Administrative Roles
While configuring an administrative group member, the root administrator has to explicitly assign an administrative role to the member.
The roles that can be assigned to an administrative member are given below:
- Audit administrator (AuditAdmin) - Members of the administrative
group who are assigned the Audit Administrator role have unrestricted
access to:
- Audit log
- All other server logs
- Default log management settings (cn=Default, cn=Log Management, cn=Configuration)
- Directory Data Administrator (DirDataAdmin) - Members of the administrative group who are assigned this role will gain unrestricted access to all the entries in the RDBM back-end. However, for setting the password attribute of RDBM entries, members will still have to follow the usual password policy rules that are in effect.
- No administrator (NoAdmin) - If the root administrator assigns No Administrator role to the configuration file users, then the users will cease to have any administrative privileges. By defining this role the root administrator can revoke all the administrative privileges of an administrative group member
- Password administrator (PasswordAdmin) - Members of the administrative group who are assigned the Password Administrator role are authorized to unlock other user's accounts or change passwords of users in RDBM back-end. However they are not authorized to change passwords of Global Administrative Group Member accounts although they can unlock their accounts. Also, they are not restrained by password policy constraints that are set on the server. They can also add and delete the userpassword field of entries in RDBM back-end but are not allowed to make changes to users defined in the configuration file. The changes made by users who are assigned this role are not affected by ACLs. However, when users change their own password, the usual administration password policy rules will apply to the new password.
- Replication administrator (ReplicationAdmin) - Members of the administrative group who are assigned the Replication Administrator role are authorized to update replication topology objects. The changes made by members with this role are not affected by ACLs or any other configuration file settings.
- Schema administrator (SchemaAdmin) - Members of the administrative group who are assigned the Schema Administrator role have unrestricted access to schema back-end only.
The following table gives cross references of various extended operations that administrative group members are allowed to issue.
| Extended Operations | Audit Admin | Directory Data Admin | Replication Admin | Schema Admin | Password Admin | No Admin |
|---|---|---|---|---|---|---|
| Start TLS - Request to start Transport Layer Security. OID = 1.3.6.1.4.1.1466.20037 | Yes | Yes | Yes | Yes | Yes | Yes |
| Event Registration - Request registration for events in SecureWay® V3.2 Event support. OID = 1.3.18.0.2.12.1 | Yes | Yes | Yes | Yes | Yes | Yes |
| Event Unregister - Request Unregister for events that were registered for using an Event Registration Request. OID = 1.3.18.0.2.12.3 | Yes | Yes | Yes | Yes | Yes | Yes |
| Begin Transaction - Begin a Transactional context for SecureWay V3.2. OID = 1.3.18.0.2.12.5 | Yes | Yes | Yes | Yes | Yes | Yes |
| End Transaction - End Transactional context (commit/rollback) for SecureWay V3.2. OID = 1.3.18.0.2.12.6 | Yes | Yes | Yes | Yes | Yes | Yes |
| Cascading Control Replication - This operation performs the requested action on the server it is issued to and cascades the call to all consumers beneath it in the replication topology. OID = 1.3.18.0.2.12.15 | No | Yes | Yes | No | No | No |
| Control Replication - This operation is used to force immediate replication, suspend replication, or resume replication by a supplier. This operation is allowed only when the client has update authority to the replication agreement. OID = 1.3.18.0.2.12.16 | No | Yes | Yes | No | No | No |
| Control Replication Queue - This operation marks items as "already replicated" for a specified agreement. This operation is allowed only when the client has update authority to the replication agreement. OID = 1.3.18.0.2.12.17 | No | Yes | Yes | No | No | No |
| Quiesce or Unquiesce Server - This operation puts the subtree into a state where it does not accept client updates (or terminates this state), except for updates from clients authenticated as directory administrators where the Server Administration control is present. OID = 1.3.18.0.2.12.19 | No | Yes | Yes | No | No | No |
| Clear Log Request - Request to Clear log file. OID = 1.3.18.0.2.12.20 | Yes | No | No | No | No | No |
| Get Lines Request - Request to get lines from a log file. OID = 1.3.18.0.2.12.22 | Yes | Yes | Yes | Yes | Yes | No |
| Number of Lines Request - Request number of lines in a log file. OID = 1.3.18.0.2.12.24 | Yes | Yes | Yes | Yes | Yes | No |
| Update Configuration Request - Request to update server configuration for IBM Directory Server. OID = 1.3.18.0.2.12.28 | Yes | No | Yes | No | No | No |
| DN Normalization Request - Request to normalize a DN or a sequence of DNs. OID = 1.3.18.0.2.12.30 | Yes | Yes | Yes | Yes | Yes | Yes |
| Kill Connection Request - Request to kill connections on the server. The request can be to kill all connections or kill connections by bound DN, IP, or a bound DN from a particular IP. OID = 1.3.18.0.2.12.35 | No | Yes | No | No | No | No |
| User Type Request - Request to get the User Type of the bound user. OID = 1.3.18.0.2.12.37 | Yes | Yes | Yes | Yes | Yes | Yes |
| Group Evaluation - This operation is used in a distributed directory environment to determine all groups that a particular DN is a member of. OID = 1.3.18.0.2.12.50 | No | Yes | No | No | No | No |
| Topology Replication - This operation is used to replicate the objects that define the topology of a particular replication context, such as the replication agreements for that context. Any user with update rights to the Replication Group Entry of the context is allowed to issue this extended operation. OID = 1.3.18.0.2.12.54 | No | Yes | Yes | No | No | No |
| Event Update - Request to reinitialize the event notification configuration (this operation can only be initiated by the server, not any user). OID = 1.3.18.0.2.12.31 | No | No | No | No | No | No |
| Log Access Update - Request to reinitialize the log access plugin configuration (this operation can only be initiated by the server, not any user). OID = 1.3.18.0.2.12.32 | No | No | No | No | No | No |
| Unique Attributes - Request to get the duplicate values for an attribute. OID = 1.3.18.0.2.12.44 | No | Yes | No | No | No | No |
| Account Status - This operation is used to determine if an account is locked by password policy. OID = 1.3.18.0.2.12.58 | No | Yes | No | No | No | No |
| Get Attributes Type - Request attributes types. OID = 1.3.18.0.2.12.46 | No | Yes | No | Yes | No | No |
The following table gives cross references of various objects that different administrative group members are allowed to access.
| Audit Settings / Audit logs | RDBM Backend | Replication Objects | Schema Backend | Configuration Backend | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Read | Write | Read | Write | Read | Write | Read | Write | Read | Write | |
| Audit Administrator | Yes | Yes | No** | No | No** | No | Yes | No | Yes | No |
| Directory Data Administrator | No | No | Yes | Yes | Yes | Yes | Yes | No | Yes | No |
| Replication Administrator | No | No | No** | No** | Yes | Yes | Yes | No | Yes | No |
| Schema Administrator | No | No | No** | No | No** | No | Yes | Yes | Yes | No |
| Password Administrator | No | No | No** | Yes** | No** | No | Yes | No | Yes | No |
| No Administrator | No | No | No** | No** | No | No | Yes | No | Yes | No |
- ** - For access to these objects the administrative roles give no special authority, but the user may still have access through normal ACL evaluation.
Note: Proxy will treat the admin group members having any administrative
role as anonymous and will accordingly apply access rules.