Knowledge Partner
Knowledge Partner
1456 views

User and Role management?

The docs aren't very helpful on this, I'm afraid (I'm submitting feedback).

All it says is that an Administrator cannot define users/roles, that is done at the LDAP server.
But then it doesn't tell you how to configure things on the LDAP Server to adjust this?

Example:

Users are only created upon login to ZR5. You can't apparently "browse" the LDAP directory for a list of users ahead of time and assign rights (why not, I don't know, but that should be a basic feature, IMO since ZRS had it).

So, what I need to do is somehow configure ZR5 so that:
If you login, and are a member of a specific LDAP group, you are a ZR5 Administrator
If you login, and are a member of a DIFFERENT LDAP Group, you are a ZR5 User
Labels (2)
0 Likes
4 Replies
Knowledge Partner
Knowledge Partner

Re: User and Role management?

kjhurni;2304081 wrote:
The docs aren't very helpful on this, I'm afraid (I'm submitting feedback).

All it says is that an Administrator cannot define users/roles, that is done at the LDAP server.
But then it doesn't tell you how to configure things on the LDAP Server to adjust this?

Example:

Users are only created upon login to ZR5. You can't apparently "browse" the LDAP directory for a list of users ahead of time and assign rights (why not, I don't know, but that should be a basic feature, IMO since ZRS had it).

So, what I need to do is somehow configure ZR5 so that:
If you login, and are a member of a specific LDAP group, you are a ZR5 Administrator
If you login, and are a member of a DIFFERENT LDAP Group, you are a ZR5 User


Oh, and then I also need the ability like we had in ZRS:

Some users can create reports, but they are NOT administrators of the entire server. However, this does not appear to be able to be done (at least the ZR5 docs indicate that there's only two roles: Administrator and User and if you want to create a report, you have to be an Administrator). which means you end up giving your CIO and stuff full Admin rights to the server configuration just because they want to create a report.

Unless the docs are wrong and there's a way to create a user with JUST the ability to create a report?
0 Likes
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Re: User and Role management?

Hello Kevin,

Firstly I agree, that unfortunately documentation is bit lacking on this point. We are working to improve it and hopefully, you should see more details around this in some time.
Coming to your list of issues:

#1. Yes, it is not currently possible with-in ZR5 to add users by directly browsing through a LDAP directory. We are planning to add this in next release. However, this shouldn't come in your way of setting up users in ZR 5. ZR 5 Automatically add users as and when a user logs in.

#2. If you login, and are a member of a specific LDAP group, you are a ZR5 Administrator.
I understand that during installation of ZR 5, you would have specified Admin groups in LDAP directory. These groups are mapped to Role_Administrator in ZR 5. Any user who belongs to these groups in LDAP directory, when logs in to ZR 5 would have Administrator Rights.

#3. If you login, and are a member of a DIFFERENT LDAP Group, you are a ZR5 User
By default whenever any other user (not belonging to above Admin Group) in LDAP directory logs in, Following things happen:
1. User is automatically created in ZR 5. By default a user is assigned Role_User in ZR 5, which has no rights to do anything or see anything.
2. All the Groups, a user is part of, are created as roles in ZR 5. So say User A logs in to ZR 5 and she belongs to Grp1 & Grp 2. At this time, in ZR 5, Role_Grp1 & Role_Grp2 are created. These Roles have no rights assigned to it. Subsequently, an administrator can right click on any repository object and assign a role, a set of permissions. In above example, an admin can right click on Reports folder, click permissions, and assign Role_Grp1, 'execute only' permission. In ZR5, when resolving permissions, most lenient set of permissions are applied.

Hope this helps. So it is not necessary for a CIO to be admin to just create a report. Obviously this assumes that a CIO is never a part of Admin group 🙂 Let me know, if you have further set of questions.

Vikram

kjhurni;2304083 wrote:
Oh, and then I also need the ability like we had in ZRS:

Some users can create reports, but they are NOT administrators of the entire server. However, this does not appear to be able to be done (at least the ZR5 docs indicate that there's only two roles: Administrator and User and if you want to create a report, you have to be an Administrator). which means you end up giving your CIO and stuff full Admin rights to the server configuration just because they want to create a report.

Unless the docs are wrong and there's a way to create a user with JUST the ability to create a report?
0 Likes
Knowledge Partner
Knowledge Partner

Re: User and Role management?

gvikram;2304600 wrote:
Hello Kevin,

Firstly I agree, that unfortunately documentation is bit lacking on this point. We are working to improve it and hopefully, you should see more details around this in some time.
Coming to your list of issues:

#1. Yes, it is not currently possible with-in ZR5 to add users by directly browsing through a LDAP directory. We are planning to add this in next release. However, this shouldn't come in your way of setting up users in ZR 5. ZR 5 Automatically add users as and when a user logs in.

#2. If you login, and are a member of a specific LDAP group, you are a ZR5 Administrator.
I understand that during installation of ZR 5, you would have specified Admin groups in LDAP directory. These groups are mapped to Role_Administrator in ZR 5. Any user who belongs to these groups in LDAP directory, when logs in to ZR 5 would have Administrator Rights.

#3. If you login, and are a member of a DIFFERENT LDAP Group, you are a ZR5 User
By default whenever any other user (not belonging to above Admin Group) in LDAP directory logs in, Following things happen:
1. User is automatically created in ZR 5. By default a user is assigned Role_User in ZR 5, which has no rights to do anything or see anything.
2. All the Groups, a user is part of, are created as roles in ZR 5. So say User A logs in to ZR 5 and she belongs to Grp1 & Grp 2. At this time, in ZR 5, Role_Grp1 & Role_Grp2 are created. These Roles have no rights assigned to it. Subsequently, an administrator can right click on any repository object and assign a role, a set of permissions. In above example, an admin can right click on Reports folder, click permissions, and assign Role_Grp1, 'execute only' permission. In ZR5, when resolving permissions, most lenient set of permissions are applied.

Hope this helps. So it is not necessary for a CIO to be admin to just create a report. Obviously this assumes that a CIO is never a part of Admin group 🙂 Let me know, if you have further set of questions.

Vikram


Thank you Vikram.

If there are only 2 roles used by ZR5:
Admin
and
User

But, if you have additional eDir/LDAP groups, you can create a special group in eDir (for example) called:
Report Creators

Then assign the ZR5 user to that role (once they have logged into ZR5)
and then (as an Administrator), give the role: Report Creators, the ability to create a report?
0 Likes
Micro Focus Frequent Contributor
Micro Focus Frequent Contributor

Re: User and Role management?

Role_Administrator & Role_User are default roles in ZR 5. I would recommend that you don't change the permissions assigned to these roles.

The methodology suggested by you should work with just a modification.
1. You would need to assign your users to Report Creators in E-Dir & Not in ZR 5. Through ZR 5 you can't assign users to Roles. ZR 5 replicates your LDAP directory structure.
2. Then as you suggested, you can assign proper permissions to Role_Report_Creators in ZR 5, and all users who are part of this group, would be able to create the reports.

In summary, Roles & Users are handled through LDAP, while Rights assigned to Roles & Users handled through ZR 5.

Hope this helps.

Regards
Vikram

kjhurni;2304661 wrote:
Thank you Vikram.

If there are only 2 roles used by ZR5:
Admin
and
User

But, if you have additional eDir/LDAP groups, you can create a special group in eDir (for example) called:
Report Creators

Then assign the ZR5 user to that role (once they have logged into ZR5)
and then (as an Administrator), give the role: Report Creators, the ability to create a report?
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.