{panel:title=Features Under Development|titleBGColor=#F8D583|borderColor=black|bgColor=#FFE4B5}
Some of the features documented on this page are not yet available and might be released in the future.
{panel}

h1. {anchor:ACFAR} Delegated Administrator Overview

The Delegated Administrator utility and console let you provision users, groups, domains, and resources in an LDAP directory used by Communications Suite applications such as Messaging Server, Calendar Server, and Instant Messaging.

This document describes the following topics:

{toc:minLevel=2|maxLevel=2}

The following related topic is on a separate page:
* [Service Packages]

h2. {anchor:ACFAS} Introduction to Delegated Administrator

Delegated Administrator provisions the directory to support Messaging Server, Calendar Server, and Instant Messaging. With Delegated Administrator, you can distribute provisioning tasks to lower-level administrators who have the authority to manage specified organizations in the LDAP directory.

The power to delegate user administration offers the following advantages:
* Distributes among many administrators the potentially time-consuming responsibility for provisioning a large directory. Tens or hundreds of administrators can manage organizations within a directory that may include thousands or millions of users.
* Allows you to create organizations in the directory structure that can be managed and provisioned as distinct (or unique) units. These organizations can contain users belonging to customer businesses, corporate departments, or other groups.

Delegated Administrator provides two interfaces for provisioning users and organizations in the directory:
* [Delegated Administrator Utility|#ACFAT]
* [Delegated Administrator Console|#ACFAU]

These interfaces are summarized in the sections that follow.

h4. {anchor:ACFAT} Delegated Administrator Utility

The Delegated Administrator utility is a set of command-line tools for provisioning Messaging Server, Calendar Server, and Instant Messaging organizations, users, groups, and Calendar resources.

{info:title=Note}
The Delegated Administrator utility does not offer commands for creating the Service Provider roles and organizations described in this book. To create and manage these new roles and organizations, you must use the Delegated Administrator console.
{info}

You invoke the utility with the {{commadmin}} command. For information about the syntax and options available with the {{commadmin}} utility, see [Delegated Administrator Utility (commadmin) Reference].

h4. {anchor:ACFAU} Delegated Administrator Console

The Delegated Administrator console is a graphical user interface (GUI) for provisioning Messaging Server, Calendar Server, and Instant Messaging organizations, users, groups, and Calendar resources. For information on how to use the console, see the Delegated Administrator console online help.

h4. {anchor:ACFAV} Delegated Administrator LDAP Attributes

Delegated Administrator enables you to provision users by modifying the LDAP directory. You do not need to modify the directory directly. However, it can be useful to understand the Delegated Administrator attributes added to user entries and higher-level nodes in the directory.

For information about the LDAP schema object classes and attributes that support Delegated Administrator, see [Communications Suite Delegated Administrator LDAP Object Classes and Attributes]. The [Communications Suite Schema Reference] also defines the object classes and attributes that support the other Communications Suite components: Messaging Server, Calendar Server, Instant Messaging, Address Book, and Communications Express.

h2. {anchor:GFGZT} Configuration Choices for LDAP Directory Access, Schema, and Access Manager

{panel:|borderColor=#ccc|bgColor=#FFFFCE}
The following feature documented in this section was introduced in *Delegated Administrator 7:* Direct LDAP access to the directory (no dependence on AM)
{panel}

h3. {anchor:GFGZK} Direct LDAP Access to the Directory

By default, Delegated Administrator accesses the directory through direct LDAP calls. By using direct LDAP access, Delegated Administrator allows the following configuration choices:
* You can provision objects in a Schema 1 or Schema 2 directory
* You can use Access Manager (Realm mode) with the Communications Suite products (including Delegated Administrator)
* You can run Delegated Administrator, and any other Communications Suite product, without installing or using Access Manager

To take advantage of these choices, you must:
* Choose whether to use Schema 1 or Schema 2 when you run the Directory Server Preparation Tool, {{comm_dssetup.pl}}
* Select “Direct LDAP access to the directory (DL)” when you run the Delegated Administrator configuration program, {{config-commda}}

h3. {anchor:GFHAS} Directory Access Through Access Manager (Legacy Mode)

Alternatively, you can configure Delegated Administrator to access the directory using Access Manager in Legacy mode.

This access method is intended for users of previous releases of Delegated Administrator who are upgrading to the current release and want to continue to use Access Manager in Legacy mode. However, Access Manager (Legacy mode) will be deprecated in a future Access Manager release.

You configure this access method by choosing “Access Manager LDAP access (AM)” when you run the Delegated Administrator configuration program, {{config-commda}}.

In the Access Manager (Legacy mode) access method:
* Access Manager (Legacy mode) must be installed. If you choose this access method, Delegated Administrator cannot be configured or run without Access Manager.
* Access Manager (Realm mode) cannot be installed. With this access method, Delegated Administrator is not compatible with Access Manager in Realm mode.
* The Delegated Administrator server must use the same Web container as Access Manager. The Delegated Administrator configuration program asks for Web container information after it asks for the Access Manager base directory.

h3. {anchor:GFHAR} Summary of LDAP Directory Access, Schema, and Access Manager Configuration Choices

[Table 1-1|#GFGYP] shows the configurations permitted by Delegated Administrator for LDAP directory access, schema choice, and Access Manager.

h6. {anchor:GFGYP} LDAP Directory Access, Schema, and Access Manager Configurations
||LDAP Directory Access||Schema||Access Manager Choice||
|Direct LDAP access|Schema 2|Access Manager (Realm mode)|
|Direct LDAP access|Schema 2|Access Manager not installed|
|Direct LDAP access|Schema 1|Access Manager (Realm mode)|
|Direct LDAP access|Schema 1|Access Manager not installed|
|Access Manager (Legacy mode)|Schema 2|Access Manager (Legacy mode)|

h2. {anchor:ACFAW} Scenarios for Provisioning Users

Depending on your business needs, you can create a simple directory structure managed by a single administrator or a multi-tiered directory hierarchy in which provisioning and management tasks are delegated to lower-level administrators. This section summarizes three scenarios of increasing complexity. It then describes the administrator roles and directory structures Delegated Administrator provides to support the requirements of these scenarios.

h4. {anchor:ACFAX} One-Tiered Hierarchy

In this scenario, a company or organization might support hundreds or thousands of employees or users. All users are grouped in a single organization. A single administrator role views and manages the entire group. There is no delegation of administrative tasks.

[Figure 1-1|#GADQY] shows an example of the administrator role in a single-organization, one-tiered hierarchy.

h6. {anchor:GADQY} Administrator Role in a One-Tiered Hierarchy
!CommSuite:Communications Suite Attachments^overviewda4.gif|alt="This figure shows the administrator role in a one-tiered hierarchy."!

In this one-tiered hierarchy, the administrator is called the Top-Level Administrator (TLA). In the example shown in [Figure 1-1|#GADQY], the TLA directly manages and provisions the users (User1, User2, up to User_n_). If you have one organization in your directory, the TLA is the only administrator you need.

For more information, see the following sections:
* [Directory Structure Supporting a One-Tiered Hierarchy|#ACFBB]
* [Top-Level Administrator Role|#ACFBF]

h4. {anchor:ACFAY} Two-Tiered Hierarchy

In this scenario, a large company such as an Internet Service Provider (ISP) provides services to businesses. Each business has its own unique domain, which may contain thousands or tens of thousands of users. Instead of relying on a single Top-Level Administrator (TLA) to manage and provision all the domains, this scenario supports the delegation of tasks to lower-level administrators.

In a two-tiered hierarchy, the directory contains multiple organizations. A separate organization is created for each hosted domain. Each organization is assigned to an Organization Administrator (OA). The OA is responsible for the users in that organization. An OA cannot view or modify directory information outside the OA’s own organization.

[Figure 1-2|#GADRJ] shows an example of the administrator roles in a two-tiered hierarchy.

h6. {anchor:GADRJ} Administrator Roles in a Two-Tiered Hierarchy
!CommSuite:Communications Suite Attachments^overviewda5.gif|alt="This figure shows the administrator roles in a two-tiered hierarchy."!

In the example shown in [Figure 1-2|#GADRJ], the TLA creates and manages OA1, OA2, up to OA_n_. Each OA manages the users in one organization. If you need multiple organizations in your directory, you should create the OAs to administer the organizations and their users.

For more information, see the following sections:
* [Directory Structure Supporting a Two-Tiered Hierarchy|#ACFBE]
* [Top-Level Administrator Role|#ACFBF]
* [Organization Administrator Role|#ACFBG]

h4. {anchor:ACFAZ} Three-Tiered Hierarchy

In this scenario, a company such as an ISP offers services to hundreds or thousands of small businesses, each of which requires its own organization. The ISP may support millions of end users requiring mail services. Moreover, the ISP may work with third-party resellers who manage the end-user businesses. Each day, dozens of new organizations might have to be added to the directory. In a two-tiered hierarchy, the TLA would have to create all these new organizations.

In a three-tiered hierarchy, management tasks are delegated to a second level of administrators. This second level of delegation can ease the management of a large customer base supported by a large LDAP directory.

To support this hierarchy, Delegated Administrator introduces a new role, the Service Provider Administrator (SPA). The SPA's scope of authority lies between that of the Top-Level Administrator (TLA) and the Organization Administrator (OA).

[Figure 1-3|#GADQD] shows an example of the administrator roles in a three-tiered hierarchy.

h6. {anchor:GADQD} Administrator Roles in a Three-Tiered Hierarchy
!CommSuite:Communications Suite Attachments^overviewda6.gif|alt="This figure shows the administrator roles in a three-tiered hierarchy."!

In a three-tiered hierarchy, the TLA delegates administrative authority to Service Provider Administrators (SPAs). The SPAs can create subordinate organizations for new customers and assign Organization Administrators (OAs) to manage users in those organizations. If you need multiple organizations that are themselves divided into subgroups or organizations, you can use a three-tiered hierarchy that implements the TLA, SPA, and OA roles.

For information about the SPA role, see [Service Provider Administrator and Service Provider Organizations].

h2. {anchor:ACFBA} Administrator Roles and the Directory Hierarchy

This section shows sample Directory Information Trees that implement one- and two-tiered hierarchies. It then describes the tasks that can be performed by the Top-Level Administrator and Organization Administrator.

h4. {anchor:ACFBB} Directory Structure Supporting a One-Tiered Hierarchy

When you configure Delegated Administrator by running the configuration program, {{config-commda}}, you create a Top-Level Administrator (TLA) and a default organization.

h5. {anchor:ACFBC} One-Tiered Hierarchy: Default Organization Under the Root Suffix

By default, the configuration program places the default organization under the root suffix. The Directory Information Tree will look similar to the one shown in [Figure 1-4|#GADQN].

[Figure 1-4|#GADQN] shows a sample Directory Information Tree organized in a one-tiered hierarchy (default configuration).

h6. {anchor:GADQN} One-Tiered Hierarchy: Sample Directory Information Tree (default)
!CommSuite:Communications Suite Attachments^overviewda3.gif|alt="This figure shows a one-tiered hierarchy: sample directory information tree (default)."!

h5. {anchor:ACFBD} One-Tiered Hierarchy: Default Organization at the Root Suffix

When you run the configuration program, {{config-commda}}, you can choose to create the default organization at the root suffix instead of under it. For configuration details, see [Configuring the Delegated Administrator Server|CommSuite6:Delegated Administrator 6.4 Initial Configuration#acfcv]. In this situation, the Directory Information Tree will look similar to the one shown in [Figure 1-5|#GADQK].

However, if you create the default organization at the root suffix, this configuration of the LDAP directory cannot support multiple hosted domains. To support hosted domains, the default organization must be under the root suffix.

[Figure 1-5|#GADQK] shows a sample one-tiered hierarchy in which the default organization is created at the root suffix.

h6. {anchor:GADQK} One-Tiered Hierarchy: Default Organization at Root Suffix
!CommSuite:Communications Suite Attachments^overviewda7.gif|alt="This figure shows a one-tiered hierarchy: default organization at the root suffix."!

h4. {anchor:ACFBE} Directory Structure Supporting a Two-Tiered Hierarchy

After Delegated Administrator has been configured with the {{config-commda}} program, the TLA can create additional organizations, as shown in [Figure 1-6|#GADQR].

[Figure 1-6|#GADQR] shows a sample Directory Information Tree organized in a two-tiered hierarchy.

h6. {anchor:GADQR} Two-Tiered Hierarchy: Sample Directory Information Tree
!CommSuite:Communications Suite Attachments^overviewda2.gif|alt="This figure shows a two-tiered hierarchy: sample directory information tree."!

h4. {anchor:ACFBF} Top-Level Administrator Role

The TLA has the authority to perform the following tasks:
* Create, delete, and modify organizations.\\ \\In the example shown in [Figure 1-6|#GADQR], the TLA can modify or delete {{siroe.com}} or {{sesta.com}} and can create additional organizations.\\ \\Note that in this example, the two organizations are also unique (hosted) domains.
* Create, delete, and modify users.
* Create, delete, and modify groups.
* Create, delete, and modify Calendar resources.
* Assign OA roles to users. For example, the TLA could assign an OA role to the user {{johna}} in the {{siroe.com}} organization.\\ \\The TLA also can remove the OA role from a user.
* Assign TLA roles to other users. The TLA also can remove the TLA role from a user.
* Assign service packages to organizations.\\ \\For information about service packages, see [Service Packages].\\ \\The TLA can assign specified types of service packages to an organization and determine the maximum number of each package that can be used in that organization.\\ \\For example, the TLA could assign the following service packages:
** In the {{siroe.com}} organization:\\ {{1,000 gold packages}}\\ {{500 platinum packages}}
** In the {{sesta.com}} organization:\\ {{2,000 silver packages}}\\ {{1,500 gold packages}}\\ {{100 platinum packages}}

The TLA can perform the preceding tasks by using the Delegated Administrator console or by executing Delegated Administrator utility ({{commadmin}}) commands. For a description of the {{commadmin}} commands, see [Delegated Administrator Utility (commadmin) Reference].

h4. {anchor:ACFBG} Organization Administrator Role

The OA has the authority to perform the following tasks within the OA’s organization:
* Create, delete, and modify users.\\ \\In the example shown in [Figure 1-6|#GADQR], if the user {{johna}} is assigned the OA role in the {{siroe.com}} organization, {{johna}} can manage users in {{siroe.com}}.
* Create, delete, and modify groups.
* Create, delete, and modify Calendar resources.
* Assign the OA role to other users.
* Assign and remove service packages for users.

The OA cannot perform any of these tasks for users, groups, or resources outside the OA’s organization. For example, if {{johna}} is the OA for {{siroe.com}} in [Figure 1-6|#GADQR], {{johna}} cannot manage users, groups, or resources in {{sesta.com}}.

The OA can perform the preceding tasks by using the Delegated Administrator console or by executing Delegated Administrator utility ({{commadmin}}) commands. For a list of the {{commadmin}} commands available to the OA, see [Table 5-1|http://docs.sun.com/app/docs/doc/819-4438/6n6jdjbjf?a=view#gadrm]. For a description of these commands, see the [Delegated Administrator Utility (commadmin) Reference].

h2. {anchor:ACFBH} For Former Users of iPlanet Delegated Administrator

Communications Suite Delegated Administrator is designed for provisioning users in an LDAP Schema 2 directory. Users of previous versions of Messaging Server who have an LDAP Schema 1 directory may have used iPlanet Delegated Administrator, a deprecated tool. If you still have a Schema 1 directory, you should use iPlanet Delegated Administrator to provision users.

iPlanet Delegated Administrator uses slightly different terms for the administrator roles than those currently used by Communications Suite Delegated Administrator. [Table 1-1|#GADPS] lists and defines the administrator roles in each version of Delegated Administrator.

h6. {anchor:GADPS} Table 1-1 Administrator Roles in iPlanet Delegated Administrator and Communications Suite Delegated Administrator
||iPlanet Delegated Administrator||Communications Suite Delegated Administrator Utility||Communications Suite Delegated Administrator Console||Definition||
|Site Administrator|Top-Level Administrator (TLA)|Top-Level Administrator (TLA)|Manages the entire directory supported by Delegated Administrator, including the organizations and users\*.|
|(None)|(None in this release)|Service Provider Administrator (SPA)|Manages a provider organization, the shared and full business organizations under the provider organization, and users in those business organizations.|
|Domain Administrator|Organization Administrator (OA)|Organization Administrator (OA)|Manages one organization and the users in that organization.|

\* In this release of Delegated Administrator, the TLA cannot create provider organizations or business organizations under a provider organization.
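The following Python model is an added example, not Delegated Administrator's own code or API. It encodes the scope rules from the Top-Level Administrator Role and Organization Administrator Role sections above (a TLA acts on any organization; an OA acts only on users, groups, and resources inside its own organization) and the per-organization package caps the TLA sets, using the {{siroe.com}} and {{sesta.com}} figures from the service package example. The root suffix {{o=example}}, the {{ou=People}} container, and the DN layout are constructed placeholders, not the Schema 2 layout Delegated Administrator creates.

```python
"""Toy model of Delegated Administrator role scopes and service-package caps.
Added illustration only (not Delegated Administrator's code or API). The root
suffix o=example, the ou=People container and the DN layout are constructed
placeholders, not the real Schema 2 layout the product creates.
"""
from dataclasses import dataclass, field

# Actions reserved to the TLA: organization lifecycle and TLA role assignment.
ORG_ACTIONS = {"org:create", "org:delete", "org:modify", "role:assign-tla"}
# Actions an OA may also perform, but only inside the OA's own organization.
USER_ACTIONS = {"user:create", "user:delete", "user:modify", "group:modify",
                "resource:modify", "role:assign-oa", "package:assign"}


def dn_rdns(dn: str) -> tuple:
    """Split a DN into normalized RDNs, root first. Simplified: no escaped commas."""
    return tuple(part.strip().lower() for part in reversed(dn.split(",")))


def within(target_dn: str, scope_dn: str) -> bool:
    """True when target_dn is at or below scope_dn in the Directory Information Tree."""
    scope, target = dn_rdns(scope_dn), dn_rdns(target_dn)
    return target[:len(scope)] == scope


@dataclass
class Admin:
    uid: str
    role: str          # "TLA" or "OA"
    org_dn: str = ""   # the OA's own organization; unused for a TLA


@dataclass
class Organization:
    dn: str
    limits: dict = field(default_factory=dict)  # package type -> maximum set by the TLA
    used: dict = field(default_factory=dict)    # package type -> packages assigned so far


def authorize(admin: Admin, action: str, target_dn: str) -> bool:
    """TLA: any known action anywhere. OA: user-level actions inside its own organization."""
    if admin.role == "TLA":
        return action in ORG_ACTIONS | USER_ACTIONS
    if admin.role == "OA":
        return action in USER_ACTIONS and within(target_dn, admin.org_dn)
    return False


def assign_package(admin: Admin, org: Organization, user_dn: str, package: str) -> str:
    """Assign one service package to a user, enforcing admin scope and the org's cap."""
    if not authorize(admin, "package:assign", user_dn):
        return "denied: outside administrator scope"
    if not within(user_dn, org.dn):
        return "denied: user is not in this organization"
    limit = org.limits.get(package, 0)  # a type the TLA never granted has a cap of 0
    if org.used.get(package, 0) >= limit:
        return f"denied: {package} cap of {limit} reached in {org.dn}"
    org.used[package] = org.used.get(package, 0) + 1
    return "ok"
```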