Setting up a DN reference attribute
A REST resource type can reference or edit other REST resource types based on a distinguished name (DN) without the full DN value. The following task, performed by the system administrator, grants the Delegated Admin administrator this ability.
About this task
In this task, the Delegated Admin attribute used for reference must be in DN syntax, such as manager, entryDN, or seeAlso.
Steps
- To use a resource type for DN reference:
  Choose from:
  - Use an existing REST resource type.
  -
- To add a reference Delegated Admin attribute, run dsconfig with the create-delegated-admin-attribute option using the following syntax.
  Example:
      dsconfig create-delegated-admin-attribute \
        --type-name users \
        --attribute-type <attribute of DN syntax> \
        --set "display-name:<display name>" \
        --set display-order-index:<> \
        --set reference-resource-type:<rest-resource-type>
  Example:
  The following example uses the values from Creating and configuring a new REST resource type:
      dsconfig create-delegated-admin-attribute \
        --type-name users \
        --attribute-type manager \
        --set "display-name:Select Manager" \
        --set display-order-index:4 \
        --set reference-resource-type:Managers
Creating and configuring a new REST resource type
You can create and configure a new REST resource type in order to set up a reference delegated admin attribute.
About this task
To set up a reference delegated admin attribute, you must have a REST resource type defined and configured.
This example task creates a new REST resource type called Managers.
Steps
- To create the new REST resource type, run dsconfig with the create-rest-resource-type option.
  Example:
  In the following example, the new resource type of Managers is created:
      dsconfig create-rest-resource-type \
        --type-name Managers \
        --type user \
        --set 'description:Rest type for users who are managers\n\It is used as reference type for the field Manager.' \
        --set enabled:true \
        --set resource-endpoint:managers \
        --set structural-ldap-objectclass:inetOrgPerson \
        --set search-base-dn:dc=example,dc=com \
        --set "include-filter:(employeeType=manager)" \
        --set parent-dn:ou=people,dc=example,dc=com \
        --set create-rdn-attribute-type:uid \
        --set display-name:Managers \
        --set 'search-filter-pattern:(|(cn=%%)(mail=%%)(uid=%%)(sn=%%))' \
        --set primary-display-attribute-type:cn
- To add Delegated Admin attributes for the resource type, run dsconfig with the create-delegated-admin-attribute option.
  Example:
  The following example adds Delegated Admin attributes for the Managers resource type:
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type cn --set "display-name:Full Name"
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type uid --set "display-name:Manager ID"
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type mail --set display-name:Email
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type employeeType --set "display-name:Employee Type (must be manager)"
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type sn --set "display-name:Last name"
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type givenName --set "display-name:First Name"
- To distinguish your resource type from other resources, run dsconfig with the create-delegated-admin-attribute option.
  Example:
  In the following example, Managers are distinguished from other users using the employeeType attribute:
      dsconfig create-delegated-admin-attribute \
        --type-name users \
        --attribute-type employeeType \
        --set "display-name:Employee type (manager, other)" \
        --set display-order-index:4
- To add Delegated Admin resource rights to your set of existing Delegated Admin rights, run dsconfig with the create-delegated-admin-resource-rights option.
  Example:
  In the following example, Delegated Admin administrators are granted the reference Admin Permission for the Managers REST resource type to allow viewing access:
      dsconfig create-delegated-admin-resource-rights \
        --rights-name <existing-rights-name> \
        --rest-resource-type Managers \
        --set enabled:true \
        --set admin-permission:reference \
        --set admin-scope:all-resources-in-base
  Example:
  In the following example, Delegated Admin administrators are granted the read and update Admin Permissions for the Managers REST resource type to allow edit access:
      dsconfig create-delegated-admin-resource-rights \
        --rights-name DArights \
        --rest-resource-type Managers \
        --set enabled:true \
        --set admin-permission:read \
        --set admin-permission:update \
        --set admin-scope:all-resources-in-base
Next steps
After you have created and configured a new REST resource type, add a reference Delegated Admin attribute. For more information, see step 2 in Setting up a DN reference attribute.
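A pre-flight check for a dsconfig batch assembled from the commands on this page, as an added example that is not part of the product or of the original page: it reports reference attributes whose reference-resource-type is created later in the batch (or never), and referenced types that receive no admin-permission at all. The function names, the existing_types parameter, and the seeAlso/Contacts sample line are assumptions made for illustration.

```python
import shlex

# Constructed sample batch, one command per line. The Managers lines are
# shortened from this page; the seeAlso/Contacts line is a made-up mistake.
BATCH = r'''
dsconfig create-rest-resource-type --type-name Managers --type user --set enabled:true
dsconfig create-delegated-admin-attribute --type-name users --attribute-type manager --set "display-name:Select Manager" --set reference-resource-type:Managers
dsconfig create-delegated-admin-attribute --type-name users --attribute-type seeAlso --set "display-name:See Also" --set reference-resource-type:Contacts
dsconfig create-delegated-admin-resource-rights --rights-name DArights --rest-resource-type Managers --set admin-permission:reference --set admin-scope:all-resources-in-base
'''

def parse(line):
    """Split one dsconfig line into (subcommand, options, --set properties).
    Assumes every option takes exactly one value, as on this page."""
    tokens = shlex.split(line)
    opts, props = {}, {}
    for flag, value in zip(tokens[2::2], tokens[3::2]):
        if flag == "--set":
            name, _, val = value.partition(":")
            props.setdefault(name, []).append(val)
        else:
            opts[flag] = value
    return tokens[1], opts, props

def check_batch(text, existing_types=("users",)):
    """Return findings for reference attributes whose target type is not yet
    defined when the attribute is created, or has no resource rights at all."""
    defined, granted, refs, findings = set(existing_types), {}, [], []
    joined = text.replace("\\\n", " ")  # fold backslash line continuations
    for line in filter(None, map(str.strip, joined.splitlines())):
        if not line.startswith("dsconfig "):
            continue  # ignore anything that is not a dsconfig command
        sub, opts, props = parse(line)
        if sub == "create-rest-resource-type":
            defined.add(opts["--type-name"])
        elif sub == "create-delegated-admin-resource-rights":
            perms = props.get("admin-permission", [])
            granted.setdefault(opts["--rest-resource-type"], set()).update(perms)
        elif sub == "create-delegated-admin-attribute":
            for target in props.get("reference-resource-type", []):
                attr = opts["--attribute-type"]
                refs.append((attr, target))
                if target not in defined:
                    findings.append(f"{attr}: reference-resource-type {target} is not defined before use")
    for attr, target in refs:
        if not granted.get(target):
            findings.append(f"{attr}: no admin-permission granted on {target}")
    return findings
```

The check only sees the batch it is given: pass REST resource types that already exist on the server in existing_types, and treat a "no admin-permission" finding as a prompt to confirm whether rights were granted outside the batch.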