indranil2121
New Member.

Restrict access to PRD

We want to make a set of PRDs available to a set of users whose attribute isManager=true.
Please suggest.
0 Likes
kyin_ying Absent Member.

Re: Restrict access to PRD

Create a Dynamic Group that has memberQuery as isManager=TRUE.
Assign the Dynamic group as the Trustee of your PRD.
This should help you to restrict the access to the PRDs.
0 Likes
indranil2121
New Member.

Re: Restrict access to PRD

Sorry to say that I'm not understanding the concept of Trustee.
I assigned Trustee cn=uaadmin,ou=sa,o=data but every user can access the PRD.
Is there any change required apart from Trustee?
0 Likes
kyin_ying Absent Member.

Re: Restrict access to PRD

You would have assigned the rights of the objects in eDirectory to Public.
Try to check and validate the rights assigned in your eDirectory tree.
0 Likes
Knowledge Partner

Re: Restrict access to PRD

On 8/29/2018 5:26 AM, indranil2121 wrote:
>
> Sorry to say that I'm not understanding the concept of Trustee.
> I assigned Trustee cn=uaadmin,ou=sa,o=data but every user can access
> the PRD.
> Is there any change required apart from Trustee?


A PRD is visible in the UI when eDirectory rights permit the logged in
user to see the object. (The PRD objects are under the User App driver,
under the AppConfig then under the RequestDefs container).

Check the effective rights in iManager of any particular user to that object.

The [Root] of the tree has [Public] granted Browse and Compare rights,
which inherit down and thus everyone can see it.

You should NOT take away that Root grant of BC to [Public], so instead
you should block it with an IRF. But first explicitly grant admin Full
rights to the object/container, then add an IRF.

0 Likes
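
A simplified model of the rights inheritance described in the reply above, added here as an illustration and not taken from the thread or from the product: it shows why a trustee assignment alone leaves the PRD visible to everyone, and why the explicit admin grant has to come before the IRF. Object names, the static group `cn=prd-managers`, `cn=admin` and the rights sets are constructed, and the model treats entry and attribute rights as one set.

```python
# Simplified model of eDirectory rights inheritance; all names are constructed.
PATH = ["[Root]", "system", "UserApp", "AppConfig", "RequestDefs", "ManagerPRD"]
FULL = {"Supervisor", "Browse", "Compare"}   # stands in for "Full rights"

def effective_rights(path, acls, irfs, equivalences):
    """Rights held on the last object in path.

    acls: {object: {trustee: rights}}  explicit trustee assignments
    irfs: {object: rights}             rights still allowed to inherit
    equivalences: trustees the user counts as ([Public], own DN, groups)
    """
    total = set()
    for trustee in equivalences:
        rights = set()
        for obj in path:                      # walk from [Root] to the target
            if obj in irfs:
                rights &= irfs[obj]           # IRF masks inherited rights only
            explicit = acls.get(obj, {}).get(trustee)
            if explicit is not None:
                rights = set(explicit)        # explicit grant replaces inherited
        total |= rights
    return total

def can_see(path, acls, irfs, equivalences):
    return bool({"Browse", "Supervisor"} & effective_rights(path, acls, irfs, equivalences))

ORDINARY = ["[Public]", "cn=jdoe"]
MANAGER = ["[Public]", "cn=mgr1", "cn=prd-managers"]   # static group member
ADMIN = ["[Public]", "cn=admin"]

# Tree defaults: [Public] has Browse/Compare at [Root], admin has Supervisor.
DEFAULT = {"[Root]": {"[Public]": {"Browse", "Compare"}, "cn=admin": FULL}}
# 1. Trustee added on the PRD, inheritance untouched.
TRUSTEE_ONLY = {**DEFAULT, "ManagerPRD": {"cn=prd-managers": {"Browse", "Compare"}}}
# 2. IRF that inherits nothing, added before admin got an explicit grant.
BLOCK_ALL = {"ManagerPRD": set()}
# 3. Order from the reply: explicit admin grant on the PRD, then the IRF.
HARDENED = {**DEFAULT, "ManagerPRD": {"cn=prd-managers": {"Browse", "Compare"},
                                      "cn=admin": FULL}}

def report():
    rows = {}
    for name, acls, irfs in [("trustee only", TRUSTEE_ONLY, {}),
                             ("IRF, no admin grant", TRUSTEE_ONLY, BLOCK_ALL),
                             ("admin grant + IRF", HARDENED, BLOCK_ALL)]:
        rows[name] = tuple(can_see(PATH, acls, irfs, who)
                           for who in (ORDINARY, MANAGER, ADMIN))
    return rows

if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:22} ordinary/manager/admin = {row}")
```

Each row is (ordinary user, manager, admin); the middle case is the lockout the reply warns about, where the IRF hides the PRD from admin as well.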
indranil2121
New Member.

Re: Restrict access to PRD

Thank you for the suggestion. I modified the right in iManager.
Now I created a dynamic group with memberQuery (isManager=true), but users are not getting membership of that dynamic group.
In the dynamic group with memberQuery:
Start search at (Base dn): users.data
Search Scope: Search sub container
Search Filter: (isManager=TRUE)

But the problem is that members are not automatically being added to this dynamic group.
Do we need to add users manually?
If it's a dynamic group, what is the benefit of it?
0 Likes
Knowledge Partner

Re: Restrict access to PRD

On 8/29/2018 9:34 AM, indranil2121 wrote:
>
> Thank you for the suggestion. I modified the right in iManager.
> Now I created a dynamic group with memberQuery (isManager=true), but
> users are not getting membership of that dynamic group.
> In the dynamic group with memberQuery:
> Start search at (Base dn): users.data
> Search Scope: Search sub container
> Search Filter: (isManager=TRUE)
>
> But the problem is that members are not automatically being added to this
> dynamic group.
> Do we need to add users manually?
> If it's a dynamic group, what is the benefit of it?


I am not sure that a Dynamic group will work at all.

You cannot confer rights in eDir, which is what is needed, via a Dynamic
Group.

Now what you could do is:

Use that Dynamic Group, assign it to a Role.
The Role is linked to a Resource.
The Resource has an Entitlement.
The Entitlement grants an eDir static group membership.

There is a package for Entitlements included with the loopback driver,
or else I have one you can use as a package.

Then the Dynamic group assigns the role, then the resource, then the
entitlement, then the static group membership, which has security
permissions to see the PRD.

Not a stack of cards at all!

I worked with a customer who had hundreds of such assignments.



0 Likes