System information

Identity Manager Administration Guide
Part Number 820-2952-10 Page 95
The following information should be added to the “Understanding and Managing Capabilities” section. (ID-14630, 15614)
Identity Manager provides a built-in ObjectGroup/organization called End User that initially has no member objects. The End User ObjectGroup/organization is implicitly assigned to all users, and enables them to view several types of objects, including tasks, rules, roles, and resources.
Previously, when users logged in to the End User interface, they were automatically granted rights to the object types specified in the EndUser capability (such as AdminRole, EndUserConfig, and EndUserTask). Now, when users log in to the End User interface, Identity Manager also automatically gives them control of the new End User ObjectGroup.
In addition, Identity Manager evaluates a new, built-in End User Controlled Organizations rule. Any ObjectGroup/organization names returned by this rule are also automatically controlled by the user logging in to the End User interface.
The authenticating user's view is the input argument to the End User Controlled Organizations rule. Identity Manager expects the rule to return one organization (a string) or more (a list) that the user logging in to the End User interface will control. A new End User Administrator capability was added that enables users to manage these new objects.
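As an added illustration, not a rule shipped with Identity Manager and not taken from this guide, the following XPRESS rule shows the contract just described: it reads the authenticating user's view and returns either a single organization name (a string) or several (a list). The organization names Top:Contractors and Top:Contractor Resources are constructed for the example, and the rule assumes that the user's home organization is exposed in the view as the waveset.organization attribute and that the rule is named exactly as Identity Manager expects; confirm both against your own deployment before relying on it.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Waveset PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Waveset>
  <!-- Added example rule (not the product's built-in rule). The user view is
       the rule's input, so view attributes are read with <ref>; the attribute
       name waveset.organization is an assumption about the view's layout. -->
  <Rule name='End User Controlled Organizations'>
    <cond>
      <!-- test: is the authenticating user's home organization Top:Contractors?
           (Top:Contractors is a constructed organization name.) -->
      <eq>
        <ref>waveset.organization</ref>
        <s>Top:Contractors</s>
      </eq>
      <!-- then: return a list, so the user controls two organizations.
           Every name returned here must already exist in Identity Manager;
           a name that does not exist is only reported in the System Log. -->
      <list>
        <s>Top:Contractors</s>
        <s>Top:Contractor Resources</s>
      </list>
      <!-- else: return a single string, the user's own organization. -->
      <ref>waveset.organization</ref>
    </cond>
  </Rule>
</Waveset>
```

Because Identity Manager evaluates the rule at login, a user who is already logged in to the End User interface does not pick up a changed rule until logging out and back in; test a change with a fresh login and check the System Log for any organization name the rule returned that could not be resolved.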
Users who are assigned the End User Administrator capability can view and modify rights to the object types specified in the EndUser capability and the contents of the End User Controlled Organizations rule.
The End User Administrator capability is assigned to Configurator by default. Any changes to that list of object types, or to the organizations returned by evaluating the End User Controlled Organizations rule, are not reflected dynamically for users who are already logged in. These users must log out and then log in again to see the changes.
If the End User Controlled Organizations rule returns an invalid organization (for example, an organization that does not exist in Identity Manager), the problem is logged in the System Log. You can correct the problem by logging in to the Administrator user interface and fixing the rule.
The End User ObjectGroup/organization is a member of Top and cannot have child organizations. This ObjectGroup/organization is not displayed in the tree table on the Accounts tab of the Administrator user interface. However, when editing objects (such as Roles, AdminRoles, Resources, Policy, Tasks, and so forth), you can make any object available to the End User ObjectGroup/organization from the Administrator user interface.
Use this new best practice method, instead of End User Tasks, End User Resources, System Configuration:EndUserAccess, and End User authTypes, to give end users access to Identity Manager configuration objects such as Roles, Resources, Tasks, and so forth. The End User Tasks, End User Resources, System Configuration:EndUserAccess, and End User authTypes methods will continue to be supported for backward compatibility.