Defining roles with user classes

You can constrain roles based on user classes. User classes are defined by a specified LDAP property.

Before you begin

IBM® Rational® Asset Manager must be configured for integration with a Lightweight Directory Access Protocol (LDAP) repository. Additionally, the User's user class property on the Configuration page for the custom user registry must be set to the LDAP property to use when determining user classes. To learn more about integrating with an LDAP repository, see Configuring for LDAP integration.

To modify roles, you must be a community administrator or a repository administrator.

About this task

Typically, you restrict roles based on user classes for Signed-in users or for user groups.

Procedure

To create or edit a role for classes of users:

  1. Log into the Rational Asset Manager web client.
  2. Open the Administration page.
  3. Click the community name to modify the roles and permissions that are associated with those roles in that community.
  4. Click the Roles tab.
  5. Click the name of the role that you want to edit, or to create a role, click New Role. You cannot edit the built-in role of Administrator.
  6. On the Community Role page, describe the role:
    1. In the Name field, type a name for the role.
    2. In the Description field, type a description for the new role.
  7. In the Role Permissions section, select the permissions that this role assumes in this community.
  8. In the User Class Scopes section, constrain the role by matching against the user class property. Use the lists to define constraints; you can add as many constraints as needed to narrow the permissions in the role. Select At least one of the following constraints to apply the role when any single constraint that you defined matches, or select All of the following constraints to require that every constraint matches. For example, if the user class property is set to the company name stored in the LDAP repository, you can create a role with all permissions for the set of users whose company name exactly matches a particular text string.
  9. Click OK.

Example

Set the user class property to DN, the LDAP distinguished name. Edit a role and add a constraint under User Class Scopes so that the user class must end with c=us,o=example.com. This makes the role active only for users in the United States (c=us) whose distinguished name ends with c=us,o=example.com. The role is disabled for users with a different country in their distinguished name (for example, c=br).
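The following script is an added illustration, not code from Rational Asset Manager, of how the User Class Scopes evaluation in the procedure and the DN example above behave: the constraint operators ("equals", "ends with"), the "at least one" versus "all" modes, and the sample DNs are all constructed here. The ends-with comparison works on RDN boundaries, which is an assumption of this example rather than a documented behaviour of the product; it shows why a raw string suffix test would admit a DN such as one ending in dc=us,o=example.com.

```python
# Added example (not IBM's code): evaluates User Class Scope constraints as the
# procedure describes them, against constructed LDAP distinguished names.
from dataclasses import dataclass


@dataclass
class Constraint:
    op: str      # "equals" or "ends_with", the two forms the page's examples use
    value: str


def _rdns(dn: str) -> list[str]:
    # Split a DN into normalized RDNs: case-insensitive, surrounding spaces dropped.
    # Assumption: no escaped commas inside values, which is enough for this example.
    return [part.strip().lower() for part in dn.split(",")]


def matches(user_class: str, c: Constraint) -> bool:
    if c.op == "equals":
        return user_class.strip().lower() == c.value.strip().lower()
    if c.op == "ends_with":
        # Compare on RDN boundaries, not raw characters: a plain string suffix test
        # would let "cn=bob,dc=us,o=example.com" satisfy "ends with c=us,o=example.com".
        have, want = _rdns(user_class), _rdns(c.value)
        return len(have) >= len(want) and have[-len(want):] == want
    raise ValueError(f"unknown operator {c.op!r}")


def role_active(user_class: str, constraints: list[Constraint], mode: str) -> bool:
    """mode "any" = 'At least one of the following constraints';
    mode "all" = 'All of the following constraints'."""
    results = [matches(user_class, c) for c in constraints]
    if mode == "any":
        return any(results)
    if mode == "all":
        return all(results)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample DNs (user class property = DN) and the page's example constraint.
US_ONLY = [Constraint("ends_with", "c=us,o=example.com")]
SAMPLE_DNS = {
    "alice": "cn=alice,ou=eng,c=us,o=example.com",     # role active
    "bruno": "cn=bruno,ou=eng,c=br,o=example.com",     # different country: disabled
    "mallory": "cn=mallory,dc=us,o=example.com",       # passes a naive suffix test only
}

if __name__ == "__main__":
    for name, dn in SAMPLE_DNS.items():
        print(name, role_active(dn, US_ONLY, "any"))
```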
