Sun Java System Access Manager and Sun Java System Federation Manager FAQ

Sun Java System Access Manager FAQ: Administration Console


Q: How do I customize the email sent by the password reset service?

Edit the amPasswordResetModuleMsgs.properties file. For Sun Java Enterprise System installations, that file resides at /opt/SUNWam/locale; for Web archive (WAR) deployments, it resides at WEB-INF/classes.

Q: Can a suborganization administrator assign users from the parent organization to a group in the current organization?

No. A suborganization administrator has read and write access only to the entries within the suborganization, not to the entries in the parent organization.

Q: Does the Access Manager Administration Console support nested groups and roles?

No. The Access Manager Administration Console supports groups and roles, but not nested groups and roles.

Q: How do I add columns in legacy mode in the navigation pane?

The Search Return attribute in the Administration Service controls which attributes are displayed in the navigation frame. By default, the value of that attribute lists only the user attributes uid and cn.

To add attributes for other object types, use this syntax:
[object-type]=[attributes] | [object-type]=[attributes] | ...

For example, to add the sunPreferredDomain attribute to the organization's display, type:
uid cn | organizations=o sunPreferredDomain
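As an added example (not code from the FAQ or from Access Manager), a small Python helper that parses a Search Return value in the syntax above and rebuilds it with extra columns; the key name users for the unprefixed uid cn segment is a label chosen here, not a value documented on this page.

```python
import re

# Assumption: the unprefixed leading segment ("uid cn") holds user attributes;
# the key name "users" is a label chosen here, not a value from the page.
DEFAULT_TYPE = "users"
# Sanity check before writing the value back: LDAP attribute type names are
# letters, digits and hyphens, so stray punctuation is rejected early.
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_search_return(value):
    """Parse 'attrs | object-type=attrs | ...' into {object_type: [attrs]}."""
    columns = {}
    for segment in value.split("|"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" in segment:
            obj_type, attrs = (p.strip() for p in segment.split("=", 1))
        else:
            obj_type, attrs = DEFAULT_TYPE, segment
        names = attrs.split()
        if not obj_type or not names:
            raise ValueError(f"malformed segment: {segment!r}")
        for name in names:
            if not ATTR_NAME.match(name):
                raise ValueError(f"invalid attribute name: {name!r}")
            if name not in columns.setdefault(obj_type, []):
                columns[obj_type].append(name)
    return columns


def format_search_return(columns):
    """Rebuild the attribute value, unprefixed user attributes first."""
    parts = []
    if columns.get(DEFAULT_TYPE):
        parts.append(" ".join(columns[DEFAULT_TYPE]))
    for obj_type, names in columns.items():
        if obj_type != DEFAULT_TYPE and names:
            parts.append(f"{obj_type}={' '.join(names)}")
    return " | ".join(parts)


def add_column(value, obj_type, attr):
    """Return a new Search Return value that also shows attr for obj_type."""
    if not ATTR_NAME.match(attr):
        raise ValueError(f"invalid attribute name: {attr!r}")
    columns = parse_search_return(value)
    if attr not in columns.setdefault(obj_type, []):
        columns[obj_type].append(attr)
    return format_search_return(columns)
```

Calling add_column("uid cn", "organizations", "o") and then add_column on the result with "sunPreferredDomain" reproduces the FAQ's value uid cn | organizations=o sunPreferredDomain.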

Q: How do I display a custom service under Authentication in the Configuration tab?

Edit the amServiceTable.properties file in the service's Web application. That file defines where a custom service is displayed in the Configuration tab. On Sun Java System Web Server, amServiceTable.properties is located at /WEB-INF/classes in the WAR deployment and contains entries similar to the following:

iPlanetAMPasswordResetService=Global
iPlanetAMPolicyConfigService=Global

sunAMAuthSAMLService=Authentication
iPlanetAMAuthSafeWordService=Authentication
iPlanetAMAuthSecurIDService=Authentication
iPlanetAMAuthUnixService=Authentication

To add a custom service under Authentication, add a line in this form:

custom_service-name=Authentication

You have four choices for classifying services: Authentication, Administration, Global, and System. To hide a service, replace the section name with a dot, for example:

iPlanetAMPolicyConfigService=.
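As an added example (not code from the FAQ or shipped with Access Manager), a Python helper that reads an amServiceTable.properties file, rejects section names outside the four the FAQ lists (plus the dot used for hiding), and adds or hides a service; the sample table and the service name myCustomAuthService are constructed for the example.

```python
# Section names the FAQ lists for amServiceTable.properties; "." hides a service.
SECTIONS = {"Authentication", "Administration", "Global", "System"}
HIDDEN = "."

# Constructed sample in the style of the entries shown above (not the real file).
SAMPLE_TABLE = """\
iPlanetAMPasswordResetService=Global
iPlanetAMPolicyConfigService=Global

sunAMAuthSAMLService=Authentication
iPlanetAMAuthUnixService=Authentication
"""


def parse_service_table(text):
    """Parse name=section lines into a dict, rejecting unknown section names."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":  # java.util.Properties comment markers
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected name=section, got {raw!r}")
        name, section = (p.strip() for p in line.split("=", 1))
        if section != HIDDEN and section not in SECTIONS:
            raise ValueError(f"line {lineno}: unknown section {section!r} for {name}")
        table[name] = section
    return table


def render_service_table(table):
    return "".join(f"{name}={section}\n" for name, section in table.items())


def add_custom_service(text, name, section="Authentication"):
    """Add (or move) a service to one of the four sections; returns new file text."""
    if section not in SECTIONS:
        raise ValueError(f"unknown section {section!r}")
    table = parse_service_table(text)
    table[name] = section
    return render_service_table(table)


def hide_service(text, name):
    """Replace a service's section with '.' so the console no longer lists it."""
    table = parse_service_table(text)
    if name not in table:
        raise KeyError(f"service {name!r} not in table")
    table[name] = HIDDEN
    return render_service_table(table)


def visible_services(text, section):
    """Services the console would show under the given section."""
    return [n for n, s in parse_service_table(text).items() if s == section]
```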

Q: How do I add a dynamic attribute to the response provider in a policy?

Configure the dynamic attributes in the Policy Configuration Service (PCS) before specifying them in a policy. Afterward, the attributes are displayed in the Dynamic Attributes list on the Response Providers page.

Q: How do I add attributes to the Advanced Search page?

Mark the attributes as filterable, that is, add the filter keyword to the attribute's any value. Here is an example of the uid attribute, which is marked for display in the Advanced Search page with the filter keyword:

<AttributeSchema name="uid"
type="single"
syntax="string"
any="required|filter"
i18nKey="u101">
</AttributeSchema>

You must also define the attribute in the User Service, that is, the amUser.xml file.

Q: While creating a group in legacy mode, how do I avoid creating the Group Admin role?

Edit the Dynamic Administrative Role's Access Control Instruction (ACI) attribute in the Administration Service and delete the Group Admin entry. Do the following:

  1. In the Access Manager Administration Console, click the Service Configuration tab.

    The Administration Service profile is displayed.

  2. In the Global section, locate the Dynamic Administrative Role's ACI attribute and choose Group Admin from the pull-down menu.

  3. Click Remove and then Save.

Note: You can also modify the ACIs for other admin types.

Q: Can I make certain fields on the User Profile page editable and others read-only?

Yes. To make a field read-only, update the attribute schema in the XML file for the corresponding service and set the any value to userReadOnly or readOnly. See this example:

<AttributeSchema name="employeenumber"
type="single"
syntax="number"
any="readOnly"
i18nKey="u107">
</AttributeSchema>
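As an added example serving both the filter keyword in the Advanced Search answer above and the read-only flags here (not code from the FAQ or from Access Manager), a Python helper that lists and edits the any flags on AttributeSchema elements; the sample XML is a constructed excerpt in the style of amUser.xml, and the cn entry with i18nKey u102 is made up.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the style of amUser.xml; uid and employeenumber follow
# the FAQ's examples, the cn entry (i18nKey u102) is made up for the sample.
SAMPLE_SCHEMA = """<AttributeSchemas>
<AttributeSchema name="uid" type="single" syntax="string"
    any="required|filter" i18nKey="u101"/>
<AttributeSchema name="employeenumber" type="single" syntax="number"
    any="readOnly" i18nKey="u107"/>
<AttributeSchema name="cn" type="single" syntax="string"
    any="required" i18nKey="u102"/>
</AttributeSchemas>"""

# Flags the FAQ names for the 'any' attribute; the value is '|'-separated.
FILTER_FLAG = "filter"
READ_ONLY_FLAGS = {"readOnly", "userReadOnly"}


def _flags(elem):
    return [f for f in elem.get("any", "").split("|") if f]


def attributes_with_flag(xml_text, flag):
    """Names of AttributeSchema elements whose 'any' value carries flag."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iter("AttributeSchema") if flag in _flags(e)]


def read_only_attributes(xml_text):
    """Attributes the User Profile page shows but does not let users edit."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iter("AttributeSchema")
            if READ_ONLY_FLAGS & set(_flags(e))]


def set_any_flags(xml_text, name, add=(), remove=()):
    """Return the schema with flags added to / removed from one attribute."""
    root = ET.fromstring(xml_text)
    for elem in root.iter("AttributeSchema"):
        if elem.get("name") == name:
            flags = [f for f in _flags(elem) if f not in remove]
            flags += [f for f in add if f not in flags]
            elem.set("any", "|".join(flags))
            return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no AttributeSchema named {name!r}")
```

The edited XML still has to be reloaded with amadmin as described below before the console picks it up.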

To activate the changes, delete and reinstall the service with the amadmin command. For example, after updating an attribute in the User service, first delete the old schema by typing, all on one line:

/opt/SUNWam/bin/amadmin --runasdn uid=amadmin,ou=people,dc=sun,dc=com --password mypassword --deleteservice iplanetAMUserService

Next, import the modified schema by typing, all on one line:

/opt/SUNWam/bin/amadmin --runasdn uid=amadmin,ou=people,dc=sun,dc=com --password mypassword --schema amUser.xml

Q: Why are the sessions from a failover server not displayed in the Access Manager Administration Console after the initial server crashes?

The problem stems from the session cache. The sessions from the failed server are not displayed in the Administration Console until the cache time, as determined by the value of the max-caching-time parameter, has expired. Refresh your browser after that interval to see the sessions in the Administration Console.
