Managing the DSO role

In each domain, the domain security officer can edit the DSO role, and grant the role to users and groups. Initially, the DSO role is granted only to the “pso” user.

WARNING! Do not delete the DSO role. If you delete the DSO role before permission to access the controlling assets is granted to another role, no one can access anything in the domain.

Table 5-2 describes the permissions you must have to manage the DSO role.

Table 5-2: Permissions required to manage the DSO role

Action                                     Permissions required
-----------------------------------------  -----------------------------------------------
List the properties of a DSO role.         LIST on the role controlling asset.
Update the properties of a DSO role.       READ and UPDATE on the role controlling asset.
Grant the DSO role to users or groups.     GRANT on the role controlling asset.

Editing the DSO role

To edit the DSO role name, DN, or description:

  1. In the Domain Manager tree view, expand the domain, and highlight Roles.

  2. In the right pane, highlight the role, right-click, and select Edit Role.

  3. In the Edit Role dialog box, modify the values you want to change, and click OK.

Granting the DSO role to users

  1. In the Domain Manager tree view, expand the domain, and highlight Roles.

  2. In the right pane, highlight the role, right-click, and select Manage User Roles.

  3. In the Manage User Roles dialog box, select the organization in the left list box. The users in this organization display in the adjacent list box.

    The users to whom the DSO role is granted display in the Grant Role To list box. The organization to which each user belongs also displays, in parentheses. The users who inherit the DSO role because they belong to a group that is granted the DSO role display in the Inherited By list box.

  4. Select a user to whom you want to grant the DSO role, and click Add. To grant the DSO role to all users in this organization, click Add All.

    To grant the DSO role to users in other organizations, repeat steps 3 and 4.

    To revoke the DSO role from a user, highlight the user in the Grant Role To list box, and click Remove. To revoke the DSO role from all users in this organization, click Remove All.

    To revoke the DSO role from users in other organizations, repeat steps 3 and 4.

Granting the DSO role to groups

  1. In the Domain Manager tree view, expand the domain, and highlight Roles.

  2. In the right pane, highlight the role, right-click, and select Manage Group Roles.

  3. In the Manage Group Roles dialog box, select the organization in the left list box. The users in this organization display in the adjacent list box. The groups to which the role is granted display in the Grant Role To list box. The organization to which each group belongs also displays, in parentheses.

  4. Select a group to which you want to grant the DSO role, and click Add. To grant the DSO role to all groups in this organization, click Add All.

    To grant the DSO role to groups in other organizations, repeat steps 3 and 4.

    To revoke the DSO role from a group, highlight the group in the Grant Role To list box, and click Remove. To revoke the DSO role from all groups in this organization, click Remove All.

    To revoke the DSO role from groups in other organizations, repeat steps 3 and 4.