Using Roles
Example: Nested Role Definition

You want to create a role that contains both the marketing staff and sales managers contained by the roles you created in the previous examples. The nested role you created using ldapmodify appears as follows:

dn: cn=MarketingSales,ou=people,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
cn: MarketingSales
nsRoleDN: cn=SalesManagerFilter,ou=people,dc=example,dc=com
nsRoleDN: cn=Marketing,ou=people,dc=example,dc=com

Notice the nsNestedRoleDefinition object class inherits from the LDAPsubentry, nsRoleDefinition, and nsComplexRoleDefinition object classes. The nsRoleDN attributes contain the DN of the marketing managed role and the sales managers filtered role.

Both of the users in the previous examples, Bob and Pat, would be members of this new nested role.

Using Roles Securely

Not every role is suitable for use in a security context. When creating a new role, consider how easily the role can be assigned to and removed from an entry. Sometimes it is appropriate for users to be able to add or remove themselves easily from a role. For example, if you had an interest group role called Mountain Biking, you would want interested users to add themselves or remove themselves easily.

However, in some security contexts, it is inappropriate to have such open roles. Consider account inactivation roles. By default, account inactivation roles contain ACIs defined for their suffix. When creating a role, the server administrator decides whether a user can assign themselves to or remove themselves from the role.

180
Red Hat Directory Server Administrator's Guide • May 2005
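To make the nested role example above concrete, here is an added Python example (not code from the Directory Server guide or product) that resolves role membership from LDIF text the way the guide describes: a managed role's members are the entries that carry its DN in their own nsRoleDN, a filtered role's members are the entries matching its nsRoleFilter, and a nested role's members are the union of the roles its nsRoleDN values point to. Only the MarketingSales entry is taken from the page; the Marketing and SalesManagerFilter definitions, the filter value, and the Bob and Pat user entries are assumptions standing in for the guide's earlier examples. The filter evaluator is deliberately simplified to a single attr=value equality, and role definition entries (LDAPsubentry) are never counted as members.

```python
"""Resolve Directory Server role membership from LDIF text.

Added example, not code from the Red Hat Directory Server guide. It models
the guide's three role types (managed, filtered, nested) over constructed
entries; only the MarketingSales entry is taken from the page, the rest are
assumptions. nsRoleFilter is evaluated as a single equality test only.
"""

# Constructed sample data (assumed, except the MarketingSales nested role).
SAMPLE_LDIF = """\
dn: cn=Marketing,ou=people,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsManagedRoleDefinition
cn: Marketing

dn: cn=SalesManagerFilter,ou=people,dc=example,dc=com
objectclass: LDAPsubentry
objectclass: nsFilteredRoleDefinition
cn: SalesManagerFilter
nsRoleFilter: o=sales managers

dn: cn=MarketingSales,ou=people,dc=example,dc=com
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsNestedRoleDefinition
cn: MarketingSales
nsRoleDN: cn=SalesManagerFilter,ou=people,dc=example,dc=com
nsRoleDN: cn=Marketing,ou=people,dc=example,dc=com

dn: cn=Bob,ou=people,dc=example,dc=com
cn: Bob
nsRoleDN: cn=Marketing,ou=people,dc=example,dc=com

dn: cn=Pat,ou=people,dc=example,dc=com
cn: Pat
o: sales managers
"""


def parse_ldif(text):
    """Minimal LDIF parser (no continuation lines, no base64 values).
    Returns {dn_lowercase: {attr_lowercase: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                      # blank line ends the entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def matches_filter(entry, ldap_filter):
    """Simplified nsRoleFilter: one attr=value equality, case-insensitive."""
    attr, sep, wanted = ldap_filter.strip().strip("()").partition("=")
    if not sep or "(" in wanted:
        raise ValueError("unsupported filter: %s" % ldap_filter)
    return any(v.lower() == wanted.strip().lower()
               for v in entry.get(attr.strip().lower(), []))


def role_members(entries, role_dn, _seen=None):
    """DNs of the entries that belong to role_dn (managed, filtered or nested).
    Role definitions (LDAPsubentry) never count as members; _seen stops a
    nested role that references itself from recursing forever."""
    role_dn = role_dn.lower()
    _seen = set() if _seen is None else _seen
    if role_dn in _seen:
        return set()
    _seen.add(role_dn)
    role, kinds = entries[role_dn], classes(entries[role_dn])
    candidates = {dn: e for dn, e in entries.items() if "ldapsubentry" not in classes(e)}
    members = set()
    if "nsmanagedroledefinition" in kinds:       # entries naming this role in nsRoleDN
        members |= {dn for dn, e in candidates.items()
                    if role_dn in (v.lower() for v in e.get("nsroledn", []))}
    if "nsfilteredroledefinition" in kinds:      # entries matching nsRoleFilter
        for flt in role.get("nsrolefilter", []):
            members |= {dn for dn, e in candidates.items() if matches_filter(e, flt)}
    if "nsnestedroledefinition" in kinds:        # union of the referenced roles
        for sub in role.get("nsroledn", []):
            members |= role_members(entries, sub, _seen)
    return members


def member_names(text, role_dn):
    """Sorted cn values of the role's members, from LDIF text."""
    entries = parse_ldif(text)
    return sorted(entries[dn]["cn"][0] for dn in role_members(entries, role_dn))
```

Calling member_names(SAMPLE_LDIF, "cn=MarketingSales,ou=people,dc=example,dc=com") yields both Bob (via the managed role) and Pat (via the filtered role), matching the guide's statement. Excluding LDAPsubentry entries from the candidate set matters: the MarketingSales definition itself carries nsRoleDN: cn=Marketing,..., and without that exclusion a naive resolver would report the nested role as a member of the managed role.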