
create groups but not users in a container ITCOM

I have a group of users called deptadmins.

We want them to perform certain actions in a container. We have decided
against ConsoleOne.
I am trying to give them rights to change users' names, telephone
numbers and group memberships; simple things, this went OK.
My problem is that I do not want them to be able to create new users,
but I do want them to be able to create groups. Is this possible? I
have been trying with trustee of the object, and assigned rights; am I
in the correct place?

Thanks in advance Greg
11 Replies

Re: create groups but not users in a container ITCOM

This is not possible really w/o 3rd party tools such as DSRazor.

There are ways to create Roles in iManager that may do this, but often
this grants users permissions to do things outside of iManager (C1 for
example) that you may not expect.


Greg Taylor wrote:
> I have a group of users called deptadmins.
>
> We want them to perform certain actions in a container. We have decided
> against ConsoleOne.
> I am trying to give them rights to change users' names, telephone
> numbers and group memberships; simple things, this went OK.
> My problem is that I do not want them to be able to create new users,
> but I do want them to be able to create groups. Is this possible? I
> have been trying with trustee of the object, and assigned rights; am I
> in the correct place?
>
> Thanks in advance Greg



--
Craig Wilson
Novell Product Support Forum Sysop
Master CNE, MCSE 2003, CCN

Re: create groups but not users in a container ITCOM

We have different products that can handle this differently. Our DSMETER
product allows you to create security granularity profiles to control which
object classes certain users/groups/orgroles can create and/or delete. For
each object class (user, group, printer, etc) you can specify whether they
are allowed to create or delete or both or neither. Our DSRAZOR product
allows you to give the helpdesk staff a custom EXE that only allows them to
do the functions you want such as creating groups and changing user phone
numbers. We offer personalized web demos where we can show you in your
browser the features of both DSMETER and DSRAZOR to see which one may be a
better fit for your overall needs. You can also get a 30-day evaluation of
DSMETER or a 7-day evaluation of DSRAZOR from:
http://www.visualclick.com/?source=060506objectclass


"craig wilson" <craig_d_wilson@yahoo.com> wrote in message
news:vCXgg.3803$8_3.1579@prv-forum2.provo.novell.com...
> This is not possible really w/o 3rd party tools such as DSRazor.
>
> There are ways to create Roles in iManager that may do this, but often
> this grants users permissions to do things outside of iManager (C1 for
> example) that you may not expect.
>
>
> Greg Taylor wrote:
>> I have a group of users called deptadmins.
>>
>> We want them to perform certain actions in a container. We have decided
>> against ConsoleOne.
>> I am trying to give them rights to change users' names, telephone numbers
>> and group memberships; simple things, this went OK.
>> My problem is that I do not want them to be able to create new users, but
>> I do want them to be able to create groups. Is this possible? I have
>> been trying with trustee of the object, and assigned rights; am I in the
>> correct place?
>>
>> Thanks in advance Greg

>
>
> --
> Craig Wilson
> Novell Product Support Forum Sysop
> Master CNE, MCSE 2003, CCN




Re: create groups but not users in a container ITCOM

On Mon, 05 Jun 2006 13:55:14 GMT, Greg Taylor <taylorg@ilo.org> wrote:

>My problem is that I do not want them to be able to create new users,
>but I do want them to be able to create groups. Is this possible ?


Nope. Not so far. The eDirectory "Create" right applies to all object types. This is
still something that Novell need to do as an enhancement to eDirectory. Please
go to the Enhancements Request web page and put in your vote for more granular
ACLs to allow for things like "Create Group" or "Create All Except for User" to
be set up in the directory.

In the meantime, if you're using IDM2 or IDM3, I've been working on a set of
IDM Policies you might find interesting. They won't stop the create, but they
can be used to react to unauthorized creates to do something else (remove the
account, disable the account, send email to your security officer, etc.). Post a
query in the novell.support.identity-manager.engine-drivers newsgroup if you're
interested in something like this.


---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu

I'm tired of receiving rubbish in my mailbox, so the E-mail address is
munged to foil the junkmail bots. Humans will figure it out on their own.
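The limitation David describes, that the Create (Add) entry right is not qualified by object class, can be seen directly by evaluating eDirectory ACL values the way the directory does. The script below is an added example written for this page; it is not code from the thread or from Novell. It parses ACL values in the documented LDIF form `privileges#scope#trusteeDN#protectedAttribute` using the documented bit values (entry rights Browse=1, Add=2, Delete=4, Rename=8, Supervisor=16; attribute rights Compare=1, Read=2, Write=4, Self=8, Supervisor=32) and evaluates a deliberately small model: no inherited rights filters, no security equivalence beyond explicit group membership, and the entry Supervisor bit is not expanded into attribute rights. The tree (o=Example, ou=ITCOM, cn=deptadmins, cn=greg, cn=jane) and the ACL values are constructed for the example; the same trustee assignment that Edward describes later in the thread (create entry rights on the container plus property rights on telephoneNumber and member) is what it models.

```python
"""Evaluate eDirectory ACL values for a trustee (added example, not from the thread).

Model: ACL values in the eDirectory LDIF form
    privileges#scope#trusteeDN#protectedAttribute
No inherited rights filters, no security equivalence beyond explicit group
membership. All DNs and ACL values below are constructed for the example.
"""
from dataclasses import dataclass

BROWSE, ADD, DELETE, RENAME, ENTRY_SUPERVISOR = 1, 2, 4, 8, 16   # [Entry Rights] bits
COMPARE, READ, WRITE, SELF, ATTR_SUPERVISOR = 1, 2, 4, 8, 32      # attribute-rights bits
ENTRY_RIGHTS, ALL_ATTRS = "[Entry Rights]", "[All Attributes Rights]"


@dataclass(frozen=True)
class Acl:
    privileges: int
    scope: str       # "entry" (this object only) or "subtree" (inherited downward)
    trustee: str     # DN, or [Public] / [Root]
    protected: str   # ENTRY_RIGHTS, ALL_ATTRS, or an attribute name


def parse_acl(value: str) -> Acl:
    priv, scope, trustee, protected = value.split("#", 3)
    if scope not in ("entry", "subtree"):
        raise ValueError(f"unknown scope {scope!r} in {value!r}")
    return Acl(int(priv), scope, trustee, protected)


def _norm(dn: str) -> str:
    return dn.lower().replace(", ", ",")


def _in_subtree(dn: str, top: str) -> bool:
    d, t = _norm(dn), _norm(top)
    return d == t or d.endswith("," + t)


def effective_rights(acls, trustee, protected, target_dn, memberships=()):
    """OR the privilege bits of every ACL that (a) names the trustee, one of its
    groups, or [Public]; (b) protects `protected`; and (c) sits on target_dn or
    on an ancestor with subtree scope. `acls` is a list of (object_dn, Acl)."""
    subjects = {_norm(trustee), "[public]", *(_norm(g) for g in memberships)}
    bits = 0
    for obj_dn, acl in acls:
        if _norm(acl.trustee) not in subjects or acl.protected != protected:
            continue
        if _norm(obj_dn) == _norm(target_dn) or (acl.scope == "subtree" and _in_subtree(target_dn, obj_dn)):
            bits |= acl.privileges
    return bits


def can_create(acls, trustee, container_dn, object_class, memberships=()):
    """object_class is accepted only to make the point: nothing in the ACL
    evaluation ever looks at it, so the answer is the same for User and Group."""
    bits = effective_rights(acls, trustee, ENTRY_RIGHTS, container_dn, memberships)
    return bool(bits & (ADD | ENTRY_SUPERVISOR))


def can_write(acls, trustee, obj_dn, attr, memberships=()):
    """A specific-attribute assignment overrides [All Attributes Rights]."""
    bits = effective_rights(acls, trustee, attr, obj_dn, memberships)
    if bits == 0:
        bits = effective_rights(acls, trustee, ALL_ATTRS, obj_dn, memberships)
    return bool(bits & (WRITE | ATTR_SUPERVISOR))


DEPTADMINS = "cn=deptadmins,ou=ITCOM,o=Example"
GREG = "cn=greg,ou=ITCOM,o=Example"   # a member of deptadmins (constructed)
# Constructed ACL values as they would appear on ou=ITCOM,o=Example in LDIF.
SAMPLE_ACLS = [
    ("ou=ITCOM,o=Example", parse_acl(f"2#subtree#{DEPTADMINS}#[Entry Rights]")),           # Add (Create)
    ("ou=ITCOM,o=Example", parse_acl(f"2#subtree#{DEPTADMINS}#[All Attributes Rights]")),  # Read only
    ("ou=ITCOM,o=Example", parse_acl(f"6#subtree#{DEPTADMINS}#telephoneNumber")),          # Read+Write
    ("ou=ITCOM,o=Example", parse_acl(f"6#subtree#{DEPTADMINS}#member")),                   # Read+Write
]


def summary(acls=SAMPLE_ACLS, trustee=GREG, memberships=(DEPTADMINS,)):
    jane = "cn=jane,ou=ITCOM,o=Example"
    return {
        "create_group_itcom": can_create(acls, trustee, "ou=ITCOM,o=Example", "Group", memberships),
        "create_user_itcom": can_create(acls, trustee, "ou=ITCOM,o=Example", "User", memberships),
        "create_group_finance": can_create(acls, trustee, "ou=Finance,o=Example", "Group", memberships),
        "write_phone": can_write(acls, trustee, jane, "telephoneNumber", memberships),
        "write_loginDisabled": can_write(acls, trustee, jane, "loginDisabled", memberships),
    }


if __name__ == "__main__":
    for key, val in summary().items():
        print(f"{key:24} {val}")
```

Running it prints True for both `create_group_itcom` and `create_user_itcom` against the same single ACL value, which is the whole problem: there is no bit to clear that keeps Group and drops User. The attribute side behaves as Greg observed, with telephoneNumber writable and loginDisabled not, because attribute rights are assigned per attribute.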

Re: create groups but not users in a container ITCOM

Nice Idea David.

David Gersic wrote:
> On Mon, 05 Jun 2006 13:55:14 GMT, Greg Taylor <taylorg@ilo.org> wrote:
>
>> My problem is that I do not want them to be able to create new users,
>> but I do want them to be able to create groups. Is this possible ?

>
> Nope. Not so far. The eDirectory "Create" right applies to all object types. This is
> still something that Novell need to do as an enhancement to eDirectory. Please
> go to the Enhancements Request web page and put in your vote for more granular
> ACLs to allow for things like "Create Group" or "Create All Except for User" to
> be set up in the directory.
>
> In the meantime, if you're using IDM2 or IDM3, I've been working on a set of
> IDM Policies you might find interesting. They won't stop the create, but they
> can be used to react to unauthorized creates to do something else (remove the
> account, disable the account, send email to your security officer, etc.). Post a
> query in the novell.support.identity-manager.engine-drivers newsgroup if you're
> interested in something like this.
>
>
> ---------------------------------------------------------------------------
> David Gersic dgersic_@_niu.edu
>
> I'm tired of receiving rubbish in my mailbox, so the E-mail address is
> munged to foil the junkmail bots. Humans will figure it out on their own.



--
Craig Wilson
Novell Product Support Forum Sysop
Master CNE, MCSE 2003, CCN

Re: create groups but not users in a container ITCOM

Greg Taylor wrote:

> I have a group of users called deptadmins.
>
> We want them to perform certain actions in a container. We have
> decided against ConsoleOne. I am trying to give them rights to
> change users' names, telephone numbers and group memberships; simple
> things, this went OK. My problem is that I do not want them to be
> able to create new users, but I do want them to be able to create
> groups. Is this possible? I have been trying with trustee of the
> object, and assigned rights; am I in the correct place?


As Craig already said, this is going to be tricky.
Those deptadmins need create entry rights and therefore they will be
able to create all objects. If you could live with that you can then
give them the property rights to modify usernames, group membership etc.

If you don't use ConsoleOne, what are you using then? You could do this
with RBS and iManager.


--
Cheers,
Edward

Re: create groups but not users in a container ITCOM

On Mon, 05 Jun 2006 17:15:14 GMT, "Christine Malik" <cmalik@visualclick.com>
wrote:

>We have different products that can handle this differently. Our DSMETER
>product allows you to create security granularity profiles to control which


Your web site doesn't say how it does this. Is DSMeter acting as a proxy, so
that the helpdesk users actually have no rights to do anything? Or are you
handling the eDirectory events and responding to them based on policy decisions?


---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu

I'm tired of receiving rubbish in my mailbox, so the E-mail address is
munged to foil the junkmail bots. Humans will figure it out on their own.

Re: create groups but not users in a container ITCOM

As the other guys indicated correctly, this will not work in a straightforward way,
since create rights do not differentiate between various object classes.

Custom iManager tasks could be an easy workaround, but you'd have to make
sure that users do not access the tree with other tools (security
implemented in the application layer).

Secure alternatives would be applications that act as a proxy for the user who
requests the object creation, e.g.:
* an IDM driver that reacts to custom events
* an iManager custom Java plugin or other (Win/NW/UX) service that uses a
proxy concept to create the group on behalf of the requesting person.

Wolfgang

"Greg Taylor" <taylorg@ilo.org> wrote in message
news:6JWgg.3746$8_3.305@prv-forum2.provo.novell.com...
>I have a group of users called deptadmins.
>
> We want them to perform certain actions in a container. We have decided
> against ConsoleOne.
> I am trying to give them rights to change users' names, telephone numbers
> and group memberships; simple things, this went OK.
> My problem is that I do not want them to be able to create new users, but
> I do want them to be able to create groups. Is this possible? I have been
> trying with trustee of the object, and assigned rights; am I in the
> correct place?
>
> Thanks in advance Greg



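Both approaches raised in the thread, David's IDM policies that react to a create after the fact and Wolfgang's proxy that creates the group on the requester's behalf, need the same decision: may this requester create this object class in this container? The script below is an added example written for this page, not IDM, DSMETER or iManager code and not code from any poster. It implements that decision once and shows both placements against an in-memory stand-in for the tree: the proxy refuses before anything is written, the reactive consumer contains or removes what it would have refused. The DNs, the deptadmins group, the exempt service account cn=idm-driver,o=Example and the sample create events are all constructed for the example.

```python
"""Object-class gate for directory creates (added example, not from the thread).

eDirectory's Add entry right does not distinguish User from Group, so the
class check has to live outside the ACL. Two placements of one policy:
  proxy    - requesters hold no create rights; a service that holds them
             refuses before anything is written (prevention).
  reactive - requesters hold the Add right; a consumer of create events
             contains or removes what the policy would have refused
             (detection and response, not prevention).
The directory is an in-memory dict; all DNs and events are constructed.
"""
from dataclasses import dataclass, field


def _norm(dn: str) -> str:
    return dn.lower().replace(", ", ",")


def _in_subtree(dn: str, container: str) -> bool:
    d, c = _norm(dn), _norm(container)
    return d == c or d.endswith("," + c)


@dataclass
class CreatePolicy:
    """rules: group DN -> list of (container DN, set of classes creatable there)."""
    rules: dict
    exempt: set = field(default_factory=set)  # service DNs never subject to the check

    def __post_init__(self):
        self.rules = {_norm(k): v for k, v in self.rules.items()}
        self.exempt = {_norm(e) for e in self.exempt}

    def allowed(self, requester, groups, object_class, container):
        if _norm(requester) in self.exempt:
            return True
        for g in groups:
            for cont, classes in self.rules.get(_norm(g), []):
                if _in_subtree(container, cont) and object_class in classes:
                    return True
        return False


class Directory:
    """In-memory stand-in for the tree: normalized DN -> attribute dict."""
    def __init__(self):
        self.entries = {}

    def add(self, dn, attrs):
        if _norm(dn) in self.entries:
            raise ValueError(f"entry exists: {dn}")
        self.entries[_norm(dn)] = dict(attrs)

    def modify(self, dn, attr, value):
        self.entries[_norm(dn)][attr] = value

    def delete(self, dn):
        del self.entries[_norm(dn)]

    def groups_of(self, user_dn):
        u = _norm(user_dn)
        return [dn for dn, a in self.entries.items()
                if a.get("objectClass") == "Group"
                and u in {_norm(m) for m in a.get("member", ())}]

    @staticmethod
    def container_of(dn):
        return dn.split(",", 1)[1]


class ProxyService:
    """Placement 1. Authentication of requester_dn is assumed to happen upstream."""
    def __init__(self, directory, policy):
        self.dir, self.policy, self.audit = directory, policy, []

    def create(self, requester_dn, dn, object_class, attrs):
        groups = self.dir.groups_of(requester_dn)
        if not self.policy.allowed(requester_dn, groups, object_class, self.dir.container_of(dn)):
            self.audit.append(("REFUSED", requester_dn, object_class, dn))
            return False
        self.dir.add(dn, {"objectClass": object_class, **attrs})
        self.audit.append(("CREATED", requester_dn, object_class, dn))
        return True


def react_to_create(directory, policy, event):
    """Placement 2. The object already exists; returns and applies the response.
    Users are disabled rather than deleted so the evidence survives."""
    creator, dn, cls = event["creator"], event["dn"], event["objectClass"]
    if policy.allowed(creator, directory.groups_of(creator), cls, directory.container_of(dn)):
        return []
    actions = [("notify", "security-officer", f"{creator} created {cls} {dn}")]
    if cls == "User":
        directory.modify(dn, "loginDisabled", "TRUE")
        actions.append(("modify", dn, "loginDisabled=TRUE"))
    else:
        directory.delete(dn)
        actions.append(("delete", dn))
    return actions


ITCOM, GREG = "ou=ITCOM,o=Example", "cn=greg,ou=ITCOM,o=Example"
DEPTADMINS = "cn=deptadmins,ou=ITCOM,o=Example"


def build_demo():
    d = Directory()
    d.add("o=Example", {"objectClass": "Organization"})
    d.add(ITCOM, {"objectClass": "Organizational Unit"})
    d.add(GREG, {"objectClass": "User"})
    d.add(DEPTADMINS, {"objectClass": "Group", "member": [GREG]})
    p = CreatePolicy(rules={DEPTADMINS: [(ITCOM, {"Group"})]}, exempt={"cn=idm-driver,o=Example"})
    return d, p


def demo():
    d, p = build_demo()
    proxy = ProxyService(d, p)
    out = {"proxy_group": proxy.create(GREG, f"cn=helpdesk,{ITCOM}", "Group", {"member": []}),
           "proxy_user": proxy.create(GREG, f"cn=mallory,{ITCOM}", "User", {})}
    d.add(f"cn=eve,{ITCOM}", {"objectClass": "User"})   # a create that bypassed the proxy
    out["reactive_user"] = react_to_create(d, p, {"creator": GREG, "dn": f"cn=eve,{ITCOM}", "objectClass": "User"})
    out["reactive_group"] = react_to_create(d, p, {"creator": GREG, "dn": f"cn=helpdesk,{ITCOM}", "objectClass": "Group"})
    out["reactive_exempt"] = react_to_create(d, p, {"creator": "cn=idm-driver,o=Example",
                                                    "dn": f"cn=svc,{ITCOM}", "objectClass": "User"})
    out["mallory_exists"] = _norm(f"cn=mallory,{ITCOM}") in d.entries
    out["eve_loginDisabled"] = d.entries[_norm(f"cn=eve,{ITCOM}")].get("loginDisabled")
    out["audit"] = proxy.audit
    return out
```

The proxy placement is the only one that prevents the create, and it only holds if deptadmins really have no Add right on the container, which is Wolfgang's warning about users reaching the tree with other tools. The reactive placement matches what David describes: the object exists for a window before it is disabled, so the notify action is the part that matters for an investigation. The exempt set is the kind of carve-out a real deployment needs so that the provisioning driver's own creates are not flagged.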

Re: create groups but not users in a container ITCOM

The way DSMETER handles this is by being a second and more granular security
check. First the eDir/NDS privileges are checked by NetWare itself - we
assume these users will pass through that first security gate since you are
giving them Create privileges to their own container. Next the request is
handled by DSMETER.NLM which checks to see if there is a DSMETER Security
Granularity profile defined that would affect this user (the profile can be
defined for a user, a group of users, or an org role). If there is a
DSMETER security granularity profile defined to indicate which object
classes the user can create/delete, DSMETER checks to see if the type of
object they are trying to create/delete is allowed by the profile or not.
If it is not allowed, DSMETER.NLM kills the request. If DSMETER kills the
request, you can have DSMETER log this event to a log file you can run
reports on and/or send the user an error message (you can put in custom text
of the error message). In general, DSMETER.NLM can record what your users
are doing for auditing/accountability purposes (login/logout, file activity,
object creation, rights changes, etc) and for certain tasks DSMETER.NLM can
control/block what they do (examples: security granularity by object class
and blocking writes or deletes of files such as blocking writing mp3 files
to your servers). Please feel free to contact us in tech support to answer
questions or show you a web demo. The tech support contact info is on our
website:
http://www.visualclick.com/?source=060506objectclass


"David Gersic" <dgersic_@_niu.edu> wrote in message
news:448482a5.21171833@support-forums.novell.com...
> On Mon, 05 Jun 2006 17:15:14 GMT, "Christine Malik"
> <cmalik@visualclick.com>
> wrote:
>
>>We have different products that can handle this differently. Our DSMETER
>>product allows you to create security granularity profiles to control
>>which

>
> Your web site doesn't say how it does this. Is DSMeter acting as a proxy,
> so
> that the helpdesk users actually have no rights to do anything? Or are you
> handling the eDirectory events and responding to them based on policy
> decisions?
>
>
> ---------------------------------------------------------------------------
> David Gersic dgersic_@_niu.edu
>
> I'm tired of receiving rubbish in my mailbox, so the E-mail address is
> munged to foil the junkmail bots. Humans will figure it out on their own.




Re: create groups but not users in a container ITCOM

On Tue, 06 Jun 2006 19:58:15 GMT, "Christine Malik" <cmalik@visualclick.com>
wrote:

>The way DSMETER handles this is by being a second and more granular security
>check. First the eDir/NDS privileges are checked by NetWare itself - we
>assume these users will pass through that first security gate since you are
>giving them Create privileges to their own container. Next the request is
>handled by DSMETER.NLM which checks to see if there is a DSMETER Security
>Granularity profile defined that would affect this user (the profile can be
>defined for a user, a group of users, or an org role).


Cool. Thanks.

So, one more follow up question: what do you do when the ring contains servers
other than NetWare...?


---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu

I'm tired of receiving rubbish in my mailbox, so the E-mail address is
munged to foil the junkmail bots. Humans will figure it out on their own.

Re: create groups but not users in a container ITCOM

On Mon, 05 Jun 2006 19:04:29 GMT, craig wilson <craig_d_wilson@yahoo.com> wrote:

>Nice Idea David.


Thanks. We actually did this a few years ago, using NetVision's Directory Alert
product. Works fine, but expen$ive due to the combination of their licensing
model and our account creation and retention policies. Re-implementing the same
thing in IDM policies has taken me about a week of development time, but will
save us the $$$/year license to NetVision.

NetVision has some good products. Implemented fully, some of their stuff would
be really cool. We specifically only need a subset of their functionality, and
being a public university, we're state funded and saving real dollars is always
a good thing.


---------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu

I'm tired of receiving rubbish in my mailbox, so the E-mail address is
munged to foil the junkmail bots. Humans will figure it out on their own.

Re: create groups but not users in a container ITCOM

Currently DSMETER only audits and/or controls activity on NetWare servers.

"David Gersic" <dgersic_@_niu.edu> wrote in message
news:4485e9b3.27261509@support-forums.novell.com...
> On Tue, 06 Jun 2006 19:58:15 GMT, "Christine Malik"
> <cmalik@visualclick.com>
> wrote:
>
>>The way DSMETER handles this is by being a second and more granular
>>security
>>check. First the eDir/NDS privileges are checked by NetWare itself - we
>>assume these users will pass through that first security gate since you
>>are
>>giving them Create privileges to their own container. Next the request is
>>handled by DSMETER.NLM which checks to see if there is a DSMETER Security
>>Granularity profile defined that would affect this user (the profile can
>>be
>>defined for a user, a group of users, or an org role).

>
> Cool. Thanks.
>
> So, one more follow up question: what do you do when the ring contains
> servers
> other than NetWare...?
>
>
> ---------------------------------------------------------------------------
> David Gersic dgersic_@_niu.edu
>
> I'm tired of receiving rubbish in my mailbox, so the E-mail address is
> munged to foil the junkmail bots. Humans will figure it out on their own.


