I'm going to try to do my best to explain the current scenario and IF
IDM 3.7 Roles and whatnot can address:

1) As you may or may not be aware, you cannot use iManager RBS (Roles
based services) to set a 'scope' lower than an eDir container. In other
words you cannot say: You can only add/remove users from Group ABC.
You cannot do things like: can only change passwords for people in who
are in a group of XYZ or who have an attribute of XYZ

2) We have an O=ABC with an ou=users, and an ou=groups subcontainer.
However, the "users" container will contain potentially thousands of
users that may belong to multiple external accounts. So we don't want
the "admin" of say, "company ABC" to be able to manipulate ALL the users
that are in the .ou=users,o=ABC. ONLY the users that are in "their"
responsibility.

From what I vaguely remember, 3.7 Roles & Entitlements could handle:

a) User Account Creation (it goes to the appropriate person and we
could route it based upon say, requested access to a certain application
or security clearance requested)

b) User "manipulation" for things like changing their userid or
firstname/lastname or email address (again, only certain people should
be able to change their "respective" users). If we had 5 admins, each
one responsible for 5 diff. companies, they could only modify users who
say, had an attribute of CompanyA but not say, CompanyB.

c) User password changes. This is the big one. User needs to have
their password reset by an admin (for whatever reason). But we only can
have Admin-ABC change passwords for users in a group of say, ABC, or
users that have an attribute of say, Company ABC.

Is this possible?

With a "flat" tree?

If we need to further segregate the ou=users we can, but then if we do
that, can IDM ensure unique userid creation and formatting (all users
must be formatted with a certain naming convention) and "moving" the
accounts as necessary based upon whatever it is we need?

I don't expect to be able to do this "out of the box" and we'll
probably need integration help later, but I'm just getting the scope and
asking questions now.


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: http://forums.novell.com/member.php?userid=734
View this thread: http://forums.novell.com/showthread.php?t=394626