You can create and configure a new REST resource type in order to set up a reference delegated admin attribute.
To set up a reference delegated admin attribute, you must have a REST resource type defined and configured.
This example task creates a new REST resource type called Managers.
- To create the new REST resource type, run dsconfig with the create-rest-resource-type option.

  In the following example, the new resource type of Managers is created:

      dsconfig create-rest-resource-type \
        --type-name Managers \
        --type user \
        --set 'description:Rest type for users who are managers\n\It is used as reference type for the field Manager.' \
        --set enabled:true \
        --set resource-endpoint:managers \
        --set structural-ldap-objectclass:inetOrgPerson \
        --set search-base-dn:dc=example,dc=com \
        --set "include-filter:(employeeType=manager)" \
        --set parent-dn:ou=people,dc=example,dc=com \
        --set create-rdn-attribute-type:uid \
        --set display-name:Managers \
        --set 'search-filter-pattern:(|(cn=*%%*)(mail=%%*)(uid=%%*)(sn=*%%*))' \
        --set primary-display-attribute-type:cn
- To add Delegated Admin attributes for the resource type, run dsconfig with the create-delegated-admin-attribute option.

  The following example adds Delegated Admin attributes for the Managers resource type:

      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type cn --set "display-name:Full Name"
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type uid --set "display-name:Manager ID"
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type mail --set display-name:Email
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type employeeType --set "display-name:Employee Type (must be manager)"
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type sn --set "display-name:Last name"
      dsconfig create-delegated-admin-attribute --type-name Managers --attribute-type givenName --set "display-name:First Name"
- To distinguish your resource type from other resources, run dsconfig with the create-delegated-admin-attribute option.

  In the following example, Managers are distinguished from other users using the employeeType attribute:

      dsconfig create-delegated-admin-attribute --type-name users --attribute-type employeeType --set "display-name:Employee type (manager, other)" --set display-order-index:4
- To add Delegated Admin resource rights to your set of existing Delegated Admin rights, run dsconfig with the create-delegated-admin-resource-rights option.

  In the following example, Delegated Admin administrators are granted the reference Admin Permission for the Managers REST resource type to allow viewing access:

      dsconfig create-delegated-admin-resource-rights --rights-name <existing-rights-name> --rest-resource-type Managers --set enabled:true --set admin-permission:reference --set admin-scope:all-resources-in-base

  In the following example, Delegated Admin administrators are granted the read and update Admin Permissions for the Managers REST resource type to allow edit access:

      dsconfig create-delegated-admin-resource-rights --rights-name DArights --rest-resource-type Managers --set enabled:true --set admin-permission:read --set admin-permission:update --set admin-scope:all-resources-in-base
After you have created and configured a new REST resource type, add a reference Delegated Admin attribute. For more information, see step 2 in Setting up a DN reference attribute.
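
A review check for the resource-rights step, as an added example that is not part of the product documentation: the Python script below parses a dsconfig batch and reports which rights grant more than view-only access to a REST resource type. Treating reference and read as view-only and every other admin-permission value as modifying is an assumption of this example, and the function names are hypothetical.

```python
import shlex

SUBCOMMAND = "create-delegated-admin-resource-rights"
# Assumption of this example: these two values are view-only, anything else modifies.
VIEW_ONLY = {"reference", "read"}

# Constructed batch input: the two resource-rights commands from this page.
BATCH = r"""
# Delegated Admin rights for the Managers resource type
dsconfig create-delegated-admin-resource-rights --rights-name <existing-rights-name> --rest-resource-type Managers --set enabled:true --set admin-permission:reference --set admin-scope:all-resources-in-base
dsconfig create-delegated-admin-resource-rights \
  --rights-name DArights --rest-resource-type Managers \
  --set enabled:true --set admin-permission:read \
  --set admin-permission:update --set admin-scope:all-resources-in-base
"""

def parse_rights(batch_text):
    """Return one dict per resource-rights command found in a dsconfig batch."""
    grants = []
    # Join backslash-continued lines so each command is one logical line.
    for line in batch_text.replace("\\\n", " ").splitlines():
        if line.lstrip().startswith("#"):
            continue
        tokens = shlex.split(line)
        if SUBCOMMAND not in tokens:
            continue
        grant = {"rights": None, "type": None, "permissions": set(), "scope": None}
        it = iter(tokens)
        for tok in it:
            if tok == "--rights-name":
                grant["rights"] = next(it, None)
            elif tok == "--rest-resource-type":
                grant["type"] = next(it, None)
            elif tok == "--set":
                name, _, value = next(it, "").partition(":")
                if name == "admin-permission":
                    grant["permissions"].add(value)
                elif name == "admin-scope":
                    grant["scope"] = value
        grants.append(grant)
    return grants

def modifying_grants(grants, resource_type):
    """Grants on resource_type whose permissions go beyond VIEW_ONLY."""
    return [g for g in grants
            if g["type"] == resource_type and g["permissions"] - VIEW_ONLY]

if __name__ == "__main__":
    for g in modifying_grants(parse_rights(BATCH), "Managers"):
        print(g["rights"], sorted(g["permissions"]), g["scope"])
```

Run against a real batch file, the output lists each rights name that can change Managers entries, which is the set to compare against the administrators who are meant to have edit access.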