HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

5 Organizing Entries with roles, Class of service, and Views
Entries contained within the directory can be grouped in different ways to simplify the management
of user accounts. HP-UX Directory Server supports a variety of methods for grouping entries and
sharing attributes between entries. To take full advantage of the features offered by roles and class
of service, determine the directory topology when planning the directory deployment.
Topics include:
“Using roles” (page 166)
“Assigning class of service” (page 187)
“Using views” (page 210)
“Using groups” (page 216)
5.1 Using roles
Roles are a grouping mechanism that unifies the static and dynamic groups described in the previous
sections. Roles are designed to be more efficient and easier to use for applications. For example,
an application can get the list of roles of which an entry is a member by querying the entry itself,
rather than selecting a group and browsing the members list of several groups.
This section contains the following topics:
“About roles” (page 166)
“Managing roles using the console” (page 168)
“Managing roles using the command line” (page 184)
“Using roles securely” (page 187)
5.1.1 About roles
There are two kinds of groups:
Static groups have a finite and defined list of members.
Dynamic groups use filters to recognize which entries are members of the group, so the group
membership is constantly changed as the entries that match the group filter change.
Both kinds of groups are described in “Using groups” (page 216).
Roles are a sort of hybrid group, behaving as both a static and dynamic group. With a group,
entries are added to a group entry as members. With a role, the role attribute is added to an entry,
then that attribute is used to identify members in the role entry automatically.
Roles effectively organize users in a number of different ways:
Explicitly listing role members
Viewing the role will display the complete list of members for that role. The role itself can be
queried to check membership (which is not possible with a dynamic group).
Showing what roles an entry belongs to
Because role membership is determined by an attribute on an entry, simply viewing an entry
will show all the roles to which it belongs. This is similar to the memberOf attributes for groups.
Assigning the appropriate roles
Role membership is assigned through the entry, not through the role, so the roles to which a
user belongs can be easily assigned and removed by editing the entry, in a single step.
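The following LDIF is an added illustration of the mechanism described above, not an example taken from this guide. It assumes the standard Directory Server role schema (the nsManagedRoleDefinition object class and the nsRoleDN and nsRole attributes); the suffix dc=example,dc=com and all entry names are constructed sample values.

```ldif
# Constructed sample data: suffix, role name and user are assumptions.
# Apply with an LDAP modify tool as a user allowed to write these entries.

# 1. The role entry. It holds no member list of its own.
dn: cn=Marketing,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: LDAPsubentry
objectClass: nsRoleDefinition
objectClass: nsSimpleRoleDefinition
objectClass: nsManagedRoleDefinition
cn: Marketing
description: Managed role for marketing staff

# 2. A user entry. Membership is declared here, on the entry itself,
#    by pointing nsRoleDN at the role entry.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
nsRoleDN: cn=Marketing,ou=People,dc=example,dc=com

# 3. Reading roles and members:
#    - A base-scope search on uid=jdoe that requests the nsRole attribute
#      by name returns the DN of every role the entry belongs to. nsRole
#      is computed by the server and is not returned unless requested.
#    - A subtree search with the filter
#        (nsRole=cn=Marketing,ou=People,dc=example,dc=com)
#      returns every entry that is a member of the role.

# 4. Removing the user from the role is a single change to the user
#    entry; the role entry is not touched.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
delete: nsRoleDN
nsRoleDN: cn=Marketing,ou=People,dc=example,dc=com
```

Because membership is expressed by an attribute on the user entry, write access to nsRoleDN determines who can grant a role, which is the subject of “Using roles securely” (page 187).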