G.5. Setting Access Controls
Access control instructions (ACIs) can be set in the Red Hat Management Console to limit what users can see and what operations they can perform on Red Hat Directory Server and Administration Server instances managed in the Console.
ACIs define what operations users can do with a specific instance of Red Hat Directory Server or Administration Server. ACIs set rules on which areas of the subtree can be accessed or modified, which operations are allowed, and even which hosts can be used to access the server and at what times of day access is allowed.
For Red Hat Management Console, access controls can be used to grant administrative privileges very easily to specific users and to set restrictions on different aspects of the main Console, such as searching the directory, adding and editing users and groups, and editing server or Console settings.
G.5.1. Granting Admin Privileges to Users for Directory Server and Administration Server
Users can be granted administrative privileges, the same as the admin user for the Administration Server and similar to the cn=Directory Manager user in Directory Server (though not exactly the same as the Directory Manager, which is a special user).
- Highlight a server in the Console navigation tree.
- Select the Object menu, and choose Set Access Permissions. Alternatively, right-click the entry, and choose Set Access Permissions.
- Click the button to add a new user to the list of administrators for the server. The default users, Directory Manager for the Directory Server and admin for the Administration Server, are not listed in the Set Permissions Dialog box.
- Search for the users to add as administrators. In the results, highlight the selected users, and click the button to add them to the administrators list. For more information on searching for users and groups, see Section G.4.1, “Searching for Users and Groups”.
- Click OK to add the names to the Set Permissions Dialog list, then click OK again to save the changes and close the dialog.
Granting a user the right to administer a server does not automatically allow that user to give others the same right. To allow a user to grant administrative rights to other users, add that user to the Configuration Administrators group, as described in Section G.184.108.40.206, “Adding Users to the Configuration Administrators Group”.
G.5.2. Setting Access Permissions on Console Elements
There are five elements defined in the Console for access control rules:
- User and Groups Tab (viewing)
- User and Groups Tab (editing)
- Topology Tab (editing)
- Custom View Tab (editing)
- Server Security (editing)
By default, each of these Console elements has five inherited ACIs:
- Enabling anonymous access
- Default anonymous access
- Configuration administrator's modifications
- Enabling group expansions
- SIE (host) group permissions
These inherited ACIs cannot be edited, but new ACIs can be added for each Console element in addition to these defaults. Additional ACIs can limit anonymous access, for example, and change other permissions within the Red Hat Management Console, which, in turn, affects access to the Directory Server and Administration Server instances.
To create new ACIs:
- In the top menu, select the appropriate menu and menu item.
- Select the Console element from the list, and click the button.
- In the ACI Manager window, click the button. The five inherited ACIs are not displayed by default; to see them listed, click the Show inherited ACIs check box.
- Configure the ACI by setting, at a minimum, the users to which it applies and the rights which are allowed. To configure the ACI in the wizard (visually):
More complex ACIs may not be able to be edited visually; in those cases, click the button, and configure the ACI entry directly. Use the button to validate the ACI.
- Enter a name for the ACI in the ACI Name field.
- In the Users/Groups tab, click the button to open the search window. Search for and add the users to which the ACI applies. Select the users from the results list and click the button to include them. Click to save the list.
- In the Rights tab, specify which operations are permitted as part of this ACI. To hide a Console element entirely from the selected users, groups, and hosts, click the button to block any access.
- Optionally, set the target entry in the subtree, hostnames, or times of day where the ACI is in effect.
- Click OK to save the ACI.
- Restart Red Hat Management Console to apply the new ACI.
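When ACIs are configured directly rather than in the wizard, they end up as `aci` attribute values that combine a target (subtree or attributes), a rights list, and bind rules such as user, host and time of day, as described above. The following is an added audit example, not code from the original page or from Red Hat: it parses the Directory Server ACI v3 string format from a constructed LDIF-style sample and flags allow rules that grant write-class rights to anonymous binds (`ldap:///anyone`), which is the kind of overly broad default the text recommends limiting. The ACI names, DNs and hostnames are constructed for illustration.

```python
import re

# Constructed sample aci values, as they would appear in an LDIF export
# of a Directory Server entry (illustrative only, not from the page).
SAMPLE_ACIS = [
    '(targetattr="*")(version 3.0; acl "Enable anonymous access"; '
    'allow (read,search,compare) userdn="ldap:///anyone";)',
    '(target="ldap:///ou=People,dc=example,dc=com")(targetattr="*")'
    '(version 3.0; acl "Console admins"; allow (all) '
    'groupdn="ldap:///cn=Configuration Administrators,ou=Groups,dc=example,dc=com" '
    'and dns="*.example.com" and timeofday>="0800" and timeofday<"1800";)',
    '(targetattr="userPassword")(version 3.0; acl "Anon password write"; '
    'allow (write) userdn="ldap:///anyone";)',
]

# Overall shape: zero or more (target...) clauses, then the version/acl body.
ACI_RE = re.compile(
    r'(?P<targets>(?:\([^()]*\))*)\s*\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<type>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.*?);\s*\)$',
    re.DOTALL)
TARGET_RE = re.compile(r'\((\w+)\s*(!?=)\s*"([^"]*)"\)')
# Bind-rule keywords; values are always quoted in the ACI syntax.
BIND_RE = re.compile(
    r'(userdn|groupdn|dns|ip|timeofday|dayofweek|authmethod)\s*'
    r'(<=|>=|!=|<|>|=)\s*"([^"]*)"')

def parse_aci(aci):
    """Split one aci value into its targets, name, type, rights and bind rules."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError(f"unrecognised ACI: {aci!r}")
    targets = {key: val for key, _op, val in TARGET_RE.findall(m.group("targets"))}
    rights = {r.strip().lower() for r in m.group("rights").split(",") if r.strip()}
    bind = [(key, op, val) for key, op, val in BIND_RE.findall(m.group("bind"))]
    return {"name": m.group("name"), "type": m.group("type"),
            "targets": targets, "rights": rights, "bind": bind}

WRITE_RIGHTS = {"all", "write", "add", "delete", "selfwrite", "proxy"}

def find_overbroad(acis):
    """Return names of allow ACIs granting a write-class right to anonymous binds."""
    hits = []
    for aci in acis:
        p = parse_aci(aci)
        anon = any(k == "userdn" and v.lower() == "ldap:///anyone" for k, _, v in p["bind"])
        if p["type"] == "allow" and anon and p["rights"] & WRITE_RIGHTS:
            hits.append(p["name"])
    return hits

if __name__ == "__main__":
    print("overbroad anonymous ACIs:", find_overbroad(SAMPLE_ACIS))
```

Run it against the `aci` values of an exported entry to review them before (or instead of) relying on the wizard's visual view for complex rules.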