| 23 | | There are currently 2900+ distinct EDIRrole values but most are flavors of the |
| 24 | | following: |
| 25 | | |
| 26 | | ADadmin # the ability to administer AD related attributes |
| 27 | | EDIRadmin # the ability to administer any self service attribute |
| 28 | | abideByFERPA # the ability to see FERPA protected student records |
| 29 | | deptAdmin<unitUIDpattern> # the ability to update unit records |
| 30 | | emailAdmin # the ability to administer email related attributes |
| 31 | | emplAdmin<unitUIDpattern> # the ability to update people records associated with unit |
| 32 | | helpDesk # the ability to perform restricted account management tasks |
| 33 | | phoneBook # the ability to administer phoneBook related attributes |
| 34 | | secretaryAdmin # the ability to administer the secretary attribute |
| 35 | | sponsorAccount # the ability to sponsor directory records (includes guest account creation) |
| 36 | | tklAdmin<TKLpattern> # the ability to update people records associated with TKL |
| | 24 | == EDIRrole General Groupings == |
| | 25 | There are currently 2900+ distinct EDIRrole values but most fall under the following general categories: |
| | 26 | ||= **EDIRrole Identity** =||= **Permissions Granted** =|| |
| | 27 | || ADadmin || Administration of AD related attributes || |
| | 28 | || EDIRadmin || Administration of any self service attribute || |
| | 29 | || abideByFERPA || View FERPA protected student records || |
| | 30 | || deptAdmin<unitUIDpattern> || Update unit records || |
| | 31 | || emailAdmin || Administration of email related attributes || |
| | 32 | || emplAdmin<unitUIDpattern> || Update people records associated with unit || |
| | 33 | || helpDesk || Perform restricted account management tasks || |
| | 34 | || phoneBook || Administration of phoneBook related attributes || |
| | 35 | || secretaryAdmin || Administration of the secretary attribute || |
| | 36 | || sponsorAccount || Sponsor directory records (includes guest account creation ) || |
| | 37 | || tklAdmin<TKLpattern> || Update people records associated with TKL || |
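Review bot: new line 36 carries a stray space inside the parenthetical, "(includes guest account creation )"; the old line 35 had "(includes guest account creation)", so the space was introduced in the conversion to the table and should be dropped. The rest of the table reads cleanly, though it would help the reader to say once, below the table, that `<unitUIDpattern>` and `<TKLpattern>` are placeholders for a unit-specific suffix rather than literal role names, since the table form no longer has the `#` comment style of the old list to hint at that.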
| 49 | | The iPlanet roles based on EDIRrole values come in two flavors: those that apply to |
| 50 | | people accessing other records and those that apply to resource accounts accessing |
| 51 | | other records. The iPlanet roles that govern people's access require that the person |
| 52 | | doing the accessing have a current job assignment. That helps insure that users |
| | 50 | == iPlanet Roles == |
| | 51 | The iPlanet roles based on EDIRrole values are divided into two categories: |
| | 52 | * those that apply to people accessing other records |
| | 53 | * those that apply to resource accounts accessing other records. |
| | 54 | |
| | 55 | The iPlanet roles that govern people's access require that the person |
| | 56 | requesting access have a current job assignment. That helps insure that users |
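Review bot: "insure" on new line 56 (carried over from old line 52) should be "ensure", since the sentence is about guaranteeing that the accessing person has a current job assignment, not about insurance. Minor: the two bullets on new lines 52 and 53 are punctuated inconsistently (only the second ends with a period); pick one style for the list.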
| 57 | | iplanet@egegik> cat role.EDIRadminRole.ldif |
| 58 | | dn: cn=EDIRadminRole,ou=people,dc=alaska,dc=edu |
| 59 | | objectclass: top |
| 60 | | objectclass: LDAPsubentry |
| 61 | | objectclass: nsRoleDefinition |
| 62 | | objectclass: nsComplexRoleDefinition |
| 63 | | objectclass: nsFilteredRoleDefinition |
| 64 | | cn: EDIRadminRole |
| 65 | | nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=EDIRadmin)(eduPersonAffiliation=Employee)(assignmentCount=*)(!(assignmentCount=0))) |
| 66 | | Description: filtered role for entities administering EDIR |
| 67 | | |
| | 61 | {{{ |
| | 62 | $ iplanet@egegik> cat role.EDIRadminRole.ldif |
| | 63 | dn: cn=EDIRadminRole,ou=people,dc=alaska,dc=edu |
| | 64 | objectclass: top |
| | 65 | objectclass: LDAPsubentry |
| | 66 | objectclass: nsRoleDefinition |
| | 67 | objectclass: nsComplexRoleDefinition |
| | 68 | objectclass: nsFilteredRoleDefinition |
| | 69 | cn: EDIRadminRole |
| | 70 | nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=EDIRadmin)(eduPersonAffiliation=Employee)(assignmentCount=*)(!(assignmentCount=0))) |
| | 71 | Description: filtered role for entities administering EDIR |
| | 72 | }}} |
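Review bot: new line 62 now reads "$ iplanet@egegik> cat ...", which doubles the prompt; `iplanet@egegik>` is already the user@host prompt, so the added "$ " should be removed (or the original prompt replaced with a bare "$", but not both). Wrapping the LDIF in `{{{ }}}` is the right call, since it keeps the long `nsRoleFilter` line from being reflowed. Unrelated to this change but worth a follow-up: `(EDIRROLE=*)` and `(EDIRrole=EDIRadmin)` name the same attribute (LDAP attribute types are case-insensitive), so the presence test is redundant with the equality test that follows it.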
| 71 | | iplanet@egegik> cat role.EDIRadminRole.resource.ldif |
| 72 | | dn: cn=EDIRadminRole,ou=resource,dc=alaska,dc=edu |
| 73 | | objectclass: top |
| 74 | | objectclass: LDAPsubentry |
| 75 | | objectclass: nsRoleDefinition |
| 76 | | objectclass: nsComplexRoleDefinition |
| 77 | | objectclass: nsFilteredRoleDefinition |
| 78 | | cn: EDIRadminRole |
| 79 | | nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=EDIRadmin)) |
| 80 | | Description: filtered role for resource entities administering EDIR |
| 81 | | |
| | 76 | {{{ |
| | 77 | $ iplanet@egegik> cat role.EDIRadminRole.resource.ldif |
| | 78 | dn: cn=EDIRadminRole,ou=resource,dc=alaska,dc=edu |
| | 79 | objectclass: top |
| | 80 | objectclass: LDAPsubentry |
| | 81 | objectclass: nsRoleDefinition |
| | 82 | objectclass: nsComplexRoleDefinition |
| | 83 | objectclass: nsFilteredRoleDefinition |
| | 84 | cn: EDIRadminRole |
| | 85 | nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=EDIRadmin))Description: filtered role for resource entities administering EDIR |
| | 86 | }}} |
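Review bot: new line 85 has the `nsRoleFilter` and `Description` attributes run together on one line, "nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=EDIRadmin))Description: filtered role for resource entities administering EDIR", whereas old lines 79 and 80 had them as two separate LDIF attribute lines. As written, "Description: filtered role ..." becomes part of the `nsRoleFilter` value, which is no longer a valid LDAP search filter, and the entry ends up with no `Description` attribute; anyone copying this block to recreate the resource role would get a role that does not grant the intended access. Split it back into
nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=EDIRadmin))
Description: filtered role for resource entities administering EDIR
Same doubled-prompt nit on new line 77 as in the people-role block.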