Thread: create groups but not users in a container ITCOM

  1. #1
    Greg Taylor NNTP User

    create groups but not users in a container ITCOM

    I have a group of users called deptadmins.

    We want them to perform certain actions in a container. We have decided
    against Console 1.
    I am trying to give them rights to change users' names, telephone
    numbers and group memberships; simple things, this went OK.
    My problem is that I do not want them to be able to create new users,
    but I do want them to be able to create groups. Is this possible? I
    have been trying with trustee of the object, and assigned rights; am I
    in the correct place?

    Thanks in advance Greg

  2. #2
    craig wilson NNTP User

    Re: create groups but not users in a container ITCOM

    This is not possible really w/o 3rd party tools such as DSRazor.

    There are ways to create Roles in iManager that may do this, but often
    this grants users permissions to do things outside of iManager (C1 for
    example) that you may not expect.


    Greg Taylor wrote:
    > I have a group of users called deptadmins.
    >
    > We want them to perform certain actions in a container. We have decided
    > against Console 1.
    > I am trying to give them rights to change users' names, telephone
    > numbers and group memberships; simple things, this went OK.
    > My problem is that I do not want them to be able to create new users,
    > but I do want them to be able to create groups. Is this possible? I
    > have been trying with trustee of the object, and assigned rights; am I
    > in the correct place?
    >
    > Thanks in advance Greg



    --
    Craig Wilson
    Novell Product Support Forum Sysop
    Master CNE, MCSE 2003, CCN

  3. #3
    Christine Malik NNTP User

    Re: create groups but not users in a container ITCOM

    We have different products that can handle this differently. Our DSMETER
    product allows you to create security granularity profiles to control which
    object classes certain users/groups/orgroles can create and/or delete. For
    each object class (user, group, printer, etc) you can specify whether they
    are allowed to create or delete or both or neither. Our DSRAZOR product
    allows you to give the helpdesk staff a custom EXE that only allows them to
    do the functions you want such as creating groups and changing user phone
    numbers. We offer personalized web demos where we can show you in your
    browser the features of both DSMETER and DSRAZOR to see which one may be a
    better fit for your overall needs. You can also get a 30-day evaluation of
    DSMETER or a 7-day evaluation of DSRAZOR from:
    http://www.visualclick.com/?source=060506objectclass


    "craig wilson" <craig_d_wilson@yahoo.com> wrote in message
    news:vCXgg.3803$8_3.1579@prv-forum2.provo.novell.com...
    > This is not possible really w/o 3rd party tools such as DSRazor.
    >
    > There are ways to create Roles in iManager that may do this, but often
    > this grants users permissions to do things outside of iManager (C1 for
    > example) that you may not expect.
    >
    >
    > Greg Taylor wrote:
    >> I have a group of users called deptadmins.
    >>
    >> We want them to perform certain actions in a container. We have decided
    >> against Console 1.
    >> I am trying to give them rights to change users' names, telephone numbers
    >> and group memberships; simple things, this went OK.
    >> My problem is that I do not want them to be able to create new users, but
    >> I do want them to be able to create groups. Is this possible? I have
    >> been trying with trustee of the object, and assigned rights; am I in the
    >> correct place?
    >>
    >> Thanks in advance Greg

    >
    >
    > --
    > Craig Wilson
    > Novell Product Support Forum Sysop
    > Master CNE, MCSE 2003, CCN




  4. #4
    David Gersic NNTP User

    Re: create groups but not users in a container ITCOM

    On Mon, 05 Jun 2006 13:55:14 GMT, Greg Taylor <taylorg@ilo.org> wrote:

    >My problem is that I do not want them to be able to create new users,
    >but I do want them to be able to create groups. Is this possible ?


    Nope. Not so far. eDirectory "Create" rights are for all object types. This is
    still something that Novell needs to do as an enhancement to eDirectory. Please
    go to the Enhancements Request web page and put in your vote for more granular
    ACLs to allow for things like "Create Group" or "Create All Except for User" to
    be set up in the directory.

    In the meantime, if you're using IDM2 or IDM3, I've been working on a set of
    IDM Policies you might find interesting. They won't stop the create, but they
    can be used to react to unauthorized creates to do something else (remove the
    account, disable the account, send email to your security officer, etc.). Post a
    query in the novell.support.identity-manager.engine-drivers newsgroup if you're
    interested in something like this.


    ---------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu

    I'm tired of receiving rubbish in my mailbox, so the E-mail address is
    munged to foil the junkmail bots. Humans will figure it out on their own.

  5. #5
    craig wilson NNTP User

    Re: create groups but not users in a container ITCOM

    Nice Idea David.

    David Gersic wrote:
    > On Mon, 05 Jun 2006 13:55:14 GMT, Greg Taylor <taylorg@ilo.org> wrote:
    >
    >> My problem is that I do not want them to be able to create new users,
    >> but I do want them to be able to create groups. Is this possible ?

    >
    > Nope. Not so far. eDirectory "Create" rights are for all object types. This is
    > still something that Novell needs to do as an enhancement to eDirectory. Please
    > go to the Enhancements Request web page and put in your vote for more granular
    > ACLs to allow for things like "Create Group" or "Create All Except for User" to
    > be set up in the directory.
    >
    > In the meantime, if you're using IDM2 or IDM3, I've been working on a set of
    > IDM Policies you might find interesting. They won't stop the create, but they
    > can be used to react to unauthorized creates to do something else (remove the
    > account, disable the account, send email to your security officer, etc.). Post a
    > query in the novell.support.identity-manager.engine-drivers newsgroup if you're
    > interested in something like this.
    >
    >
    > ---------------------------------------------------------------------------
    > David Gersic dgersic_@_niu.edu
    >
    > I'm tired of receiving rubbish in my mailbox, so the E-mail address is
    > munged to foil the junkmail bots. Humans will figure it out on their own.



    --
    Craig Wilson
    Novell Product Support Forum Sysop
    Master CNE, MCSE 2003, CCN

  6. #6
    Edward van der Maas NNTP User

    Re: create groups but not users in a container ITCOM

    Greg Taylor wrote:

    > I have a group of users called deptadmins.
    >
    > We want them to perform certain actions in a container. We have
    > decided against Console 1. I am trying to give them rights to
    > change users' names, telephone numbers and group memberships; simple
    > things, this went OK. My problem is that I do not want them to be
    > able to create new users, but I do want them to be able to create
    > groups. Is this possible? I have been trying with trustee of the
    > object, and assigned rights; am I in the correct place?


    As Craig already said, this is going to be tricky.
    Those deptadmins need create entry rights and therefore they will be
    able to create all objects. If you could live with that you can then
    give them the property rights to modify usernames, group membership etc.

    If you don't use ConsoleOne, what are you using then? You could do this
    with RBS and iManager.


    --
    Cheers,
    Edward

  7. #7
    David Gersic NNTP User

    Re: create groups but not users in a container ITCOM

    On Mon, 05 Jun 2006 17:15:14 GMT, "Christine Malik" <cmalik@visualclick.com>
    wrote:

    >We have different products that can handle this differently. Our DSMETER
    >product allows you to create security granularity profiles to control which


    Your web site doesn't say how it does this. Is DSMeter acting as a proxy, so
    that the helpdesk users actually have no rights to do anything? Or are you
    handling the eDirectory events and responding to them based on policy decisions?


    ---------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu

    I'm tired of receiving rubbish in my mailbox, so the E-mail address is
    munged to foil the junkmail bots. Humans will figure it out on their own.

  8. #8
    Wolfgang Schreiber NNTP User

    Re: create groups but not users in a container ITCOM

    As the other guys indicated correctly, this will not work in a straightforward
    way, since create rights do not differentiate between various object classes.

    Custom iManager tasks could be an easy workaround, but you'd have to make
    sure that users do not access the tree with other tools (security
    implemented in the application layer).

    Secure alternatives would be applications that act as a proxy for the user who
    requests the object creation, e.g.:
    * an IDM driver that reacts to custom events
    * an iManager custom Java plugin or other (Win/NW/UX) service that uses a
    proxy concept to create the group on behalf of the requesting person.

    Wolfgang

    "Greg Taylor" <taylorg@ilo.org> wrote in message
    news:6JWgg.3746$8_3.305@prv-forum2.provo.novell.com...
    > I have a group of users called deptadmins.
    >
    > We want them to perform certain actions in a container. We have decided
    > against Console 1.
    > I am trying to give them rights to change users' names, telephone numbers
    > and group memberships; simple things, this went OK.
    > My problem is that I do not want them to be able to create new users, but
    > I do want them to be able to create groups. Is this possible? I have been
    > trying with trustee of the object, and assigned rights; am I in the
    > correct place?
    >
    > Thanks in advance Greg




  9. #9
    Christine Malik NNTP User

    Re: create groups but not users in a container ITCOM

    The way DSMETER handles this is by being a second and more granular security
    check. First the eDir/NDS privileges are checked by NetWare itself - we
    assume these users will pass through that first security gate since you are
    giving them Create privileges to their own container. Next the request is
    handled by DSMETER.NLM which checks to see if there is a DSMETER Security
    Granularity profile defined that would affect this user (the profile can be
    defined for a user, a group of users, or an org role). If there is a
    DSMETER security granularity profile defined to indicate which object
    classes the user can create/delete, DSMETER checks to see if the type of
    object they are trying to create/delete is allowed by the profile or not.
    If it is not allowed, DSMETER.NLM kills the request. If DSMETER kills the
    request, you can have DSMETER log this event to a log file you can run
    reports on and/or send the user an error message (you can put in custom text
    of the error message). In general, DSMETER.NLM can record what your users
    are doing for auditing/accountability purposes (login/logout, file activity,
    object creation, rights changes, etc) and for certain tasks DSMETER.NLM can
    control/block what they do (examples: security granularity by object class
    and blocking writes or deletes of files such as blocking writing mp3 files
    to your servers). Please feel free to contact us in tech support to answer
    questions or show you a web demo. The tech support contact info is on our
    website:
    http://www.visualclick.com/?source=060506objectclass


    "David Gersic" <dgersic_@_niu.edu> wrote in message
    news:448482a5.21171833@support-forums.novell.com...
    > On Mon, 05 Jun 2006 17:15:14 GMT, "Christine Malik"
    > <cmalik@visualclick.com>
    > wrote:
    >
    >>We have different products that can handle this differently. Our DSMETER
    >>product allows you to create security granularity profiles to control
    >>which

    >
    > Your web site doesn't say how it does this. Is DSMeter acting as a proxy,
    > so
    > that the helpdesk users actually have no rights to do anything? Or are you
    > handling the eDirectory events and responding to them based on policy
    > decisions?
    >
    >
    > ---------------------------------------------------------------------------
    > David Gersic dgersic_@_niu.edu
    >
    > I'm tired of receiving rubbish in my mailbox, so the E-mail address is
    > munged to foil the junkmail bots. Humans will figure it out on their own.
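    The "second, more granular gate" Christine describes above, and the per-object-class create/delete profiles bound to a user, group or org role, can be modelled in a few dozen lines. The block below is an added illustration written for this thread; it is not DSMETER's code, not Novell's, and not anyone's posted code. The DNs, group memberships and profile contents are constructed, the user-then-group-then-role lookup order is an assumption, and a requester with no matching profile falls through untouched because, as the post says, the directory's own ACL check has already passed by the time this gate runs.

```python
"""Toy model of a per-object-class create/delete check layered on top of a
directory's own 'Create' entry rights.

Added illustration only (not DSMETER's or eDirectory's code). All names,
DNs and memberships below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Profile:
    """Security-granularity profile bound to one subject DN (user, group or org role).
    Object class names are compared case-insensitively, as LDAP does."""
    subject: str
    may_create: Set[str] = field(default_factory=set)
    may_delete: Set[str] = field(default_factory=set)


@dataclass
class Directory:
    """Minimal stand-in for the tree: group membership and org-role occupancy."""
    group_members: Dict[str, Set[str]]
    role_occupants: Dict[str, Set[str]]


@dataclass
class Request:
    requester: str      # DN of the authenticated user
    container: str      # DN of the container the object lives in
    object_class: str   # e.g. "User" or "Group"
    operation: str      # "create" or "delete"


def find_profile(user: str, directory: Directory,
                 profiles: List[Profile]) -> Optional[Profile]:
    """Resolve the profile that applies to `user`.

    Assumed precedence (not specified in the thread): a profile bound to the
    user directly wins over one bound to a group, which wins over an org role."""
    by_subject = {p.subject: p for p in profiles}
    if user in by_subject:
        return by_subject[user]
    for group, members in directory.group_members.items():
        if user in members and group in by_subject:
            return by_subject[group]
    for role, occupants in directory.role_occupants.items():
        if user in occupants and role in by_subject:
            return by_subject[role]
    return None


def second_gate(req: Request, directory: Directory, profiles: List[Profile],
                audit_log: List[str]) -> bool:
    """Return True to let the request through, False to kill it.

    Assumes the first gate (the directory's own ACL check on the container)
    already passed. A requester with no profile is not restricted further;
    every kill is written to `audit_log` so it can be reported on later."""
    profile = find_profile(req.requester, directory, profiles)
    if profile is None:
        return True
    allowed = profile.may_create if req.operation == "create" else profile.may_delete
    if req.object_class.lower() in {c.lower() for c in allowed}:
        return True
    audit_log.append(
        f"DENY {req.operation} objectClass={req.object_class} in {req.container} "
        f"by {req.requester} (profile={profile.subject})")
    return False


def run_demo() -> Tuple[List[bool], List[str]]:
    """Constructed scenario: deptadmins may create groups but nothing else."""
    directory = Directory(
        group_members={"cn=deptadmins,ou=itcom,o=example": {"cn=greg,ou=itcom,o=example"}},
        role_occupants={})
    profiles = [Profile(subject="cn=deptadmins,ou=itcom,o=example",
                        may_create={"Group"}, may_delete=set())]
    container = "ou=itcom,o=example"
    requests = [
        Request("cn=greg,ou=itcom,o=example", container, "Group", "create"),  # allowed
        Request("cn=greg,ou=itcom,o=example", container, "User", "create"),   # killed, logged
        Request("cn=admin,o=example", container, "User", "create"),           # no profile: passes
        Request("cn=greg,ou=itcom,o=example", container, "Group", "delete"),  # killed, logged
    ]
    audit_log: List[str] = []
    results = [second_gate(r, directory, profiles, audit_log) for r in requests]
    return results, audit_log


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions)
    for line in log:
        print(line)
```

    Note the design point the model makes visible: the profile is consulted only after the first gate has already granted "Create" on the container, so the gate adds restriction but never adds rights, and an account that no profile covers keeps exactly what the directory ACL gave it. That is also why the second gate has to run on every server that can service the write, which is the question David raises in the next post.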




  10. #10
    David Gersic NNTP User

    Re: create groups but not users in a container ITCOM

    On Tue, 06 Jun 2006 19:58:15 GMT, "Christine Malik" <cmalik@visualclick.com>
    wrote:

    >The way DSMETER handles this is by being a second and more granular security
    >check. First the eDir/NDS privileges are checked by NetWare itself - we
    >assume these users will pass through that first security gate since you are
    >giving them Create privileges to their own container. Next the request is
    >handled by DSMETER.NLM which checks to see if there is a DSMETER Security
    >Granularity profile defined that would affect this user (the profile can be
    >defined for a user, a group of users, or an org role).


    Cool. Thanks.

    So, one more follow up question: what do you do when the ring contains servers
    other than NetWare...?


    ---------------------------------------------------------------------------
    David Gersic dgersic_@_niu.edu

    I'm tired of receiving rubbish in my mailbox, so the E-mail address is
    munged to foil the junkmail bots. Humans will figure it out on their own.
