Friday, February 24, 2006

AM 6.x DIT

----------Role Management-----------------


(1) Add a static service role with no permissions


cn=ITStaticRole,o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=add
iplanet-am-role-aci-description=No Permission Description
iplanet-am-role-type=3
cn=ITStaticRole
objectClass=top
objectClass=iplanet-am-managed-role
objectClass=ldapsubentry
objectClass=nssimpleroledefinition
objectClass=nsmanagedroledefinition
objectClass=nsroledefinition


(2) Add the ITStatic administrative role with no permissions


cn=ITStaticAdminRole,o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=add
iplanet-am-role-aci-description=No Permission Description
iplanet-am-role-managed-container-dn=o=ITOrg,dc=jesswitch,dc=com
iplanet-am-role-type=2
cn=ITStaticAdminRole
objectClass=top
objectClass=iplanet-am-managed-role
objectClass=ldapsubentry
objectClass=nssimpleroledefinition
objectClass=nsmanagedroledefinition
objectClass=nsroledefinition


(3) Add a static service role with admin permissions


cn=ITStaticServiceAdminPermissionRole,o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=add
iplanet-am-role-aci-description=Organization Policy Admin Description
iplanet-am-role-type=3
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///ou=services,*o=ITOrg,dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "Organization Policy Admin Role access allow"; allow (all) roledn = "ldap:///cn=ITStaticServiceAdminPermissionRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///o=ITOrg,dc=jesswitch,dc=com")(targetfilter="(objectclass=sunismanagedorganization)")(targetattr = "sunRegisteredServiceName") (version 3.0; acl "Organization Policy Admin Role access allow"; allow (read,write,search) roledn = "ldap:///cn=ITStaticServiceAdminPermissionRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*o=ITOrg,dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "Organization Policy Admin Role access Auth Service deny"; deny (add,write,delete) roledn = "ldap:///cn=ITStaticServiceAdminPermissionRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///o=ITOrg,dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Organization Admin Role,o=ITOrg,dc=jesswitch,dc=com))))(targetattr = "*")(version 3.0; acl "Organization Policy Admin access allow"; allow (read,search) roledn = "ldap:///cn=ITStaticServiceAdminPermissionRole,o=ITOrg,dc=jesswitch,dc=com";)
cn=ITStaticServiceAdminPermissionRole
objectClass=top
objectClass=iplanet-am-managed-role
objectClass=ldapsubentry
objectClass=nssimpleroledefinition
objectClass=nsmanagedroledefinition
objectClass=nsroledefinition

o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=modify
inetDomainStatus=Active
o=ITOrg
objectClass=sunISManagedOrganization
objectClass=sunNameSpace
objectClass=top
objectClass=sunManagedOrganization
objectClass=organization

cn=ITStaticServiceAdminPermissionRole,o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=modify
iplanet-am-role-aci-description=Organization Policy Admin Description
iplanet-am-role-type=3
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///ou=services,*o=ITOrg,dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "Organization Policy Admin Role access allow"; allow (all) roledn = "ldap:///cn=ITStaticServiceAdminPermissionRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///o=ITOrg,dc=jesswitch,dc=com")(targetfilter="(objectclass=sunismanagedorganization)")(targetattr = "sunRegisteredServiceName") (version 3.0; acl "Organization Policy Admin Role access allow"; allow (read,write,search) roledn = "ldap:///cn=ITStaticServiceAdminPermissionRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*o=ITOrg,dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "Organization Policy Admin Role access Auth Service deny"; deny (add,write,delete) roledn = "ldap:///cn=ITStaticServiceAdminPermissionRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///o=ITOrg,dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Organization Admin Role,o=ITOrg,dc=jesswitch,dc=com))))(targetattr = "*")(version 3.0; acl "Organization Policy Admin access allow"; allow (read,search) roledn = "ldap:///cn=ITStaticServiceAdminPermissionRole,o=ITOrg,dc=jesswitch,dc=com";)
cn=ITStaticServiceAdminPermissionRole
objectClass=top
objectClass=iplanet-am-managed-role
objectClass=ldapsubentry
objectClass=nssimpleroledefinition
objectClass=nsmanagedroledefinition
objectClass=nsroledefinition
iplanet-am-role-display-options=actionpeoplecontainerproperties=viewproperties
iplanet-am-role-display-options=actionroleproperties=viewproperties
iplanet-am-role-display-options=actiongroupproperties=viewproperties
iplanet-am-role-display-options=actiongroupcontainerproperties=viewproperties
iplanet-am-role-display-options=actionorganizationalunitproperties=viewproperties
iplanet-am-role-display-options=actionpolicyproperties=fullaccessobject
iplanet-am-role-display-options=actionentityproperties=viewproperties
iplanet-am-role-display-options=actionserviceproperties=fullaccessobject
iplanet-am-role-display-options=actionorganizationproperties=viewproperties
iplanet-am-role-display-options=actionuserproperties=modifyproperties


(4) Add a filtered service role with no admin permissions (note: this entry's nsRoleFilter is (&(uid=*)(uid=inetuser)), not (objectclass=inetuser) as in roles 5 and 6, so it matches only an entry whose uid is literally "inetuser" — membership of a filtered role is computed from this filter, so the difference changes who holds the role)


cn=ITFilteredRole,o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=add
iplanet-am-role-aci-description=No Permission Description
iplanet-am-role-type=3
nsRoleFilter=(&(uid=*)(uid=inetuser))
cn=ITFilteredRole
objectClass=nsfilteredroledefinition
objectClass=nscomplexroledefinition
objectClass=top
objectClass=ldapsubentry
objectClass=iplanet-am-managed-filtered-role
objectClass=nsroledefinition
objectClass=iplanet-am-managed-role

(5) Add a filtered service role with admin permissions

cn=ITFilteredServiceAdminRole,o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=add
iplanet-am-role-aci-description=Organization Admin Description
iplanet-am-role-type=3
nsRoleFilter=(&(uid=*)(objectclass=inetuser))
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///cn=ITFilteredServiceAdminRole,o=ITOrg,dc=jesswitch,dc=com")(targetattr="*")(version 3.0; acl "S1IS Organization Admin Role access deny"; deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=ITFilteredServiceAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///o=ITOrg,dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com))))(targetattr = "nsroledn")(targattrfilters="add=nsroledn:(nsroledn=*,o=ITOrg,dc=jesswitch,dc=com),del=nsroledn:(nsroledn=*,o=ITOrg,dc=jesswitch,dc=com)")(version 3.0; acl "S1IS Organization Admin Role access allow"; allow (all) roledn = "ldap:///cn=ITFilteredServiceAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///o=ITOrg,dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com))))(targetattr != "nsroledn")(version 3.0; acl "S1IS Organization Admin Role access allow all"; allow (all) roledn = "ldap:///cn=ITFilteredServiceAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
cn=ITFilteredServiceAdminRole
objectClass=nsfilteredroledefinition
objectClass=nscomplexroledefinition
objectClass=top
objectClass=ldapsubentry
objectClass=iplanet-am-managed-filtered-role
objectClass=nsroledefinition
objectClass=iplanet-am-managed-role

o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=modify
inetDomainStatus=Active
o=ITOrg
objectClass=sunISManagedOrganization
objectClass=sunNameSpace
objectClass=top
objectClass=sunManagedOrganization
objectClass=organization


(6) Add a filtered administrative role

cn=ITFilteredAdminRole,o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=add
iplanet-am-role-aci-description=Organization Policy Admin Description
iplanet-am-role-managed-container-dn=o=ITOrg,dc=jesswitch,dc=com
iplanet-am-role-type=2
nsRoleFilter=(&(uid=*)(objectclass=inetuser))
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///o=ITOrg,dc=jesswitch,dc=com")(targetfilter="(objectclass=sunismanagedorganization)")(targetattr = "sunRegisteredServiceName") (version 3.0; acl "Organization Policy Admin Role access allow"; allow (read,write,search) roledn = "ldap:///cn=ITFilteredAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///o=ITOrg,dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Organization Admin Role,o=ITOrg,dc=jesswitch,dc=com))))(targetattr = "*")(version 3.0; acl "Organization Policy Admin access allow"; allow (read,search) roledn = "ldap:///cn=ITFilteredAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*o=ITOrg,dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "Organization Policy Admin Role access Auth Service deny"; deny (add,write,delete) roledn = "ldap:///cn=ITFilteredAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///ou=services,*o=ITOrg,dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "Organization Policy Admin Role access allow"; allow (all) roledn = "ldap:///cn=ITFilteredAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
cn=ITFilteredAdminRole
objectClass=nsfilteredroledefinition
objectClass=nscomplexroledefinition
objectClass=top
objectClass=ldapsubentry
objectClass=iplanet-am-managed-filtered-role
objectClass=nsroledefinition
objectClass=iplanet-am-managed-role

o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=modify
inetDomainStatus=Active
o=ITOrg
objectClass=sunISManagedOrganization
objectClass=sunNameSpace
objectClass=top
objectClass=sunManagedOrganization
objectClass=organization

cn=ITFilteredAdminRole,o=ITOrg,dc=jesswitch,dc=com
persistentSearch-changeType=modify
iplanet-am-role-aci-description=Organization Policy Admin Description
iplanet-am-role-managed-container-dn=o=ITOrg,dc=jesswitch,dc=com
iplanet-am-role-type=2
nsRoleFilter=(&(uid=*)(objectclass=inetuser))
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///o=ITOrg,dc=jesswitch,dc=com")(targetfilter="(objectclass=sunismanagedorganization)")(targetattr = "sunRegisteredServiceName") (version 3.0; acl "Organization Policy Admin Role access allow"; allow (read,write,search) roledn = "ldap:///cn=ITFilteredAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///o=ITOrg,dc=jesswitch,dc=com")(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Top-level Help Desk Admin Role,dc=jesswitch,dc=com)(nsroledn=cn=Organization Admin Role,o=ITOrg,dc=jesswitch,dc=com))))(targetattr = "*")(version 3.0; acl "Organization Policy Admin access allow"; allow (read,search) roledn = "ldap:///cn=ITFilteredAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*o=ITOrg,dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "Organization Policy Admin Role access Auth Service deny"; deny (add,write,delete) roledn = "ldap:///cn=ITFilteredAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
iplanet-am-role-aci-list=o=ITOrg,dc=jesswitch,dc=com:aci: (target="ldap:///ou=services,*o=ITOrg,dc=jesswitch,dc=com")(targetattr = "*") (version 3.0; acl "Organization Policy Admin Role access allow"; allow (all) roledn = "ldap:///cn=ITFilteredAdminRole,o=ITOrg,dc=jesswitch,dc=com";)
cn=ITFilteredAdminRole
objectClass=nsfilteredroledefinition
objectClass=nscomplexroledefinition
objectClass=top
objectClass=ldapsubentry
objectClass=iplanet-am-managed-filtered-role
objectClass=nsroledefinition
objectClass=iplanet-am-managed-role
iplanet-am-role-display-options=actionpeoplecontainerproperties=viewproperties
iplanet-am-role-display-options=actionroleproperties=viewproperties
iplanet-am-role-display-options=actiongroupproperties=viewproperties
iplanet-am-role-display-options=actiongroupcontainerproperties=viewproperties
iplanet-am-role-display-options=actionorganizationalunitproperties=viewproperties
iplanet-am-role-display-options=actionpolicyproperties=fullaccessobject
iplanet-am-role-display-options=actionentityproperties=viewproperties
iplanet-am-role-display-options=actionserviceproperties=fullaccessobject
iplanet-am-role-display-options=actionorganizationproperties=viewproperties
iplanet-am-role-display-options=actionuserproperties=modifyproperties


(7) Assign a service to a role
