Use of Delegated Administrator by users with restricted roles

I am using Delegated Administrator to manage my Messaging Server 6.1 user accounts.

I would like to delegate management of the groups I have in Directory Server 5.2 (under ou=Groups,o=mydomain.com,dc=MyEnterprise) to those users to whom I have assigned the group admin role for the respective groups.

However, when these users try to log in to DA from the DA Console, they receive the message that they have insufficient permissions to access the application (the DA application class, I suppose?).

I don't want to assign the "Organization Admin" role to these users; it's too powerful.

Is there an easy way out of this or do I have to define a new ACI and assign to a new role which I would then assign to my designated group admins in order for them to use DA console?

By edepas at 2007-11-26 10:55:07
# 1
You might want to start looking at the documentation, here: http://docs.sun.com/app/docs/doc/819-2658/6n4uc226i?a=view
jay_plesset at 2007-7-7 3:08:17
# 2
A quick browse through the content at that link suggests that shared organizations might do the trick. I'll try it out and refer back. Your insight is remarkable, Jay - thank-you.
edepas at 2007-7-7 3:08:17
# 3

The division of a namespace into shared organizations isn't realistic in my scenario. I don't want to create an organization each time I create a mailing list. In any case, any one user might belong to more than one mailing list - does it make sense to have a particular user in more than one organization? Even if it can be implemented, it's not very intuitive.

What I need to do is to delegate administration of mailing lists to the user identified by the owner attribute of the mailing list - that this user can run Delegated Administrator Console to achieve the task?

Can this be done without bending over backward?

edepas at 2007-7-7 3:08:17
# 4
At the moment, with the current product, what you see is about what there is. End-user control of mailing lists didn't make it into the current DA. It is on the map for inclusion, though I can't say if it'll make it into 6.3 (due out maybe January)...
jay_plesset at 2007-7-7 3:08:17
# 5

I don't intend to thrash a dead horse - I just want to make sure I'm understanding clearly:

Is there no way to delegate management of mailing lists to the list owner (such that the owner can add, remove users from the list) by using a GUI-tool?

I don't need explicit details - just pointers to documentation would be fine. Sun doc 819-2650 is so poor in this respect - it just has an "Appendix C" that starts off with a bold caps deterrent - then refers you to doc 819-2658, which deals only with TLA, OA and SPA roles. These roles are too powerful in permissions yet too limited in granularity of scope.

edepas at 2007-7-7 3:08:17
# 6
At this moment, with the current release of DA, we have no facility to allow any end-user management of mailing lists. You can certainly roll your own; it's all just LDAP entries...
jay_plesset at 2007-7-7 3:08:17
# 7

Bear with me one post longer - is the idea generally that of:

1. creating a role;

2. assigning the appropriate ACIs to this role;

3. assigning the role to the designated mailing list manager;

4. instructing the user to log in using DA Console to carry out the mailing-list management.

Or is it the Access Manager console in step 4? Or is it writing a Java application that does the job?

In any case, thank-you for your input and your patience.

edepas at 2007-7-7 3:08:17
# 8

I really can't answer the question, as asked.

DA is just a bunch of servlets sitting on a web server. Access Manager is also a bunch of servlets running on a web server.

You can write anything you like, using any tools you like; as long as what you do fiddles LDAP correctly, it'll be fine.

You can use PerLDAP, servlets, ldapmodify in a wrapper, whatever...

I don't think that anybody has customized DA to do what you're looking for. It's not really in the tool, at present. End users cannot log into DA. It's an administration tool, not a user tool.

jay_plesset at 2007-7-7 3:08:17
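As an added illustration of the "roll your own, it's all just LDAP entries" route Jay describes (this is not code from the thread or from Sun's product), here is a Directory Server 5.2-style ACI that lets the DN named in a list's owner attribute change only that list's membership, together with the "ldapmodify in a wrapper" idea from post #8. The host name, the membership attribute names (uniqueMember, mgrpRFC822MailMember), the object classes in the target filter and the password-prompting behaviour of `-w -` are assumptions to check against your own schema and tools.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: lists live under the
# ou=Groups base from the question, membership is held in uniqueMember
# (mgrpRFC822MailMember for mail groups), each list has an "owner"
# attribute, and Sun Directory Server's ldapmodify is on PATH.

GROUPS_BASE='ou=Groups,o=mydomain.com,dc=MyEnterprise'
LDAP_HOST=${LDAP_HOST:-ldap.mydomain.com}   # placeholder host name
LDAP_PORT=${LDAP_PORT:-389}

# LDIF that adds one ACI to the groups container. The bind rule
# userattr="owner#USERDN" holds only when the bound DN equals the target
# entry's own "owner" value, so each owner reaches only their own list;
# targetattr confines the grant to membership attributes (no rename, no
# delete, no change of owner). The ACI stays on one line on purpose:
# folding it in LDIF would need a leading space on each continuation line.
owner_aci_ldif() {
  cat <<EOF
dn: $GROUPS_BASE
changetype: modify
add: aci
aci: (targetattr = "uniqueMember || mgrpRFC822MailMember")(targetfilter = "(|(objectClass=groupOfUniqueNames)(objectClass=inetMailGroup))")(version 3.0; acl "list owner manages own members"; allow (write) userattr = "owner#USERDN";)
EOF
}

# LDIF for one membership change. Only add/delete of uniqueMember is
# produced, so a wrapper built on this cannot be steered into other edits.
list_member_ldif() {
  op=$1 list_dn=$2 member_dn=$3
  case $op in
    add|delete) ;;
    *) echo "op must be add or delete" >&2; return 1 ;;
  esac
  printf 'dn: %s\nchangetype: modify\n%s: uniqueMember\nuniqueMember: %s\n' \
    "$list_dn" "$op" "$member_dn"
}

# Apply a membership change bound as the list owner (assumed: -w - prompts
# for the password, as Sun's ldapmodify does).
# usage: list_member add|delete <list-dn> <member-dn> <owner-dn>
list_member() {
  command -v ldapmodify >/dev/null || { echo "ldapmodify not found" >&2; return 1; }
  list_member_ldif "$1" "$2" "$3" |
    ldapmodify -h "$LDAP_HOST" -p "$LDAP_PORT" -D "$4" -w -
}
```

The ACI is added once by the directory administrator (`owner_aci_ldif | ldapmodify -D "cn=Directory Manager" ...`); the owners then run the wrapper bound as themselves, which is what replaces the DA Console login that post #8 says is not available to end users.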