Managing administrative roles for Groove Server Manager
Applies to: Groove Server 2010
Topic Last Modified: 2010-02-11
This article describes how to use the Groove Server Manager Roles page to enable role-based access control (RBAC) and to assign roles to administrators. Enabling role-based access helps protect your administrative Web site from unauthorized use.
These procedures require that Groove Server Manager is installed as described in Install and configure Groove Server 2010 Manager.
In this article:
Enabling Role-Based Access Control
Adding administrator roles
Editing or deleting administrator roles
Enabling Role-based Access Control for Groove Server Manager
Groove Server Manager uses a role-based access control (RBAC) system together with the security provided by the administrative Web site’s authentication scheme. This access mechanism lets you specify who can access the Groove Server Manager administrative interface and which tasks they can perform. Once you enable RBAC, when an administrator logs in to the administrative Web site by using the organization’s established IIS authentication scheme, the administrator’s assigned role determines what settings and information the administrator can access. Enabling RBAC requires that at least one administrator is defined as Server Administrator.
Immediately after installation, no Groove Server Manager administrators are defined and full access is given to all Groove Server Manager features, including the ability to add other administrators and define roles for them. Note that assigning administrator roles for Groove Server Manager does not affect any users, roles, or groups in the Windows domain.
To enable role-based access control on the Groove Server Manager
Make sure that you have set up an authentication system for the Admin directory in IIS as described in Install and configure IIS for Groove Server Manager. Otherwise, RBAC cannot effectively safeguard the Groove Server Manager administrative interface.
Log on to the Groove Server Manager administrative Web site as Server Administrator. This procedure requires you to have Server Administrator permissions.
Select the Groove Manager top level item in the navigation panel, and then click the Roles tab.
Assign yourself the Server Administrator role by clicking Add Administrator in the toolbar, entering your logon name in the Name field, specifying your Groove Server Manager for Scope, and selecting Server Administrator for Role. If you already have the role of Server Administrator, you can skip this step.
To specify additional administrator roles now, follow the procedure described in Adding administrator roles.
From the server Roles page, select Enable role-based access control. When this setting is enabled, only authenticated administrators specified in the Roles list can access the Groove Server Manager Web site.
Note
Until you enable role-based access control (RBAC), administrative role assignments have no effect.
Adding administrator roles
You can add administrator roles at any time. This lets you delegate different administrative responsibilities to specific administrators. However, role assignments have no effect unless role-based access control is enabled, as described in Enabling Role-Based Access Control.
To define administrator roles
Address the information in Enabling Role-Based Access Control.
Log on to the Groove Server Manager administrative Web site and then click the Roles tab. The Roles page appears, listing any administrators who have already been defined.
Click Add Administrator in the toolbar. The Add Administrator page appears. For reference, this page displays the name that you used to log on to the Groove Server Manager administrative Web site.
In the Name field, enter the exact logon name that the administrator will use to log on to the Groove Server Manager Web site, as defined by your authentication system.
Note
If the administrator name that you specify does not exactly match the logon name that is used by your Web site authentication scheme, the new administrator will not have any permissions on the server after RBAC is enabled. This is especially important to remember when you are adding an administrator whose logon name is in LDAP Common Name (CN) format, which may not suggest a typical logon name.
From the Scope scrolling list, select the server or management domain from the drop-down menu, to indicate the scope of the administrator’s role.
Click the Add button. The selected server or domain name appears in the Assigned Scopes list, and the default role appears under Assigned Roles Within Selected Scope.
Note
At least one administrator must be assigned the Scope of Groove Server Manager and the Role of Server Administrator. This allows at least one administrator to access all levels of Groove Server Manager administration, to assign other administrators, and to enable or disable role-based access control.
If you need to delete an assigned scope, select it and then click Remove from Scope.
If you entered the domain as the scope for an administrator name and you want to assign a role, select the domain in the Assigned Scopes list, select the appropriate options in the Assigned Roles list, and then click OK. These roles control what pages of the Groove Server Manager’s administrative UI the administrator can access. The following table describes how each role determines UI access and tasks:
Administrator Role Description Tasks Server Administrator
Allows full UI access to all server and domain-level administration. At least one administrator must be assigned the Server Administrator role.
All server-level tasks, including the following:
Adding and deleting administrators
Monitoring server events
Configuring a corporate directory server if present
All domain-level tasks, including those listed for Domain Administrator.
Domain Administrator
Allows full UI access to management domain-level administration.
All domain-level tasks, including the following:
Changing domain properties, such as identity delisting periods, cross-certification settings, and account recovery settings
Adding, changing, and deleting domain member groups
Adding, changing and deleting policy templates
Adding, changing, and deleting Relay server pools
Reassigning roles to other administrators of the domain (not to Server Administrators or to one’s self)
Member Administrator
Limits UI access to fields that affect domain member administration.
Assigning policy templates, and Relay server pools to groups and identities
Editing member contact information
Removing domain group members
Report Administrator
Allows UI access only to Groove Server Manager usage reports.
Reviewing Groove Server Manager usage reports of managed user activities, SharePoint Workspace use, and Groove workspace tool use
Support Administrator
Allows UI access only to fields that control Groove Server Manager user passwords and content recovery.
Resetting managed SharePoint Workspace user passwords or Smart Card logon credentials upon request
Restoring backed-up Groove Server Manager user accounts upon request
no roles selected
Blocks access to administrative tasks. A message appears in the navigation pane of the Groove Server Manager administrative Web site, instructing the administrator to see the server or domain administrator to gain access.
None.
Administrators without a role cannot access administrative settings until a server or domain administrator assigns them a role.
Editing or deleting administrator roles
Only administrators with the Server Administrator role can change or delete administrators. However, the initial Server Administrator cannot be deleted.
To change an administrator’s role
From the Roles tab of the Groove Server Manager administrative Web site, select the administrator whose role you want to change.
Edit the name, scope, or role as needed, as described in Adding administrator roles.
Click OK.
To remove an administrator’s role from the Groove Server Manager
From the Roles tab of the Groove Server Manager administrative Web site, select the administrator(s) that you want to delete. Note that you cannot delete yourself.
Click Delete Administrator in the toolbar.
When a confirmation pop-up appears, click OK.