In the Organization Manager tree view, select an organization, and highlight Groups. The groups that belong to this organization display in the right pane.
For information about the self-registration group, see “Self-registration group”.
Editing a group’s properties
In the Organization Manager tree view, select the organization, and highlight Groups.
In the right pane, highlight the group, right-click, and select Edit Group. The Edit Group dialog box displays.
Modify the group’s properties, and click OK.
Adding or removing users from a group
Before you can add users to a group, you must create the users—see “Creating and managing user accounts”.
In the Organization Manager tree view, select the organization, and highlight Groups.
In the right pane, highlight the group you want to edit, right-click, and select Edit Members. The Edit Group Members dialog box displays.
In the left list box, select the organization. The users that belong to this organization display in the middle list box.
To add a user to the group, highlight the user name, and click Add. The user name displays in the Members list box.
Repeat this step for each user you want to add to the group.
To remove a user from the group, highlight the user name in the Members list box, and click Remove.
When you are done, click OK.
Moving a group between organizations
In the right pane, highlight the group, right-click, and select Change Organization. The Change Group Organization dialog box displays.
Highlight the organization to which you want to move the group, and click OK.
Managing a group’s roles
If you add a user to a group that has been granted roles, the user inherits these roles. Every group member assumes a group’s roles when they log in to the secured system.
Before you can grant a role to a group, you must create the group and the role. To create a group, see “Creating a group”. To create roles, see “Creating a role”.
In the right pane, highlight the group whose roles you want to edit, right-click, and select Edit Roles. The Edit Group Roles dialog box displays.
In the left list box, select an organization. The roles defined for this organization display in the center list box.
To grant a role, select a role in the center list box, and click Add. The role displays in the Granted Roles list. The name of the organization to which each role belongs also displays, in parentheses.
To add another role that is defined within the same organization, repeat this step.
To add a role that is defined in another organization, repeat steps 2 and 3.
To revoke a role from the group, select a role in the right list box, and click Remove.
Click OK.
Deleting a group
In the right pane, highlight the group, right-click, and select Delete Group.
Confirm that you want to delete the selected group.
New users of Sybase components can register their user information directly to the system, thus becoming a member of the self-registration group. Members of this group can access the assets that this group is allowed to access.
Every member of this group has identical permissions to access enterprise components. In an upgraded environment, all previously registered users maintain their access permission according to permissions granted to their original roles.
Enterprise Security supports only one self-registration group, which is, by default, installed into the root organization. This allows users to self-register in the root organization or any of the suborganizations.
If you are using Enterprise Portal, and you want roles to be granted automatically to users who self-register, grant these roles to the self-registration group—see “Managing a group’s roles”.
Changing the DN of the self-registration group
When you install and configure Enterprise Security, the self-registration group is added to the Enterprise Security Manager interface.
By default, the distinguished name (DN) of the self-registration group is SelfRegGroup. The PSO can change the DN by editing security.properties. If the PSO changes the default DN of this group, he or she must then create the group in the ACDB using Enterprise Security Manager; otherwise, attempts to self-register fail.
Using any standard ASCII text editor, open security.properties. The location depends on your application server:
EAServer – JAGUAR/java/classes/com/sybase/ep/security.
WebLogic – BEA_ROOT/sybepsecurity/etc/com/sybase/ep/security.
Search for this line:
selfRegistrationGroupName=gr\=SelfRegGroup,dc\=sybase,dc\=com
Change “SelfRegGroup” to the DN of your choice, and save the file.
Start Enterprise Security Manager.
In the middle pane, select the organization, highlight Groups, then click New.
Enter the group name. This name must match the name that you specified in security.properties. You can also enter a description, then click OK.
The group is created, and viewable via Enterprise Security Manager.
Optionally, grant roles to the self-registration group. Follow the instructions for “Managing a group’s roles”.
Restricting the self-registration group to a suborganization
To restrict the self-registration group’s access to a particular suborganization’s assets, you must supply the group’s full DN as part of the self-registration group name in security.properties, and configure the self-registration group in that suborganization.
Following are examples of group DNs. The first defines a group in the root organization, and the second defines a group in a suborganization.
gr=NewSelfRegGroup,dc=Sybase,dc=com
gr=NewSelfRegGroup,ou1=subOrgA,dc=Sybase,dc=com
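A read-only check for the two procedures above (changing the DN, and restricting the group to a suborganization), added here as an example and not part of the Sybase documentation: it reads selfRegistrationGroupName from security.properties text, undoes the \= escaping, and reports the group name that must exist in Enterprise Security Manager and whether it sits in the root organization or a suborganization. The sample file content is constructed, and treating ou-prefixed attributes as suborganization components is an assumption based on the ou1=subOrgA example.

```python
import re

KEY = "selfRegistrationGroupName"  # property name as shown on the page

# Constructed sample content for security.properties (not a real deployment).
SAMPLE = r"""
# constructed sample
selfRegistrationGroupName=gr\=SelfRegGroup,dc\=sybase,dc\=com
selfRegistrationGroupName=gr\=NewSelfRegGroup,ou1\=subOrgA,dc\=Sybase,dc\=com
"""

def read_property(text, key):
    """Return the unescaped value of key, or None. Like java.util.Properties,
    the last definition wins. Simplified: no line continuations or unicode escapes."""
    value = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == key:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # "\=" becomes "="
    return value

def describe_group(dn):
    """Split a group DN into the group name and the organization it lives in."""
    rdns = []
    for part in dn.split(","):
        attr, sep, val = part.strip().partition("=")
        if not sep or not attr or not val:
            raise ValueError("malformed DN component: %r" % part)
        rdns.append((attr.lower(), val))
    if rdns[0][0] != "gr":
        raise ValueError("group DN must start with gr=: %r" % dn)
    # Assumption: suborganization components use "ou"-prefixed attributes,
    # as in the page's ou1=subOrgA example.
    suborgs = [v for a, v in rdns[1:] if a.startswith("ou")]
    return {"group": rdns[0][1], "suborgs": suborgs,
            "scope": "suborganization" if suborgs else "root organization"}

def audit(text):
    """Report which group self-registered users join, per the properties text."""
    dn = read_property(text, KEY)
    if dn is None:
        raise KeyError(KEY + " is not set")
    return describe_group(dn)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Because every role granted to this group is inherited by anyone who self-registers, the group this check reports is the one whose granted roles deserve review.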