christiaanswane Absent Member.

iManager Base Plugin assigns Admin rights to any user


Hi All,

After extensive testing, SRs created with high priority and no solution
found (and Novell back-end replicating the issue), I reported this as a
bug. But... maybe there are some smarter people out there that can find a
solution or help me.

Ok, This is the scenario:

The Helpdesk staff need to create users as part of the company's
"take-on" procedure.
RBS Roles should do this for us, correct? Yes... what they don't tell
you is that the users that have that specific task assigned as a
membership will suddenly get access to any OES file server path that is
listed inside your tree. (Their normal login script will still mount
their personal drive, but if they manually navigate to the server path,
they have full admin rights on every single file in existence on that
server...) Yes... full admin rights...

The Helpdesk task (and the create user task underneath it) is by default
installed with the iManager Base Plugin and cannot be modified. It is
this plugin that is causing the trouble.

The only solution is to create custom tasks using the Plugin Studio, as
members of them don't seem to inherit the rights as the iManager Base
Plugin's do.

Problem: to create my own "create user" task in the Plugin Studio seems
to be a nightmare. Not only is there only a short line description in
the manual:
http://tinyurl.com/pdvr3qs
But they reference nothing about the 50+ classes that you can choose
from, and the 100s of attributes allocated to each of the classes.
The "copyfromtemplate" attribute I cannot find, which is the basis of the
reason why we want to be able to create users this way.

Please tell me someone has already gone through the process of
creating the same plugin I require, or can help me in the right
direction of creating the plugin.

Much Appreciated,
Christiaan Swanepoel


--
christiaanswanepoel
------------------------------------------------------------------------
christiaanswanepoel's Profile: https://forums.netiq.com/member.php?userid=10782
View this thread: https://forums.netiq.com/showthread.php?t=54607

Knowledge Partner

Re: iManager Base Plugin assigns Admin rights to any user

I presume you are using Role-Based Services (RBS) within iManager, right?

If so, and if your tree is set up properly, you can grant access to RBS at
a certain level, specifically at the level where users (but not servers)
exist. The result is that the rights (yes, Supervisor) are granted there,
but since they are not granted above a server or NCP volume object, they
do not flow into the filesystem. You could probably put an IRF on the
server and NCP volume objects to block that too, but it may impact your
helpdesk folks' abilities to do other things.

Another alternative is that you could grant the Helpdesk role but NOT
assign rights (it's a checkbox when you grant the role rights at a certain
level in the tree, as I recall). As a result, you'll need to grant rights
manually, but you can do that yourself pretty easily (Create to [Entry
Rights] at whatever level of the tree) though you need to manage those
yourself.

Better yet, use something else to manage user creation. Identity Manager
(IDM) is a great way to do this. Using Self-Service Password Reset (SSPR)
is another great way, which means your helpdesk folks do not need iManager
for creates at all. You may still need to grant other rights, or RBS
roles, for other purposes (standard user changes) but some of those could
also probably be done another way if the requirements are known.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
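
The scoping behaviour described in the reply above, as an added example that is not part of the original thread or any Novell/NetIQ code: a simplified Python model of eDirectory entry-rights inheritance over a constructed tree. The object names, helper functions and single-letter rights (B, C, S) are assumptions for illustration; security equivalence and attribute rights are left out.

```python
# Simplified model of eDirectory entry-rights inheritance (added example).
# Constructed tree, child -> parent; all object names are illustrative.
PARENT = {
    "HQ": "Tree",
    "Dept1.HQ": "HQ",
    "OES1.HQ": "HQ",  # NCP Server object
}
HELPDESK = "cn=Helpdesk"  # hypothetical role trustee

def path_from_root(obj):
    """Objects from the tree root down to obj."""
    chain = [obj]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain[::-1]

def effective_rights(trustee, obj, assignments, irfs=None):
    """Entry rights of trustee at obj, walking down from the root."""
    # assignments: {object: {trustee: rights}} explicit trustee assignments
    # irfs: {object: rights the inherited rights filter lets through}
    rights = set()
    for node in path_from_root(obj):
        if irfs and node in irfs:
            rights &= irfs[node]          # IRF filters inherited rights only
        explicit = assignments.get(node, {}).get(trustee)
        if explicit is not None:
            rights = set(explicit)        # explicit assignment replaces inherited
    return rights

def reaches_filesystem(trustee, server, assignments, irfs=None):
    """Supervisor on the server object is what carries into its file system."""
    return "S" in effective_rights(trustee, server, assignments, irfs)

def scenarios():
    """The options from the reply, evaluated against the OES server object."""
    at_hq = {"HQ": {HELPDESK: {"S"}}}          # role scoped above the server
    at_dept = {"Dept1.HQ": {HELPDESK: {"S"}}}  # role scoped at the user container
    manual = {"HQ": {HELPDESK: {"B", "C"}}}    # no role rights, Create granted by hand
    irf = {"OES1.HQ": {"B"}}                   # IRF on the server passes Browse only
    return {
        "scoped at HQ": reaches_filesystem(HELPDESK, "OES1.HQ", at_hq),
        "scoped at Dept1": reaches_filesystem(HELPDESK, "OES1.HQ", at_dept),
        "HQ + IRF on server": reaches_filesystem(HELPDESK, "OES1.HQ", at_hq, irf),
        "manual Create at HQ": reaches_filesystem(HELPDESK, "OES1.HQ", manual),
    }

if __name__ == "__main__":
    for name, exposed in scenarios().items():
        print(f"{name:22} file system exposed: {exposed}")
```

Only the first scenario leaves the helpdesk trustee with Supervisor on the server object; in the model, scoping the assignment at the user container still gives Supervisor there, while manual Create at HQ gives Browse and Create in the department container without touching the server.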
christiaanswane Absent Member.

Re: iManager Base Plugin assigns Admin rights to any user


Hi,

This was the type of reply I was looking for! 🙂

Ok, so the tree looks like this:
Tree
-HQ
--Department 1
---Users in Department 1
---Groups in Department 1
--Department 2
--Department 3 etc,
--OES Server located @HQ
-Site1
--Department 1
--OES Servers etc,
-Site2

The problem with giving the helpdesk tasks at "Department 1" level is
that they cannot create users (because they can't see the file
structure, they cannot create home directories on the OES Servers).
Already tried that... and the problem persists.

The Custom Plugin and Role approach seems to work correctly, it's just
that the attributes that you can select from when creating a plugin (let's
take the User Class) do not contain all the attributes to make the
custom task look and act the same as the "Create user" task in the
iManager Base Plugin.

I don't want to go the route of getting other software sets to do this
task right now (we are busy re-doing IDM in its entirety). And the main
issue I have is that clearly this was designed to work for Helpdesks...
but it is not working correctly.

What I need is an editable view of the "create user" task that ships with
iManager Base Plugin. Then I can see the attributes it uses and clone
that...



ab;262214 Wrote:
> I presume you are using Role-Based Services (RBS) within iManager,
> right?
>
> If so, and if your tree is set up properly, you can grant access to RBS
> at a certain level, specifically at the level where users (but not
> servers) exist. The result is that the rights (yes, Supervisor) are
> granted there, but since they are not granted above a server or NCP
> volume object, they do not flow into the filesystem. You could probably
> put an IRF on the server and NCP volume objects to block that too, but
> it may impact your helpdesk folks' abilities to do other things.
>
> Another alternative is that you could grant the Helpdesk role but NOT
> assign rights (it's a checkbox when you grant the role rights at a
> certain level in the tree, as I recall). As a result, you'll need to
> grant rights manually, but you can do that yourself pretty easily
> (Create to [Entry Rights] at whatever level of the tree) though you
> need to manage those yourself.
>
> Better yet, use something else to manage user creation. Identity
> Manager (IDM) is a great way to do this. Using Self-Service Password
> Reset (SSPR) is another great way, which means your helpdesk folks do
> not need iManager for creates at all. You may still need to grant other
> rights, or RBS roles, for other purposes (standard user changes) but
> some of those could also probably be done another way if the
> requirements are known.
>
> --
> Good luck.
>
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...


