What are some guidelines for setting up ActiveViews and Assistant Admin groups? (NETIQKB47454)

  • 7747454
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
What are some guidelines for setting up ActiveViews and Assistant Admin groups?

goal
How can I configure my DRA security model efficiently?

fact
Directory and Resource Administrator 7.x

symptom
It takes a long time for the Account and Resource Management console to open.

symptom
Members of the DRA Admins group can open the Account and Resource Management console, but Assistant Admins cannot.

cause

When an account with Assistant Admin permissions opens the Account and Resource Management console, the Administration server enumerates all of the ActiveView rules, group memberships, powers, and roles for each ActiveView that the Assistant Admin can manage. If the Assistant Admin meets one or more of the following conditions, the console may take a long time to open:

  • Manages a large number of ActiveViews
  • Manages ActiveViews that contain nested ActiveViews
  • Is a member of a large number of Assistant Admin groups

When an account that is a member of the DRA Admins group opens the Account and Resource Management console, the Administration server does not need to enumerate each rule, group membership, power, and role for each ActiveView, so the console opens quickly. This is because the DRA Admins group is assigned only to the All Objects ActiveView, which contains all objects and powers, and the DRA Admins Assistant Admins group.



fix

To resolve this issue, review your existing security model and focus on reducing the number of enumerations the Administration server must perform for Assistant Admins. Use the following guidelines to reduce enumerations:

  • Limit the use of ActiveView rules that include objects managed by other ActiveViews.
  • Limit the nesting of Assistant Admin groups within other Assistant Admin groups.
  • Ensure Assistant Admins are not members of multiple Assistant Admin groups that all manage the same ActiveView.
  • Use wildcards selectively when specifying rules. Wildcards, while often helpful in specifying rules, should not be used exclusively.
  • Reorganize your security model to use OU rules and object-type rules wherever possible.
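
One way to check an inventory of a security model against the guidelines above, as an added example (not NetIQ code and not a DRA API or file format). The dictionary layout and all group, user, and ActiveView names are constructed, and the script assumes that members of a nested Assistant Admin group inherit the parent group's ActiveView assignments.

```python
from collections import defaultdict

# Constructed sample model. The dict layout is a hypothetical inventory format,
# not a DRA export format or API.
AA_GROUPS = {
    "HelpDesk":    {"members": {"alice", "bob"}, "nested": {"Tier1"}, "views": {"Sales Users"}},
    "Tier1":       {"members": {"carol"}, "nested": set(), "views": {"Sales Users"}},
    "SalesAdmins": {"members": {"alice"}, "nested": set(), "views": {"Sales Users", "Sales Servers"}},
}
ACTIVE_VIEWS = {
    "Sales Users":   [{"type": "wildcard", "value": "sales*"}],
    "Sales Servers": [{"type": "ou", "value": "OU=Servers,OU=Sales"},
                      {"type": "activeview", "value": "Sales Users"}],
}

def effective_groups(user, groups):
    """Groups a user belongs to directly or through nesting (assumption: members
    of a nested group inherit the parent group's ActiveView assignments)."""
    found = {g for g, d in groups.items() if user in d["members"]}
    changed = True
    while changed:  # walk upward until no new parent group is found
        changed = False
        for g, d in groups.items():
            if g not in found and d["nested"] & found:
                found.add(g)
                changed = True
    return found

def audit(groups, views):
    findings = {"nested_groups": [], "duplicate_paths": {}, "wildcard_only": [], "view_in_view": []}
    for g, d in sorted(groups.items()):
        findings["nested_groups"] += [(g, child) for child in sorted(d["nested"])]
    users = set().union(*(d["members"] for d in groups.values()))
    for user in sorted(users):
        paths = defaultdict(set)  # ActiveView -> groups that grant it to this user
        for g in effective_groups(user, groups):
            for v in groups[g]["views"]:
                paths[v].add(g)
        for v, via in paths.items():
            if len(via) > 1:  # same ActiveView reached through several groups
                findings["duplicate_paths"][(user, v)] = sorted(via)
    for v, rules in sorted(views.items()):
        kinds = {r["type"] for r in rules}
        if kinds == {"wildcard"}:  # rules are exclusively wildcards
            findings["wildcard_only"].append(v)
        if "activeview" in kinds:  # rule includes objects managed by another ActiveView
            findings["view_in_view"].append(v)
    return findings

if __name__ == "__main__":
    for check, result in audit(AA_GROUPS, ACTIVE_VIEWS).items():
        print(check, result)
```

Each finding maps to one guideline: nested Assistant Admin groups, an Assistant Admin reaching the same ActiveView through more than one group, ActiveViews defined only by wildcards, and ActiveViews that include other ActiveViews.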


Additional Information

Formerly known as NETIQKB47454