Secure Global Desktop 4.40 Administration Guide
Organizing Your Users, Applications, and Application Servers
Read This Topic to...
- Discover how you can organize your resources in SGD.
SGD is built on the following principles of directory services:
- Users, applications and application servers are represented by objects in a directory. The objects are organized into a hierarchy representing your organization.
- Different types of object have different configuration settings, known as attributes.
- The relationships between objects are important and have meanings.
- Each object is identified using a unique name.
SGD includes a number of different object types. The set of objects available, and the attributes for each object, are collectively called the schema. SGD objects are based on the commonly used LDAP version 3 schema. These objects have been extended, using the standard method of doing so, to support SGD functionality. For more information on the LDAP schema, see RFC 2256.
You use objects to represent the different parts of your organization. Together, the objects form your organizational hierarchy. SGD uses a local repository to store all the objects in the organizational hierarchy.
In the SGD Administration Console, you use the following tabs to manage the organizational hierarchy:
- User Profiles
- Applications
- Application Servers
The following sections describe these tabs, the objects that they can contain, and how they are used. The System Objects organization is also described.
On the command line, you manage the organizational hierarchy with the tarantella object family of commands.
You can also populate the organizational hierarchy using a batch script.
The User Profiles Tab
The User Profiles tab is where you manage SGD users. Use the objects on this tab
to control users' SGD-related settings and the applications that
they can access through SGD.
By default, this tab contains two objects, an Organization object called o=organization and a Domain Component object called dc=com. These are the top-level objects in the organizational hierarchy. You can rename or delete these objects, or create new top-level objects. You create all the objects you need for managing users within these top-level object types.
You can use other objects, such as an Organizational Unit (OU) object, to subdivide your organization. For example, you might want to use an OU for each department in your organization. An OU can contain other OUs, to further subdivide your organization.
User Profile objects are used to represent a user (or a group of users if you are using LDAP or Active Directory authentication).
Organization, OU and User Profile objects have an Assigned Applications tab. You use this tab to assign applications to users.
The applications listed on the Assigned Applications tab are the applications a user can access through SGD.
It is important to design your organizational hierarchy. Here are some tips:
- The most important influence on the design of the hierarchy is the authentication mechanisms you use. For example, if you use UNIX system authentication, you can structure the hierarchy however you like. However, with LDAP authentication, you might need to mirror part of your LDAP directory structure.
- It is not always best to mirror your organization chart. Sometimes it is a good approach to use OUs to represent departments or offices. However, if your organization is restructured, you have to re-organize your hierarchy. This can cause running application sessions to become orphaned and cached passwords to become invalid.
- Use inheritance as much as possible. The settings for User Profile objects and OU objects can be inherited from the object's parent in the organizational hierarchy. For example, if everyone in a department needs an application, assign the application to the OU that represents the department. Every user belonging to that OU gets the applications assigned to the OU.
- Do not create user profile objects unnecessarily. User profile objects are used to give users access to particular applications and customized settings. Depending on the authentication mechanisms you are using, a default user profile is often used and this might be sufficient for your needs. This is particularly true if you use an LDAP directory to assign applications to users.
- Use a naming convention for each object type. For user profile objects, it is best to use the person's full name, for example "Indigo Jones".
The following list describes the object types that are available on the User Profiles tab and how they are used.

Directory: Organization
- Use an Organization object for things that apply to your organization as a whole.
- Organization objects are always at the top of the organizational hierarchy.
- Organization objects can contain OU or User Profile objects.
- On the command line, you create an Organization object with the tarantella object new_org command.
- Organization objects have an o= naming attribute.

Directory (light): Domain Component
- Use a Domain Component object to replicate a directory structure, usually a Microsoft Active Directory structure, within the SGD organizational hierarchy.
- Domain Component objects are similar to Organization objects, but do not include additional SGD-specific attributes or allow you to assign applications. This is why they are called Directory (light) objects.
- Domain Component objects can only appear at the top of the organizational hierarchy, or within another Domain Component object.
- Domain Component objects can contain OU, Domain Component, Active Directory Container, or User Profile objects.
- On the command line, you create a Domain Component object with the tarantella object new_dc command.
- Domain Component objects have a dc= naming attribute.

Directory: Organizational Unit
- Use an OU object to distinguish different departments, sites or teams in your organization.
- An OU can be contained in an Organization or a Domain Component object.
- On the command line, you create an OU object with the tarantella object new_orgunit command.
- OU objects have an ou= naming attribute.

Directory (light): Active Directory Container
- Use an Active Directory Container object to replicate your Microsoft Active Directory structure within the SGD organizational hierarchy.
- Active Directory Container objects are similar to OUs, but do not include additional SGD-specific attributes or allow you to assign applications. This is why they are called Directory (light) objects.
- An Active Directory Container object can be contained in an Organization, an OU, or a Domain Component object.
- On the command line, you create an Active Directory Container object with the tarantella object new_container command.
- Active Directory Container objects have a cn= naming attribute.

User Profile
- Use a User Profile object to represent a user in your organization, and give that user access to applications.
- Depending on the authentication mechanisms used, users might be able to log in to SGD even if they do not have a User Profile object.
- To use inheritance, create User Profile objects within OUs. This makes administration easier and more efficient.
- On the command line, you create a User Profile object with the tarantella object new_person command.
- User Profile objects can have a cn= (common name), a uid= (user identification), or a mail= (mail address) naming attribute.
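To make the containment rules in the table and the inheritance tip above concrete, here is an added Python model (example code, not part of the SGD guide or the product): it rejects object placements and naming attributes the table forbids, refuses application assignment on Directory (light) objects, and resolves the applications a User Profile effectively receives through inheritance from its parent OUs and Organization. Object types, naming attributes and containment rules are taken from the text above; the sample names and applications are constructed.

```python
from dataclasses import dataclass, field
# Naming attributes and permitted parents per object type, as the table above states
# (None as a parent means "top of the organizational hierarchy").
NAMING_ATTRS = {"org": {"o"}, "dc": {"dc"}, "orgunit": {"ou"},
                "container": {"cn"}, "person": {"cn", "uid", "mail"}}
ALLOWED_PARENTS = {"org": {None}, "dc": {None, "dc"}, "orgunit": {"org", "dc", "orgunit"},
                   "container": {"org", "orgunit", "dc"}, "person": {"org", "dc", "orgunit"}}
LIGHT_TYPES = {"dc", "container"}  # "Directory (light)": no Assigned Applications tab
@dataclass
class SgdObject:
    kind: str
    rdn: str                               # e.g. "ou=Sales"
    parent: "SgdObject" = None
    apps: set = field(default_factory=set)

    def __post_init__(self):
        attr = self.rdn.split("=", 1)[0].strip().lower()
        if attr not in NAMING_ATTRS[self.kind]:
            raise ValueError(f"{self.kind} cannot use the {attr}= naming attribute")
        parent_kind = self.parent.kind if self.parent else None
        if parent_kind not in ALLOWED_PARENTS[self.kind]:
            raise ValueError(f"{self.kind} cannot be created under {parent_kind}")

    def dn(self) -> str:                   # LDAP-style name, most specific component first
        return self.rdn if self.parent is None else f"{self.rdn},{self.parent.dn()}"

    def assign(self, *app_names: str) -> "SgdObject":
        if self.kind in LIGHT_TYPES:
            raise ValueError(f"{self.dn()} is Directory (light) and cannot be assigned applications")
        self.apps.update(app_names)
        return self

    def effective_apps(self) -> set:       # own assignments plus everything inherited from ancestors
        inherited = self.parent.effective_apps() if self.parent else set()
        return inherited | self.apps

def check_placement(kind: str, rdn: str, parent: "SgdObject" = None) -> str:
    try:                                   # "ok" or the violated rule, without keeping the object
        SgdObject(kind, rdn, parent)
        return "ok"
    except ValueError as exc:
        return str(exc)

def build_sample_hierarchy() -> SgdObject:
    # Constructed sample data (not from the guide): applications assigned to the department OU
    # so that every member inherits them, plus one personal extra assigned on the user.
    org = SgdObject("org", "o=Indigo Insurance").assign("Intranet Portal")
    sales = SgdObject("orgunit", "ou=Sales", org).assign("CRM", "Quote Tool")
    emea = SgdObject("orgunit", "ou=EMEA", sales)
    return SgdObject("person", "cn=Indigo Jones", emea).assign("Expense Report")
```

Running build_sample_hierarchy().effective_apps() shows the user receiving the Organization's and the Sales OU's applications without any direct assignment, which is the inheritance the tips recommend relying on.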
The Applications Tab
The Applications tab is where you configure and manage the applications and documents that users access through SGD.
Application objects are always created in the applications organization. On the command line, this organization is called o=applications.
You can use OU objects to subdivide the applications organization. For example, you might want to use an OU to contain the applications for a department in your organization.
Use a naming convention for each application or document object type. The name of the application or document object is displayed to users.
Application, Group, and OU objects have an Assigned User Profiles tab. You use this tab to assign applications to users.
The users listed on the Assigned User Profiles tab are the users that can access the application through SGD.
Application objects have a Hosting Application Servers tab. You use this tab to assign application servers to applications.
The application servers listed on the Hosting Application Servers tab are the application servers that can run the application.
The following list describes the object types that are available on the Applications tab and how they are used.

Directory: Organizational Unit
- Use an OU object to divide the applications into different departments, sites, or teams in your organization.
- On the command line, you create an OU object with the tarantella object new_orgunit command.
- OU objects have an ou= naming attribute.

Group
- Use a Group object to associate groups of applications with a user profile.
- Group objects are not the same as OUs. Applications can only belong to one OU, but can be members of many different groups.
- Members of a group can be moved or renamed without affecting group membership.
- On the command line, you create a Group object with the tarantella object new_group command.
- Group objects have a cn= naming attribute.

X Application
- Use an X Application object to give an X11 graphical application to users.
- See Configuring X Applications for more details.
- On the command line, you create an X Application object with the tarantella object new_xapp command.
- X Application objects have a cn= naming attribute.

Windows Application
- Use a Windows Application object to give a Microsoft Windows graphical application to users.
- See Configuring Windows Applications for more details.
- On the command line, you create a Windows Application object with the tarantella object new_windowsapp command.
- Windows Application objects have a cn= naming attribute.

Character Application
- Use a Character Application object to give a VT420, Wyse 60 or SCO Console character application to users.
- See Configuring Character Applications for more details.
- On the command line, you create a Character Application object with the tarantella object new_charapp command.
- Character Application objects have a cn= naming attribute.

Document
- Use a Document object to give a document to users.
- A Document object can refer to any URL. This can be any document on the web, including Sun StarOffice documents, or Adobe Acrobat files. A Document can also refer to a web application.
- It is the user's client device that actually fetches the URL, and so firewalls or other security measures might prevent a user from accessing a URL.
- On the command line, you create a Document object with the tarantella object new_doc command.
- Document objects have a cn= naming attribute.

3270 Application
- Use a 3270 Application object to give a 3270 application to users.
- SGD uses the third-party emulator application TeemTalk for Unix for 3270 applications. See the TeemTalk for Unix User's Guide (in PDF format) for details.
- The first time a user runs the emulator, the tta3270.nv configuration file is created in the user's home directory on the SGD host.
- On the command line, you create a 3270 Application object with the tarantella object new_3270app command.
- 3270 Application objects have a cn= naming attribute.

5250 Application
- Use a 5250 Application object to give a 5250 application to users.
- SGD uses the third-party emulator application TeemTalk for Unix for 5250 applications. See the TeemTalk for Unix User's Guide (in PDF format) for details.
- The first time a user runs the emulator, the teemx320.nv configuration file is created in the user's home directory on the SGD host.
- On the command line, you create a 5250 Application object with the tarantella object new_5250app command.
- 5250 Application objects have a cn= naming attribute.
The Application Servers Tab
The Application Servers tab is where you configure and manage the application servers that run the applications that users can access through SGD.
Application Server objects are always contained in the application servers organization. On the command line, this organization is called o=appservers.
You can use OU objects to subdivide the application servers organization. For example, you might want to use an OU to contain the application servers on a particular site.
Application Server objects have a Hosted Applications tab. You use this tab to assign applications to application servers.
The applications listed on the Hosted Applications tab are the applications that are configured to run on the application server.
The following list describes the object types that are available on the Application Servers tab and how they are used.

Directory: Organizational Unit
- Use an OU object to divide the application servers into different departments, sites, or teams in your organization.
- On the command line, you create an OU object with the tarantella object new_orgunit command.
- OU objects have an ou= naming attribute.

Group
- Use a Group object to associate similar application servers for application load balancing.
- Group objects are not the same as OUs. Application servers can only belong to one OU, but can be members of many different groups.
- Members of a group can be moved or renamed without affecting group membership.
- On the command line, you create a Group object with the tarantella object new_group command.
- Group objects have a cn= naming attribute.

Application Server
- Use an Application Server object to represent an application server that is used to run applications through SGD.
- Application servers are used with application load balancing. If you assign two or more Application Server objects to an application object, SGD chooses which application server to use, based on the load across the application servers.
- On the command line, you create an Application Server object with the tarantella object new_host command.
- Application Server objects have a cn= naming attribute.
The System Objects Organization
The System Objects organization contains objects that are essential for the running and maintenance of SGD. On the command line, the System Objects organization is displayed as o=Tarantella System Objects.
The System Objects organization contains the Global Administrators role object. This object determines who is a Secure Global Desktop Administrator, and who can run the SGD administration tools.
The System Objects organization also contains profile objects. These are default user profile objects for use with the various authentication mechanisms supported by SGD.
You can edit objects in the System Objects organization, but you cannot add, delete, move, or rename objects.
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.