Creating a User Policy Package

In order to create a policy that affects users who are logging into the tree through workstations, you need to create a User Policy Package. To create a User Policy Package, do the following:

  1. Start ConsoleOne.

  2. Browse to the container where you want to create the policy package, and make sure that container is selected in ConsoleOne. Remember that you do not have to create the policy package in the container where you are doing the associations. You can associate the same policy package to many containers in your tree.

  3. Create the policy package by right-clicking and choosing New, Policy Package or by selecting the Policy Package icon on the toolbar.

  4. Select the User Package object in the wizard panel and press Next.

  5. Enter the desired name of the package in the Policy Package Name field and select the container where you want the package to be located. The container field is already filled in with the selected container so you should not have to browse to complete this field. If you do need to browse, press the Browser button next to the field and find the container where you want the policy object stored. Press Next.

  6. Select the Define Additional Attributes field in order to go into the properties of your new object and activate some policies. Press Finish.

  7. Check and set any policies you desire for this User Policy Package and press OK.

The following subsections describe each of the fields and property pages that are available in the User Policy Package.

Policies Property Page

All of the user policies are activated within the policies property page. Initially, the page shows the general policies. As other platforms are selected, additional policies are displayed. You can select which platform to display by clicking the word Policies in the tab. This activates a drop-down menu that allows you to select which platform-specific page you want to display (see Figure 8.1).

Figure 8.1. User Policy Package policies property page with drop-down menu.


The following sections discuss briefly each of the policy pages; subsequent sections cover the specifics of each policy.

General Policies

When you first go into the properties of the User Policy Package, you are presented with the Policy Property page. The policy page first displays the general category. All of the policies that are activated in the general category are active for all platforms supported by ZENworks for Desktops and associated with the logged-in user.

Figure 8.2 shows a snapshot of the initial property page of the User Policy Package.

Figure 8.2. User Policy Package policies general property page.


As you can see from Figure 8.2, only the Remote Control Policy and the iPrint Policy are available to all of the platforms supported by ZENworks for Desktops 4. The Remote Control Policy and iPrint Policy are discussed later in this chapter.

In order to activate a policy, you simply need to check it. You can then go into the details of the policy and set additional configuration parameters on that specific policy.

Win95-98 Policies

Within the policies tab, you can select the Windows 95-98 policy page. This page displays the policies that are available for your Windows 98 users. These policies include the Windows Desktop Preferences policy, Remote Control policy, iPrint Policy, and the User Extensible policies. See Figure 8.3 for a sample of the Win95-98 policies page.

Figure 8.3. User Policy Package Win95-98 policies property page.


As you can see, the Remote Control policy appears on both the General and the Win95-98 policies pages. When you select a policy on the Win95-98 page, it supersedes any selections made on the General tab. The policies are not merged; the platform-specific policy is used instead of the policy set in the general category. Only the policies selected in the platform-specific tab replace their general counterparts. For example, if the Remote Control policy is selected in the General tab and is not selected in the Win95-98 tab, when an associated user logs into a Windows 98 system, the general Remote Control policy is activated for that user.

WinNT Policies

Within the policies tab you can select the Windows NT policy page. This page displays the policies for Windows NT users. These policies include the Novell iPrint policy, Dynamic Local User policy, Windows Desktop Preferences policy, Remote Control policy, and the User Extensible policies. See Figure 8.4 for a sample of the WinNT policies page.

Figure 8.4. User Policy Package WinNT policies property page.


As with the Win95-98 properties page, the Remote Control policy appears on both the General and the WinNT policies pages. When you select a policy on the WinNT page, it supersedes any selections made on the General tab for that platform. The policies are not merged; the platform-specific policy is used instead of the policy set in the general category. Only the policies selected in the platform-specific tab replace their general counterparts. For example, if the Remote Control policy is selected in the General tab and is not selected in the WinNT tab, when an associated user logs into a Windows NT system, the general Remote Control policy is activated for that user.

Win-2000 Policies

Within the policies tab you can select the Windows 2000 policy page. This page displays the policies for your Windows 2000 users. These policies include the Dynamic Local User policy, Windows Desktop Preferences policy, Novell iPrint policy, Remote Control policy, User Extensible policies, and the Windows Group Policy. See Figure 8.5 for a sample of the Win2000 policies page.

Figure 8.5. User Policy Package Win2000 policies property page.


Note that the Remote Control policy appears on both the General and the Win2000 policies pages. When you select a policy on the Win2000 page, it supersedes any selections made on the General tab for that platform.

WinXP Policies

Within the policies tab you can select the Windows XP policy page. This page displays the policies that are available for your Windows XP users. These policies include the Dynamic Local User policy, Novell iPrint policy, Windows Desktop Preferences policy, Remote Control policy, and the Windows Group Policy. See Figure 8.6 for a sample of the WinXP policies page.

Figure 8.6. User Policy Package WinXP policies property page.


You can see that the Remote Control policy appears on both the General and the WinXP policies pages. When you select a policy on the WinXP page, it supersedes any selections made on the General tab for that platform.

Win2000 Terminal Server Policies

Within the policies tab, you can select the Windows 2000 Terminal Server policy page. This page displays the policies that are available for your Windows 2000 Terminal Server users. These policies include the Dynamic Local User policy, Novell iPrint policy, Windows Desktop Preferences policy, Remote Control policy, User Extensible policies, and the Windows Terminal Server Policy. See Figure 8.7 for a sample of the Win2000 Terminal Server policies page.

Figure 8.7. User Policy Package Win2000 Terminal Server policies property page.


You can see that the Remote Control policy appears on both the General and the Win2000 Terminal Server policies pages. When you select a policy on the Win2000 Terminal Server page, it supersedes any selections made on the General tab for that platform, as described in earlier sections.

WinXP Terminal Server Policies

Within the policies tab, you can select the Windows XP Terminal Server policy page. This page displays the policies for your Windows XP Terminal Server users. These policies include the Dynamic Local User policy, Novell iPrint policy, Windows Desktop Preferences policy, Remote Control policy, User Extensible policies, and the Windows Terminal Server Policy. See Figure 8.8 for a sample of the WinXP Terminal Server policies page.

Figure 8.8. User Policy Package WinXP Terminal Server policies property page.


You can see the Remote Control policy is under the general and the WinNT Terminal Server policies page. When you select a policy in the WinXP Terminal Server page, it supersedes any selections made on the general tab for that platform, as described in previous sections.

Associations Property Page

The Associations Page of the Windows User Policy Package displays all of the locations in the tree (containers) where the policy package has been associated. These associations do not necessarily reflect where the policy package is located in the directory. The Windows users who are in or below those containers have this policy package enforced. Choosing the Add or Remove buttons allows you to add or remove containers in the list that are associated with this policy.

NDS Rights Property Pages

The NDS Rights property page is made up of three sections. You can get to each of the pages by clicking on the small triangle to the right of the page name, and then selecting the desired page to be displayed.

These pages allow you to specify the rights that users have to this object. The following subsections discuss briefly each of these pages. These NDS Rights pages are displayed for every object in the tree.

Trustees of This Object Page

On this page you can grant objects rights as trustees of the User Policy Package. These trustees have rights to this object or to attributes within this object.

When you assign a container as a trustee of an object, everyone in that container or subcontainer has some rights to this object. To view the details of any trustee assignment (in order to modify the assignment), you need to choose the Assigned Rights button.

When you choose the Assigned Rights button, you are presented with a dialog box that allows you to select either [All Attribute Rights] (meaning all of the attributes of the object) or [Entry Rights] (meaning the object, not implying rights to the attributes).

From within the assigned rights dialog box, you can set the rights for the object on this package. You can set those rights on the object as well as any individual property in the object. The rights that are possible are the following:

  • Browse: Although not in the list, this right shows up from time to time (especially in the effective rights screens). This represents the capability to view this information through public browse capabilities.

  • Supervisor: This right identifies that the trustee has all rights, including delete, for this object or attribute.

  • Compare: This right provides the trustee with the capability to compare values of attributes.

  • Read: This right allows the trustee to read the values of the attribute or attributes in the object.

  • Write: This right provides the trustee with the capability to modify the contents of an attribute.

  • Add Self: This right allows the trustee to add itself as a member of the list of objects in the attribute. For example, if this right were given on an attribute that contains a list of linked objects, the trustee could add itself (a reference to its own object) to the list.

If you want to add the object as a trustee to an attribute, choose the Add Property button to bring up a list of properties or attributes that are available for this object.

From this list, you can select a single attribute. This attribute is then displayed in the Assigned Rights dialog box. From there you can select the attribute and then set the rights you want the trustee to have for that property. A user does not require object rights in order to have rights on a single attribute in the object.

Remember that rights flow down in the tree. If you give a user rights at a container level, those rights continue down into that container and any sub-containers until that branch is exhausted or until another explicit assignment is given for that user in a sub-container or on an object. An explicit assignment changes the rights for the user at that point in the tree. You can also use inherited rights filters to restrict the flow of rights down into the tree.

Inherited Rights Filters Page

This page allows you to set the IRF (Inherited Rights Filter) for this object. This filter restricts the rights of any user who accesses this object, unless that user has an explicit trustee assignment for this object.

You can think of the IRF as a filter that lets only the checked items pass through unaltered. Rights that bump up against an IRF are blocked and discarded if the item is not checked. For example, consider a user who has write privileges inherited from some point above the current container (the user was explicitly granted that right at some container at or above the one we're in). This user runs into an IRF for an object or attribute that has the write privilege revoked (that is, unchecked). When the user gets to that object, the write privilege is gone for that object. If the object is a container, the user loses write privileges for all objects in that container or its sub-containers.

You can effectively remove supervisor privileges to a portion of the tree by setting an IRF with the supervisor privilege turned off. You must be careful not to do this without someone being assigned as the supervisor of that branch of the tree (given an explicit supervisor trustee assignment at the container where the IRF is done) or you'll make that part of the tree permanent (that is, you can't ever delete any objects in that branch of the tree).

ConsoleOne helps prevent you from performing this action. It shows an error dialog box that keeps you from doing this without having first given an explicit supervisor assignment on the same container.
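The rights flow described in the last two subsections, as an added example (not from the book and not ConsoleOne code): a simplified Python model that computes a trustee's effective rights through explicit assignments and IRFs, and flags any IRF that blocks Supervisor where nobody holds an explicit Supervisor assignment. All container, package, and trustee names are hypothetical; the model assumes one trustee at a time (no groups or security equivalence) and a single rights set instead of separate entry and attribute rights.

```python
# Added example: simplified model of trustee assignments and IRFs (not ConsoleOne code).
ALL_RIGHTS = frozenset({"Supervisor", "Compare", "Read", "Write", "Add Self"})

class Node:
    """One object or container in the tree."""
    def __init__(self, name, parent=None, irf=None):
        self.name, self.parent = name, parent
        # irf = rights allowed to pass (the checked boxes); None = no filter set
        self.irf = None if irf is None else frozenset(irf)
        self.trustees = {}  # trustee -> rights explicitly assigned on this node

    def grant(self, trustee, *rights):
        self.trustees[trustee] = frozenset(rights)
        return self

def effective_rights(trustee, target):
    """Walk from the root down to target, applying assignments and filters."""
    path, node = [], target
    while node is not None:
        path.append(node)
        node = node.parent
    rights = frozenset()
    for node in reversed(path):
        if trustee in node.trustees:
            rights = node.trustees[trustee]   # explicit assignment replaces inherited rights
        elif node.irf is not None:
            rights &= node.irf                # unchecked rights are discarded at this node
    # Supervisor means all rights on the object where it is still in effect
    return ALL_RIGHTS if "Supervisor" in rights else rights

def irf_lockouts(nodes):
    """Names of nodes whose IRF blocks Supervisor while no trustee holds it explicitly there."""
    return [n.name for n in nodes
            if n.irf is not None and "Supervisor" not in n.irf
            and not any("Supervisor" in r for r in n.trustees.values())]

def sample_tree():
    """Constructed sample data; every name here is hypothetical."""
    root = (Node("O=ACME").grant("admin", "Supervisor")
            .grant("helpdesk", "Read", "Write", "Compare"))
    policies = Node("OU=Policies", root, irf={"Read", "Compare"}).grant("poladmin", "Supervisor")
    sales = Node("OU=Sales", root, irf={"Read", "Compare"})  # no explicit Supervisor here
    return {"root": root, "policies": policies, "sales": sales,
            "user_pkg": Node("CN=UserPkg", policies),
            "sales_pkg": Node("CN=SalesPkg", sales)}

if __name__ == "__main__":
    tree = sample_tree()
    for who in ("admin", "helpdesk", "poladmin"):
        print(who, sorted(effective_rights(who, tree["user_pkg"])))
    print("IRF lockouts:", irf_lockouts(tree.values()))
```

In the sample tree, the tree-level admin loses all rights below OU=Policies, but poladmin can still manage that branch; OU=Sales is flagged because its IRF blocks Supervisor and no explicit Supervisor trustee exists there.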

The Effective Rights Page

The Effective Rights property page allows you to query the system to discover the rights that selected objects have on the object you are administering.

Within this page, you are presented with the Distinguished Name (DN) of the object whose rights you want to observe. Initially, this is the currently logged-in user running ConsoleOne. You can use the Browse button to the right of the trustee field and browse throughout the tree to select any object.

When the trustee object is selected, you can then move to the properties table on the lower half of the screen. As you select the property, the box to the right changes to reflect the rights that the trustee has on that property. These rights may be via an explicit assignment or through inheritance.

Other Property Page

This page might not be displayed for you, depending on your rights to the plug-in that now comes with ConsoleOne.

WARNING

This page is particularly powerful. People who do not have an intimate knowledge of the schema of the object in question and its relationships with other objects in the directory should avoid using this page.


The intention of this property page is to give you generic access to properties that you cannot modify or view via the other plugged-in pages. The attributes and their values are displayed in a tree structure, which accommodates attributes that are compound types (consisting of, say, an integer and a distinguished name, or a postal code that has three separate address fields).

Every attribute in eDirectory is defined by one of a specified set of syntaxes. These syntaxes identify how the data is stored in eDirectory. For this page, ConsoleOne provides an editor for each of the syntaxes currently available in eDirectory. When an attribute is displayed on this page, the matching editor displays the data and lets you modify it when you click the specific attribute.

For example, if the syntax for an attribute were a string or an integer, an in-line editor is launched, thus allowing the administrator to modify the string or the integer value on the screen. More abstract syntaxes such as octet-string require that an octet editor be launched, thus giving the administrator access to each of the bytes in the string, without interpretation of the data.

The danger with this screen is that some applications require attribute values to be coordinated between two attributes within the same object or across multiple objects. Additionally, many applications assume that the data in the attribute is valid, because the normal user interface checks for invalid entries and does not allow them to be stored in the attribute. If you change a data value in the Other page, related attributes, related objects, and valid data values are not checked, because the generic editors know nothing about the intention of the field. Should you change a value without making all the other appropriate changes, some programs, and the system, could be affected.

Rights are still in effect in the Other property page. You cannot change any attribute values that are read-only, or change any values that you do not have rights to modify.

Rights to Files and Folders Property Page

This page in the property book is present in all objects in the directory. This property page allows you to view and set the rights this object has to specific files and folders on a volume.

You must first select the volume that contains the files and folders in which you are interested. You can do this by pressing the Show button on the right and then browsing the directory to the volume object. Selecting the volume object places it in the volumes view. When that volume is selected you can use the Add button to add a file or folder of interest. This brings up a dialog box allowing you to browse to the volume object. Clicking on the volume object moves you into the file system. You can continue browsing that volume until you select the file or directory to which you want to grant rights.

Selecting the file or folder in the lower pane displays the rights that the object has been granted on that file or folder. To modify the rights, simply choose them to turn them on or off.

You can also see the effective rights that the object has on the files by pressing the Effective Rights button. This displays a dialog box, allowing you to browse to any file in the volume. The object's effective rights are displayed (in bold). These effective rights include any explicit and inherited rights from folders higher in the file system tree. Remember that anyone with supervisor rights to the server or volume automatically has supervisor rights in the file system.



Novell's ZENworks for Desktops 4. Administrator's Handbook
ISBN: 0789729857
Year: 2003
Pages: 198
Authors: Brad Dayley