iManager | Novell Open Enterprise Server Administrators Handbook, SUSE LINUX Edition

OES Linux includes iManager 2.5, a web-based tool for administering, managing, and configuring OES components, services, and eDirectory objects. iManager allows Role Based Services (RBS) to give you a way to focus the user on a specified set of tasks and objects as determined by the user's role(s). What users see when they access iManager is based on their role assignments in eDirectory.

iManager has been architected to leverage Novell's exteNd web services platform, and is in effect a management portal for Novell's products and services. It runs on Apache Web Server. For more information on Apache Web Server, see Chapter 14, "OES Web Foundations."

Although other management tools, such as ConsoleOne, can be used to administer specific components of OES Linux, nearly all management tasks can be done through iManager. Among other things, you can define management roles to administer Linux User Management (LUM), iPrint, iFolder, IP address management, and perform eDirectory object management. iManager is the preferred management platform for OES Linux.

Installing iManager

In some OES Linux installations and patterns, iManager will not be installed automatically. If you did not select to install iManager during the server installation, it can be manually reinstalled through YaST, or the command line. To install iManager via YaST, complete the following steps:

1.	Access YaST from a terminal using `yast`, or from a graphical environment using `yast2` or the YaST launcher from the application menu.
2.	Select the Network Services category in YaST. From within this category, locate and select the iManager module. This module will detect that the RPMs for iManager are missing and ask if you want to install them. Select Continue to install the necessary packages.
3.	At the conclusion of the software installation, `SuSEconfig` is executed to update the system configuration. When this completes, the configuration of the iManager will begin automatically.
4.	At the iManager Configuration screen, enter the following information and click Next: eDirectory Tree Enter the name of the eDirectory tree iManager will be servicing. FDN Admin Name with Context Enter the eDirectory administrators credentials using fully qualified dot notation, for example, `cn=admin.o=novell`.
5.	The iManager configuration is now saved, and necessary iManager plug-ins are automatically installed. Depending on the OES components installed, this step can take some time.
6.	In order for iManager to be active, select to restart Apache and Tomcat when prompted.

When you've installed iManager, you can open it from its URL, using either HTTP or HTTPS, at <server IP address>/nps/iManager.html. You will be required to authenticate in order to access iManager, and will have access to only those features to which you have rights. For full access to all iManager features, authenticate as a user with Supervisory rights to the eDirectory tree (see Figure 5.2).

Figure 5.2. The iManager 2.5 home page.

You can also open iManager in Simple mode, suitable for compliance with Federal accessibility guidelines. It provides the same functionality as Regular mode, but with an interface optimized for accessibility by those with disabilities (for example, expanded menus for blind users who rely upon spoken commands). To use Simple mode, replace iManager.html with Simple.html in the iManager URL. For example:

https://www.quills.com/nps/Simple.html

https://192.168.1.100/nps/Simple.html

Using either interface, you will have access to only those features to which you have rights. For full access to all iManager features, authenticate as a user with Supervisory rights to the eDirectory tree.

iManager Basics

As shown in Figure 5.2, iManager is organized into three main sections, or frames:

Header frame The Header frame is located at the top of the screen. Its buttons provide access to the various "views," or content categories, available through iManager, as well as an Exit link to close the browser window.
Navigation frame The Navigation frame is located on the left side of the screen. It allows you to navigate among the various management tasks associated with the selected iManager view. What you see is further constrained by the rights of your authenticated identity.
Content frame The Content frame occupies the middle-right part of the screen. When you select a link in the Header or Navigation frames, the appropriate information is displayed in the Content frame.

TIP

If you see the Looking Glass icon next to a field in iManager, you can use it to browse or search the tree for specific objects to use in creating, defining, and assigning roles.

Role-Based Management with iManager

Role-Based Services (RBS) allow administrators to assign users a management role. A role is a specific set of functions, or tasks, that the user is authorized to perform. After users have been given a role, or roles, what they see and have access to in iManager is based on their role assignments. Only the tasks assigned to the authenticated user are displayed.

Compared to older iManager versions on NetWare or Linux, RBS has been significantly expanded in iManager 2.5. RBS now offers very robust configuration and assignment of network management responsibilities. RBS is configured through iManager, and all RBS-related information is maintained in a set of RBS objects in eDirectory. These object types include the following:

RBS Collection A container object that holds a set of RBS modules that will be assigned to a given portion of your eDirectory tree.
RBS Module A container inside the RBS collection that organizes available RBS Tasks and Books into functional groups. RBS modules let you assign users responsibility for specific functionality within a product or service.
RBS Role Specifies the tasks that users (members) are authorized to perform. Defining a role includes creating an RBS Role object and linking it to the tasks that the role can perform. RBS roles can be created only in an RBS Collection container.
RBS Task Represents a specific function, such as resetting login passwords. RBS Task objects are located only in RBS Module containers.
RBS Book Represents written materials associated with a given module, such as manuals, instructions, and so on. RBS books are located only in RBS Module containers.
RBS Scope Represents the context in the tree where a role will be performed, and is associated with RBS Role objects. This object is dynamically created when needed, and automatically deleted when no longer needed.

WARNING

Never change the configuration of an RBS Scope object. Doing so can have very serious consequences and could potentially break the system.

CONFIGURING ROLE-BASED SERVICES

During the iManager installation, the schema of your eDirectory tree was extended to support the RBS object types specified previously. To set up RBS for the first time, complete the following steps in iManager:

1.	In the Header frame, select the Configure button.
2.	In the Navigation frame, open the Role Based Services group and select RBS Configuration.
3.	Select Configure iManager in the Content frame.
4.	Finish applying RBS schema extensions by selecting Next.
5.	Specify the name and location for the RBS Collection and click Next.
6.	In the RBS Modules page, make your desired selections and click Start: Specify the RBS Modules that you want installed in this RBS Collection. Each module provides a different set of management tasks that can be assigned as a group. Specify a scope for the RBS Modules you have selected. The scope specifies the container in which those assigned this management role will be able to perform those management tasks. Select Inheritable if you want the management tasks to be applicable to all subcontainers of the Scope you specify.
7.	When the installation of iManager modules completes, click Close.

Based on your selections, this will create all the appropriate RBS objects in your eDirectory tree. When you have configured your RBS Collection, selecting RBS Configuration in the Navigation frame will open the RBS Configuration task, as shown in Figure 5.3.

Figure 5.3. RBS Configuration page in iManager 2.5.

CONFIGURING RBS

From RBS Configuration you have full control over the structure of your role-based management system, including creating new Collections, adding/deleting Modules within Collections, and creating/assigning Roles to users.

When you install RBS, iManager creates specific relationships between Tasks, Modules, and Roles. However, you can modify task assignments, create customized Roles, or do most anything else you might need in order to align the RBS system to the realities of your network. For example, to assign a Role object to a specific user, complete the following steps in iManager:

1.	In the Header frame, select the Configure button.
2.	In the Navigation frame, open the Role Based Services group and select RBS Configuration.
3.	Select the Collection in which you want to work by clicking its name in the Content frame.
4.	From the Roles tab, select the Role you want to assign and click Actions, Member Associations.
5.	In the Member Associations screen, provide the requested information and click Add. You can repeat this process for as many users as you want. Browse to, or specify, the User object you want to assign to this Role. Specify the scope for which the specified user should have access to the Role. The scope specifies the directory context under which the User can perform the management tasks associated with this Role. By default, the scope will be inheritable, meaning that the Role will be active from that point down in the eDirectory tree for this user.
6.	When finished assigning users to this Role, click OK.

After being assigned to Roles, users will have access to the iManager pages associated with the assigned Role.

RBS is a powerful framework for configuring and managing administrative access to your network. Consider your assignments carefully and you can greatly increase the security of your environment by giving only the level of access necessary for a user to perform his or her job.