You can constrain roles based on user classes. User classes
are defined by a specified LDAP property.
Before you begin
IBM® Rational® Asset Manager must
be configured for integration with a Lightweight Directory Access
Protocol (LDAP) repository. Additionally, the User's user
class property on the Configuration page
for the custom user registry must be set to the LDAP property to use
when determining user classes. To learn more about integrating with
an LDAP repository, see Configuring
for LDAP integration.
To modify roles, you must be a community administrator
or a repository administrator.
About this task
Typically, you restrict roles based on user classes for Signed-in
users or for user groups.
Procedure
To create or edit a role for classes of users:
- Log in to the Rational Asset Manager web client.
- Open the Administration page.
- Click the community name to modify the roles and permissions
that are associated with those roles in that community.
- Click the Roles tab.
- Click the name of the role that you want to edit, or to
create a role, click New Role. You
cannot edit the built-in role of Administrator.
- On the Community Role page, describe
the role:
- In the Name field, type a name
for the role.
- In the Description field, type
a description for the new role.
- In the Role Permissions section, select
the permissions that this role assumes in this community.
- In the User Class Scopes section, constrain the role by matching
against the user class property. Use the lists to create constraints.
You can apply as many constraints as needed to focus the permissions
in a role. To apply individual constraints from the list of constraints
that you defined, select At least one of the following constraints.
To apply all of the constraints that you defined, select All of the
following constraints. For example, if the user class property is set
to the company name stored in the LDAP repository, you can create a
role with all permissions for the set of users where the company name
is an exact match to a particular text string.
- Click OK.
Example
Set the user class property to DN, the LDAP distinguished name. Edit a
role and add a constraint under User Class Scopes so that the user class
must end with c=us,o=example.com. This makes the role active only for
users in the United States (c=us) whose distinguished name ends with
example.com. The role is disabled for users with a different country in
their distinguished name (for example, c=br).
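A sketch for checking a User Class Scopes constraint against sample distinguished names before saving the role, added here and not taken from Rational Asset Manager. This page does not state how the product compares the property value, so both matchers (plain string and RDN by RDN), the operator names and the sample DNs are assumptions.

```python
# Added example, not Rational Asset Manager code. The operator names and the
# two matchers below are assumptions modelled on the wording of this page.

def rdns(dn):
    """Split a DN on unescaped commas; lowercase and trim each RDN (simplified)."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        escaped = (ch == "\\") and not escaped
    parts.append(cur)
    out = []
    for part in parts:
        attr, _, value = part.partition("=")
        out.append(attr.strip().lower() + "=" + value.strip().lower())
    return out

def match_raw(op, user_class, value):
    """Plain string comparison of the property value."""
    return user_class == value if op == "equals" else user_class.endswith(value)

def match_rdn(op, user_class, value):
    """Compare whole RDNs, so a suffix can only start at a component boundary."""
    u, v = rdns(user_class), rdns(value)
    return u == v if op == "equals" else u[-len(v):] == v

def role_active(user_class, constraints, mode, match):
    """mode 'any': At least one of the following constraints; 'all': All of them."""
    hits = [match(op, user_class, value) for op, value in constraints]
    return any(hits) if mode == "any" else all(hits)

# Constructed sample DNs; the constraint is the one from the Example section.
CONSTRAINTS = [("ends with", "c=us,o=example.com")]
SAMPLE_DNS = [
    "uid=alice,ou=people,c=us,o=example.com",
    "uid=bruno,ou=people,c=br,o=example.com",
    "uid=carol,ou=people,C=US, O=Example.com",  # same suffix, other case and spacing
    "uid=dave,ou=people,dc=us,o=example.com",   # 'dc=us' ends with the text 'c=us'
]

def compare(dns=SAMPLE_DNS, constraints=CONSTRAINTS, mode="all"):
    """Return {dn: (raw_result, rdn_result)} so disagreements stand out."""
    return {dn: (role_active(dn, constraints, mode, match_raw),
                 role_active(dn, constraints, mode, match_rdn)) for dn in dns}
```

Where the two results differ for a DN that exists in your directory, adjust the constraint text and confirm the outcome with test accounts before relying on the role.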