G.5. Setting Access Controls

Access control instructions (ACIs) can be configured in the Red Hat Management Console to limit what users can see and what operations they can perform on the Red Hat Directory Server and Administration Server instances managed in the Console.
ACIs define what operations users can perform on a specific instance of Red Hat Directory Server or Administration Server. ACIs set rules on which areas of the subtree can be accessed or modified, which operations are allowed, and even which hosts can be used to access the server and at what times of day access is allowed.
For Red Hat Management Console, access controls can be used to grant administrative privileges to specific users and to restrict different aspects of the main Console, such as searching the directory, adding and editing users and groups, and editing server or Console settings.

G.5.1. Granting Admin Privileges to Users for Directory Server and Administration Server

Users can be granted administrative privileges equivalent to those of the admin user for the Administration Server and similar to those of the cn=Directory Manager user in Directory Server (though not identical, since Directory Manager is a special user).
  1. Highlight a server in the Console navigation tree.
  2. Select the Object menu, and choose Set Access Permissions.
    Alternatively, right-click the entry, and choose Set Access Permissions.
  3. Click Add to add a new user to the list of administrators for the server. The default users, Directory Manager for the Directory Server and admin for the Administration Server, are not listed in the Set Permissions Dialog box.
  4. Search for the users to add as administrators. In the results, highlight the selected users, and click Add to add them to the administrators list.
    For more information on searching for users and groups, see Section G.4.1, “Searching for Users and Groups”.
  5. Click OK to add the names to the Set Permissions Dialog list, then click OK again to save the changes and close the dialog.

Note

Granting a user the right to administer a server does not automatically allow that user to give others the same right. To allow a user to grant administrative rights to other users, add that user to the Configuration Administrators group, as described in Section G.4.3.3.3, “Adding Users to the Configuration Administrators Group”.

G.5.2. Setting Access Permissions on Console Elements

There are five elements defined in the Console for access control rules:
  • User and Groups Tab (viewing)
  • User and Groups Tab (editing)
  • Topology Tab (editing)
  • Custom View Tab (editing)
  • Server Security (editing)
By default, each of these Console elements has five inherited ACIs:
  • Enabling anonymous access
  • Default anonymous access
  • Configuration administrator's modifications
  • Enabling group expansions
  • SIE (host) group permissions
These inherited ACIs cannot be edited, but new ACIs can be added for each Console element in addition to these defaults. Additional ACIs can limit anonymous access, for example, and change other permissions within the Red Hat Management Console, which, in turn, affects access to the Directory Server and Administration Server instances.
To create new ACIs:
  1. In the top menu, select Edit and then Preferences.
  2. Select the Console element from the list, and click the Permissions button.
  3. In the ACI Manager window, click the New button.
    The five inherited ACIs are not displayed by default; to see them listed, click the Show inherited ACIs check box.
  4. Configure the ACI by setting, at a minimum, the users to which it applies and the rights which are allowed. To configure the ACI in the wizard (visually):
    1. Enter a name for the ACI in the ACI Name field.
    2. In the Users/Groups tab, click the Add button to open the search window. Search for and add the users to which the ACI applies.
      Select the users from the results list and click the Add button to include them. Click OK to save the list.
    3. In the Rights tab, specify which operations are permitted as part of this ACI.
      To hide a Console element entirely from the selected users, groups, and hosts, click Check None to block any access.
    4. Optionally, set the target entry in the subtree, hostnames, or times of day where the ACI is in effect.
    More complex ACIs cannot always be edited visually; in those cases, click the Edit Manually button, and configure the ACI entry directly.
    Use the Check syntax button to validate the ACI before saving it.
  5. Click OK to save the ACI.
  6. Restart Red Hat Management Console to apply the new ACI.
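The wizard steps above (G.5.2) and the administrator grant in G.5.1 both end up as a single aci attribute value in the Directory Server ACI syntax, which is what the Edit Manually and Check syntax buttons expose. The following is an added example, not code from the Red Hat documentation or the product: a small builder and checker for that syntax covering only the parts this section describes (target entry and attributes, rights, users, hosts via dns, and times of day). The DNs, hostname pattern, and ACI names are constructed for the example, and the target DN stands in for the server's real entry in the Console configuration tree.

```python
import re

# Simplified reader/builder for the Directory Server ACI format:
#   (target-clauses)(version 3.0; acl "name"; allow|deny (rights) bind-rules;)
# This is an added illustration, not the server's own parser; it checks the
# kinds of mistakes a syntax check would flag and extracts the parts that the
# Console wizard lets you set.
TARGET_RE = re.compile(r'\(\s*(target|targetattr|targetfilter)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(
    r'^\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]+)"\s*;\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$',
    re.DOTALL,
)
BIND_RE = re.compile(
    r'(userdn|groupdn|roledn|dns|ip|timeofday|dayofweek|authmethod)'
    r'\s*(!?=|>=|<=|>|<)\s*"([^"]*)"'
)
VALID_RIGHTS = {"read", "write", "add", "delete", "search", "compare",
                "selfwrite", "proxy", "all"}


def parse_aci(aci):
    """Split one ACI value into name, permission, rights, targets and bind rules.
    Raises ValueError for unbalanced parentheses, a missing version/acl body,
    unknown rights, or an ACI with no bind rule at all (it would apply to nobody)."""
    if aci.count("(") != aci.count(")"):
        raise ValueError("unbalanced parentheses")
    targets = TARGET_RE.findall(aci)  # list of (keyword, operator, value)
    # The version/acl body starts right after the last target clause.
    body_start = max((m.end() for m in TARGET_RE.finditer(aci)), default=0)
    m = BODY_RE.match(aci[body_start:].strip())
    if m is None:
        raise ValueError('missing or malformed (version 3.0; acl "..."; ...;) body')
    name, permission, rights_text, bind_text = m.groups()
    rights = {r.strip() for r in rights_text.split(",") if r.strip()}
    if not rights or not rights <= VALID_RIGHTS:
        raise ValueError(f"bad rights list: {rights_text!r}")
    bind_rules = BIND_RE.findall(bind_text)
    if not bind_rules:
        raise ValueError("no bind rule (userdn, groupdn, dns, ...) present")
    return {"name": name, "permission": permission, "rights": rights,
            "targets": targets, "bind_rules": bind_rules}


def build_aci(name, rights, bind_rules, target=None, targetattr="*", permission="allow"):
    """Assemble an ACI string; bind_rules are clauses such as
    'dns="*.example.com"' that are joined with 'and' (all must hold)."""
    parts = []
    if target:
        parts.append(f'(target="{target}")')
    parts.append(f'(targetattr="{targetattr}")')
    parts.append(f'(version 3.0; acl "{name}"; {permission} ({",".join(rights)}) '
                 + " and ".join(bind_rules) + ";)")
    return "".join(parts)


def check_syntax(aci):
    """Counterpart of the wizard's Check syntax button: (True, "ok") or (False, reason)."""
    try:
        parse_aci(aci)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


def admin_aci():
    """G.5.1 style grant: all rights for one (constructed) user, but only from
    hosts under example.com and between 08:00 and 18:00. The target DN is a
    placeholder for the server's entry in the Console configuration tree."""
    return build_aci(
        "Console admin for ds1", ["all"],
        ['userdn="ldap:///uid=jsmith,ou=People,dc=example,dc=com"',
         'dns="*.example.com"',
         'timeofday >= "0800" and timeofday <= "1800"'],
        target="ldap:///dc=example,dc=com",
    )


def authenticated_only_aci():
    """G.5.2 style restriction: read and search for authenticated users only.
    ldap:///all matches bound users, so anonymous binds get no access from this ACI."""
    return build_aci("Authenticated read", ["read", "search"],
                     ['userdn="ldap:///all"'],
                     target="ldap:///ou=People,dc=example,dc=com")


if __name__ == "__main__":
    for aci in (admin_aci(), authenticated_only_aci()):
        print(aci)
        print(check_syntax(aci), parse_aci(aci)["bind_rules"])
```

Two design points: deny rules take precedence over allow rules in Directory Server, so restricting anonymous access is done here by allowing only ldap:///all rather than by denying ldap:///anyone (which would deny authenticated users too), and every bind rule is joined with and, so the admin grant only applies when user, host and time all match.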