Using RolesChapter 5 Advanced Entry Management 171Example: Nested Role DefinitionYou want to create a role that contains both the marketing staff and sales managerscontained by the roles you created in the previous examples. The nested role youcreate using ldapmodify appears as follows:dn: cn=MarketingSales,ou=people,dc=example,dc=comobjectclass: topobjectclass: LDAPsubentryobjectclass: nsRoleDefinitionobjectclass: nsComplexRoleDefinitionobjectclass: nsNestedRoleDefinitioncn: MarketingSalesnsRoleDN: cn=SalesManagerFilter,ou=people,dc=example,dc=comnsRoleDN: cn=Marketing,ou=people,dc=example,dc=comNotice the nsNestedRoleDefinition object class inherits from the LDAPsubentry,nsRoleDefinition, and nsComplexRoleDefinition object classes. The nsRoleDNattributes contain the DN of the marketing managed role and the sales managersfiltered role.Both of the users in the previous examples, Bob and Pat, would be members of thisnew nested role.Using Roles SecurelyNot every role is suitable for use in a security context. When creating a new role,consider how easily the role can be assigned to and removed from an entry.Sometimes it is appropriate for users to be able to easily add themselves to orremove themselves from a role. For example, if you had an interest group rolecalled Mountain Biking, you would want interested users to add themselves orremove themselves easily.However, in some security contexts it is inappropriate to have such open roles. Forexample, consider account inactivation roles. By default, account inactivation rolescontain ACIs defined for their suffix. When creating a role, the server administratordecides whether a user can assign themselves to or remove themselves from therole.For example, user A possesses the managed role, MR. The MR role has been lockedusing account inactivation through the command line. This means that user Acannot bind to the server because the nsAccountLock attribute is computed as“true” for that user. However, suppose the user was already bound and noticedthat he is now locked through the MR role. If there are no ACIs preventing him, theuser can remove the nsRoleDN attribute from his entry and unlock himself.
