Chapter 5 Security Configuration
Roles
Jaguar's authorization model is based on roles. Roles are defined in Jaguar Manager. Each role can include and exclude specific user names or digital IDs. If you use native operating system authentication, you can also include and exclude operating system group names; all users in the specified group are affected. To include or exclude a digital ID, it must appear in Security Manager's User Certificates folder or Other Certificates folder.
Roles are attached to Jaguar packages and components (roles can also be installed on individual methods). A package or component's roles control access as follows:
- If any roles are assigned to a package, the user must have all of these roles to use any component in the package.
- If any roles are assigned to a component, the user must have all of these roles to use the component.
- If roles are assigned to both a component and the package that contains it, the user must have all of the roles that are assigned to the package and all of the roles that are assigned to the component.
A package or component with no roles assigned has no access restrictions, so every authenticated client can use it; assign roles explicitly wherever access must be limited.
You must either refresh or restart Jaguar for any role changes to take effect; until you do, the server keeps enforcing the role definitions it loaded last.
Refreshing Jaguar
- Highlight the Roles folder.
- Select File | Refresh.
Defining a new role
- Highlight the Roles folder.
- Select File | New Role. Enter the required information in the subsequent dialog boxes:
  - New Role - the name of the role you are defining.
  - Description - the description, up to 255 characters, of the role.
  - Owner - the owner of the role.
Deleting an existing role
- Highlight the Roles icon. You see a list of existing roles.
- Highlight the role you want to delete.
- Select File | Delete Role. This option is available only to the owner of the role or to the jagadmin user.
- Click Yes to confirm deletion of the selected role.
Only the owner or a member of the Admin role can delete a role, except for the Admin role itself, which cannot be deleted. See "Admin role in Jaguar" for more information.
Modifying an existing role
- Highlight the Roles icon. You see a list of existing roles.
- Highlight the role you want to modify.
- Select File | Role Properties.
- Make your modifications and click OK.
Adding an existing role, or creating and adding a new role to a package, component, or method
- Double-click the icon for the package, component, or method to expand the folders beneath it. Highlight the Role Membership folder.
- Select File | Install Role. Then select one of the following options from the Role Wizard:
  - Install an Existing Role - a list of uninstalled roles appears in the dialog box. Highlight the role to be installed and click OK.
  - Create and Install a New Role - enter the name of the new role to be installed. Complete the role property sheet. The properties are described in "Defining a new role".
A package, component, or method with no roles or role memberships defined has no access restrictions: any authenticated client can invoke it. Because access is open until a role is installed, check the Role Membership folder of every package and component that exposes sensitive operations, and refresh or restart Jaguar after installing roles so that the new restrictions take effect.
Assigning users and groups to roles
Each role can include and exclude specific user names and digital IDs. If you use native operating system authentication, you can also include and exclude operating system group names; all users in the specified group are affected.
To assign authorized users to a role of a component or a package:
- Double-click the component or package to which the role belongs.
- Double-click the Roles icon.
- Double-click the role you want to add authorized users to.
- Highlight the Authorized User folder.
- Select File | Add Authorized User.
- Enter the name of the authorized user in the dialog box, and click Add Authorized User. On NT, you can provide the name of the domain as part of the authorized user name; for example, \\domain_name\user_name. The user is authenticated using the domain controller for that domain.
The user's name appears on the right side of the window when you highlight the Authorized Users folder.
To remove an existing authorized user, highlight the member and select File | Remove Member.
To assign authorized groups to a role of a component or a package:
- Double-click the component or package to which the role belongs.
- Double-click the Roles icon.
- Double-click the role you want to add authorized groups to.
- Highlight the Authorized Group folder.
- Select File | Add Authorized Group.
- Enter the name of the authorized group in the dialog box, and click Add Authorized Group.
The group's name appears on the right side of the window when you highlight the Authorized Groups folder.
To remove an existing authorized group, highlight the member and select File | Remove Member.
The users and groups of a role are mapped to operating system users and groups. To validate users and groups, click Enable User and Group Validation on the server's Security property sheet. You can only add validated groups to roles. When Enable User and Group Validation is disabled, package and component authorizations stop at the user level: there is no attempt to check group-level authorization, so a role whose members are all groups matches no caller, and a group-based exclusion has no effect. If you rely on group entries, whether for inclusion or for exclusion, make sure validation is enabled on every server that enforces the role.
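The access decision that the role rules earlier in this chapter describe, together with the effect of the Enable User and Group Validation setting just discussed, as an added example in Python. This is not Jaguar code or part of the original manual; it models the page's stated semantics (the caller must hold every role installed on the package and every role installed on the component, no roles means no restriction, and group entries are ignored when validation is off) over a constructed configuration. The role names, user names, group names and certificate subjects are invented, and the rule that an exclusion entry always beats an inclusion entry is an assumption the page does not state.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Set


@dataclass
class Role:
    """One Jaguar role: its included and excluded users, groups and digital IDs."""
    name: str
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    digital_ids: Set[str] = field(default_factory=set)
    excluded_users: Set[str] = field(default_factory=set)
    excluded_groups: Set[str] = field(default_factory=set)
    excluded_digital_ids: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Caller:
    """What the server knows about a connected client."""
    user: str
    groups: FrozenSet[str] = frozenset()   # OS groups; only consulted when validation is on
    digital_id: Optional[str] = None       # subject of the client certificate, if any


def has_role(caller: Caller, role: Role, group_validation: bool) -> bool:
    """True if the caller is a member of the role.

    Assumption (not stated on the page): an exclusion entry wins over any
    inclusion entry, so an excluded user gains nothing through a group.
    Group entries are skipped when Enable User and Group Validation is off,
    which is the page's "authorizations stop at the user level".
    """
    if caller.user in role.excluded_users:
        return False
    if caller.digital_id is not None and caller.digital_id in role.excluded_digital_ids:
        return False
    if group_validation and caller.groups & role.excluded_groups:
        return False
    if caller.user in role.users:
        return True
    if caller.digital_id is not None and caller.digital_id in role.digital_ids:
        return True
    if group_validation and caller.groups & role.groups:
        return True
    return False


def authorize(caller: Caller, package_roles: Iterable[str], component_roles: Iterable[str],
              roles: Dict[str, Role], group_validation: bool = True) -> bool:
    """Page's rules: the caller needs every role installed on the package and every
    role installed on the component; with no roles on either, access is open."""
    required = set(package_roles) | set(component_roles)
    if not required:
        return True
    return all(has_role(caller, roles[name], group_validation) for name in required)


# Constructed sample configuration (all names and certificate subjects are made up).
ROLES = {
    "Clerks": Role("Clerks", groups={"Accounting"}, excluded_users={"bob"}),
    "Auditors": Role("Auditors", users={"alice"},
                     digital_ids={"CN=Audit Terminal,O=Example"}),
}
FINANCE_PACKAGE_ROLES = ["Clerks"]       # installed on the package
LEDGER_COMPONENT_ROLES = ["Auditors"]    # installed on one component inside it

ALICE = Caller("alice", frozenset({"Accounting"}))
BOB = Caller("bob", frozenset({"Accounting"}))        # member of the group but excluded by name
CAROL = Caller("carol", frozenset({"Accounting"}))    # Clerks only, not an auditor
TERMINAL = Caller("svc-audit", frozenset({"Accounting"}), "CN=Audit Terminal,O=Example")


def decisions(group_validation: bool = True) -> Dict[str, bool]:
    """Access decisions for the Ledger component under the sample configuration."""
    return {
        name: authorize(c, FINANCE_PACKAGE_ROLES, LEDGER_COMPONENT_ROLES, ROLES, group_validation)
        for name, c in (("alice", ALICE), ("bob", BOB), ("carol", CAROL), ("terminal", TERMINAL))
    }


if __name__ == "__main__":
    print("validation on: ", decisions(True))
    print("validation off:", decisions(False))
    print("unrestricted:  ", authorize(CAROL, [], [], ROLES))
```

With validation on, alice and the audit terminal reach the Ledger component (both hold Clerks through the Accounting group and Auditors by name or certificate), carol is stopped by the component's Auditors role, and bob is stopped by his exclusion even though he is in the group. Turning validation off removes every group-derived membership, so nobody in this configuration holds Clerks any more and the whole package becomes unreachable; a component with no roles stays open in both modes.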
To assign authorized digital IDs (certificates) to a component or a package:
- Double-click the component or package to which the role belongs.
- Double-click the Roles icon.
- Double-click the role you want to add authorized digital IDs to.
- Highlight the Authorized Digital IDs folder.
- Select File | Add Authorized Digital ID.
- A list of digital IDs appears. Double-click the name of the digital ID that you want to authorize and click Add Authorized Digital ID.
Only certificates that appear in the Security Manager's User Certificates folder and Other Certificates folder can be authorized. This requires that you install the certificate using Security Manager. See "Installing and exporting certificates" for more information.
The digital ID's name appears on the right side of the window when the Authorized Digital IDs folder is highlighted.
To remove an existing authorized digital ID, highlight the member and select File | Remove Member.
You can verify, export, or view information about an authorized digital ID by highlighting the digital ID and selecting the corresponding option from the File menu. See "Certificate management" for more information about these options.
To exclude users from a component or a package:
- Double-click the component or package to which the role belongs.
- Double-click the Roles icon.
- Double-click the role you want to exclude users from.
- Highlight the Excluded User folder.
- Select File | Add Excluded User.
- Enter the name of the excluded user in the dialog box, and click Add Excluded User. On NT, you can provide the name of the domain as part of the excluded user name; for example, \\domain_name\user_name. The user is authenticated using the domain controller for that domain.
The user's name appears on the right side of the window when the Excluded Users folder is highlighted.
To remove an existing excluded user, highlight the member and select File | Remove Member.
To exclude groups from a component or a package:
- Double-click the component or package to which the role belongs.
- Double-click the Roles icon.
- Double-click the role you want to exclude groups from.
- Highlight the Excluded Group folder.
- Select File | Add Excluded Group.
- Enter the name of the excluded group in the dialog box, and click Add Excluded Group.
The group's name appears on the right side of the window when you highlight the Excluded Groups folder.
To remove an existing excluded group, highlight the member and select File | Remove Member.
To exclude digital IDs (certificates) from a component or a package:
- Double-click the component or package to which the role belongs.
- Double-click the Roles icon.
- Double-click the role you want to exclude digital IDs from.
- Highlight the Excluded Digital IDs folder.
- Select File | Add Excluded Digital ID.
- A list of digital IDs appears. Double-click the name of the digital ID that you want to exclude and click Add Excluded Digital ID.
Only certificates that appear in the Security Manager's User Certificates folder and Other Certificates folder can be excluded. This requires you to install the certificate using Security Manager. See "Installing and exporting certificates" for more information.
The digital ID's name appears on the right side of the window when the Excluded Digital IDs folder is highlighted.
To remove an existing excluded digital ID, highlight the member and select File | Remove Member.
You can verify, export, or view information about an excluded digital ID by highlighting the digital ID and selecting the corresponding option from the File menu. See "Certificate management" for more information about these options.
Admin role in Jaguar
Every Jaguar server contains an Admin package and an Admin role. You must be a member of the Admin role to run Jaguar Manager or Security Manager.
Initially, only jagadmin is a member of this role. The jagadmin user can set up additional members.
Other Admin package and Admin role characteristics are:
- When you create a new server, an Admin role and package are also created.
- You cannot modify the Admin package. The Admin package lists only Admin role members; it does not list any components.
- Jaguar Manager enforces read-only permissions for users who are not members of the Admin role. The install, modify, and delete options are enabled for Admin role members only.
Copyright © 2000 Sybase, Inc. All rights reserved.