Setting Up a Service Location Policy Package

To create a Service Location Policy Package, do the following:

  1. Start ConsoleOne.

  2. Browse to the container where you want to have the policy package.

    NOTE

    Remember: You do not have to create the policy package in the container where you are performing the associations. You can associate the same policy package to many containers in your tree.

  3. Create the policy package by right-clicking and choosing New, Policy Package or by selecting the Policy Package icon on the toolbar.

  4. Select the Service Location Policy Package object in the wizard panel and press Next.

  5. Enter the desired name of the package in the Policy Package Name field and select the container where you want the package to be located. The container field is already filled in with the selected container, so you should not have to browse to complete this field. If it's not filled in, press the Browse button next to the field, and then select the container where you want the policy object stored. Press Next.

  6. Select the Define Additional Attributes field. You can activate some policies in your new object. Press Finish.

  7. Check and set any policies you desire for this Service Location Policy Package, and then press OK.

The following sections describe the options available in the Service Location Policy Package.

Policies Tab

All the user policies are activated within the Policies tab on the Location Policy page. Initially, the Policies tab displays the General panel. In the Service Location Policy Package, no platform-specific policies currently exist. Therefore, no drop-down menu is present on the Policies tab. The Policies tab lists the set of available policies (see Figure 11.1).

Figure 11.1. The Policies tab of the Service Location Package page.


Once you have created a Service Location Policy Package, you can activate policies. By clicking on a policy within the policy package, that policy becomes active. You can modify the details of any particular policy by selecting the policy and then pressing the Properties button.

The Reset button on the policies page resets the selected policy to the system defaults.

Associations Tab

The Associations tab of the Service Location Policy Package page displays all of the locations in the tree (containers) where the policy package has been associated. These associations do not necessarily reflect where the policy package is located in the directory. The agents associated with users or workstations in or below those containers have this policy package enforced.

The Add and Remove buttons enable you to add or remove containers in the list that are associated with this policy.

NDS Rights Tab

The NDS Rights tab is made up of three panels. You can get to each of these panels by clicking on the small triangle to the right of the tab's name, and then selecting the desired panel.

These panels enable you to specify the rights that users have to this object in the directory. The following sections discuss briefly each of these panels, which are displayed for every object in the tree.

Trustees of This Object Panel

Here you can assign objects rights as trustees of the Service Location Policy Package. These trustees have rights to this object or to attributes within this object.

If the user admin.novell has been added to the trustee list, this user has some rights to this object. To view the details of any trustee assignment (in order to modify the assignment), you need to:

  1. Select the user you want to modify and then press the Assigned Rights button. You are presented with a dialog box.

  2. In the dialog box, you can select All Attribute Rights (meaning all of the attributes of the object) or Entry Rights (meaning the object, not implying rights to the attributes).

  3. From within the Assigned Rights dialog box, you can set the rights the object has on this package. You can set those rights on the object as well as any individual property in the object. The possible attribute rights are as follows:

    • Browse: Although not in the list, this right shows up from time to time (especially in the Effective Rights screens). This enables you to view this information through public browse capabilities.

    • Supervisor: This right identifies that the trustee has all rights, including delete, to this object or attribute.

    • Compare: This provides the trustee with the capability to compare values of attributes.

    • Read: This right enables the trustee to read the values of the attribute or attributes in the object.

    • Write: This right provides the trustee with the capability to modify the contents of an attribute.

    • Add Self: This right enables trustees to add themselves as members of the list of objects of the attribute. For example, if this right were given on an attribute that contains a list of linked objects, a trustee could be added into the list.

  4. If you want to add the object as a trustee to an attribute, you need to select the Add Property button to bring up a list of properties or attributes that are available for this object.

  5. From this list, you can select a single attribute. This attribute is then displayed in the Assigned Rights dialog box.

  6. From the Assigned Rights dialog box, you can select the attribute and then set the rights you want the trustee to have for that property.

NOTE

A user does not require object rights in order to have rights on a single attribute in the object.


Remember that rights flow down in the tree. If you give a user or an object rights at a container level, those rights continue down into that container and any sub-containers until that branch is exhausted or another explicit assignment is given for that user in a sub-container or on an object. An explicit assignment changes the user's rights at that point in the tree. You can also use inherited rights filters to restrict the flow of rights down into the tree.

Inherited Rights Filters Panel

This panel enables you to set the IRF (Inherited Rights Filter) for this object. This filter restricts the rights of any user who accesses this object, unless that user has an explicit trustee assignment for this object.

You can think of the IRF as a filter that lets only checked items pass through unaltered. Rights that bump up against an IRF are blocked and discarded if the item is not checked. For example, consider a user who has write privileges inherited at some point above the current container (explicitly granted at some container at or above the one in question). That user runs into an IRF for an object or attribute that has the write privilege revoked (that is, unchecked). When the user gets to that object, his write privilege would be gone for that object. If the object is a container, the user loses write privileges for all objects in that container or sub-container.

You can effectively remove supervisor privileges from a portion of the tree by setting an IRF with the supervisor privilege turned off. You must be careful not to do this without someone being assigned as the supervisor of that branch of the tree (given an explicit supervisor trustee assignment at the container where the IRF is done). Otherwise, you'll never be able to delete or modify any objects in that branch of the tree.

ConsoleOne helps prevent you from performing this action by giving you an error dialog box that keeps you from putting an IRF on the entry rights of the object, without having first given an explicit supervisor assignment on the same container.
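The inheritance and IRF rules described above can be modeled in a few lines. The following Python sketch is an added example, not code from the book or from ConsoleOne; it is a simplified model (entry rights only, a single trustee at a time), and the tree, the trustee names, and the function names are constructed for illustration.

```python
# Simplified model of the rules above: rights flow down the tree, an IRF lets
# only checked rights pass, and an explicit assignment replaces inherited rights.
ALL_RIGHTS = frozenset({"Supervisor", "Compare", "Read", "Write", "Add Self", "Browse"})

# Constructed sample tree: name -> (parent, IRF or None, explicit trustee assignments).
# An IRF of None means no filter is set, so every inherited right passes.
TREE = {
    "O=acme": (None, None, {"admin.acme": {"Supervisor"},
                            "jsmith.acme": {"Read", "Write", "Compare"}}),
    "OU=policies.O=acme": ("O=acme", {"Read", "Compare", "Browse"}, {}),
    "CN=pkg.OU=policies.O=acme": ("OU=policies.O=acme", None, {}),
    "OU=lab.O=acme": ("O=acme", None, {"jsmith.acme": {"Read"}}),
    "OU=vault.O=acme": ("O=acme", {"Read"}, {"vaultadmin.acme": {"Supervisor"}}),
}


def effective_rights(tree, trustee, target):
    """Walk from the root down to target, applying IRFs and explicit assignments."""
    path = []
    node = target
    while node is not None:
        path.append(node)
        node = tree[node][0]
    rights = frozenset()
    for node in reversed(path):
        _, irf, explicit = tree[node]
        if trustee in explicit:
            # An explicit assignment changes the rights at this point in the tree.
            rights = frozenset(explicit[trustee])
        elif irf is not None:
            # Inherited rights that are not checked in the IRF are discarded.
            rights = rights & frozenset(irf)
    # Supervisor means the trustee has all rights.
    return ALL_RIGHTS if "Supervisor" in rights else rights


def supervisor_lockouts(tree):
    """Objects whose IRF blocks Supervisor with no explicit Supervisor trustee set there."""
    return sorted(
        name for name, (_, irf, explicit) in tree.items()
        if irf is not None and "Supervisor" not in irf
        and not any("Supervisor" in granted for granted in explicit.values())
    )


if __name__ == "__main__":
    for who in ("admin.acme", "jsmith.acme"):
        for where in TREE:
            print(who, where, sorted(effective_rights(TREE, who, where)))
    print("Branches with no supervisor:", supervisor_lockouts(TREE))
```

In the sample tree, OU=policies is the misconfiguration the text warns about: its IRF drops Supervisor and nobody holds an explicit Supervisor assignment there, so even admin.acme ends up with no rights in that branch.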

Effective Rights Panel

The Effective Rights panel enables you to query the system to discover the rights that selected objects have on the object you are administering.

Within this panel, you are presented with the Distinguished Name (DN) of the object whose rights you want to observe. Initially, this is your currently logged in user running ConsoleOne. You can press the Browse button to the right of the trustee field and browse throughout the tree to select any object.

When the trustee object is selected, you can then move to the properties table on the lower half of the screen. As you select the property, the rights box changes to reflect the rights that the trustee has on that property. These rights can be gained via an explicit assignment or through inheritance.

Other Tab

This tab might not be displayed for you, depending on your rights to the plug-in that now comes with ConsoleOne. The intention of this tab is to give you generic access to properties you cannot modify or view via the other plugged-in pages.

The attributes and their values are displayed in a tree structure, allowing for those attributes that have multiple types, such as compound types consisting of an integer and a distinguished name, or postal codes that have three separate address fields.

WARNING

The options on this tab are particularly powerful. People who do not have an intimate knowledge of the schema of the object in question and its relationships with other objects in the directory should avoid these options.


Every attribute in eDirectory is defined by one of a specified set of syntaxes. These syntaxes identify how the data is stored in eDirectory. For this tab, ConsoleOne has developed an editor for each of the different syntaxes currently available in eDirectory. When an attribute is displayed on this tab, the editor displays the data and lets you modify it when you click the specific attribute.

For example, if the syntax for an attribute is a string or an integer, an in-line editor is launched. This editor enables the administrator to modify the string or the integer value on the screen. More abstract syntaxes, such as octet-string, require that an octet editor be launched, thus giving the administrator access to each of the bytes in the string, without interpretation of the data.

The danger with this screen is that some applications require that there be a coordination of attribute values between two attributes within the same object or across multiple objects. Additionally, many applications assume that the data in the attribute is valid, because the normal user interface checks for invalid entries and does not enable them to be stored in the attribute. If you change a data value on the Other tab, related attributes, related objects, and the validity of the value are not checked, because the generic editors know nothing about the intention of the field. Should you change a value without making all the other appropriate changes or without putting in a valid value, some programs and the system could be affected.

Rights are still in effect on the Other tab, and you are not allowed to change any attribute values that are read-only or that you do not have rights to modify.

Rights to Files and Folders Tab

This tab is present in all objects in the directory. It enables you to view and set rights of the files and folders on the volume in question. To set such rights, use the following steps:

  1. First select the volume that contains the files and folders in which you are interested. You can do this by pressing the Show button, and then browsing the directory to the volume object.

  2. Selecting the volume object places it in the volumes view. When that volume is selected, you can then choose the Add button to add a file or folder of interest.

  3. This brings up a dialog box enabling you to browse to the volume object; clicking the volume object moves you into the file system. You can continue browsing that volume until you select the file or directory to which you are interested in granting rights.

  4. Selecting the file or folder in the lower pane displays the rights that the object has been granted on that file or folder. To modify the rights, simply click on or off the rights that you want to have explicitly granted for the object.

  5. You can also see the effective rights that the object has on the files by pressing the Effective Rights button. This displays a dialog box that enables you to browse to any file in the volume. The object's effective rights are displayed (in bold). These effective rights include any explicit and inherited rights from folders higher in the file system tree.

NOTE

Remember that anyone who has supervisor rights to the server or volume objects automatically gets supervisor rights in the file system.




Novell's ZENworks for Desktops 4. Administrator's Handbook
ISBN: 0789729857
EAN: 2147483647
Year: 2003
Pages: 198
Authors: Brad Dayley
