Administration Guide › Custom Roles and Policies › User Role Planning

User Role Planning

If the predefined application user groups, Administrator, Analyst, and Auditor, are insufficient for your needs, you can create custom roles with new application user groups. For example, to assign a small group of individuals to manage user accounts, where these individuals have no access to unrelated functionality in the CA Enterprise Log Manager, you could define a UserAccountAdministrator role, create a scoping policy for that role, add that role to the CALM Application Access Policy, and assign that role to the users who are to manage user accounts.

User planning for CA Enterprise Log Manager involves the following steps:

• Determining the number of users needed to administer, analyze, and audit CA Enterprise Log Manager
• Identifying the users to grant CA Enterprise Log Manager access

If you are considering creating custom roles with associated access policies, consider the following approach:

• Identify the role to assign each CA Enterprise Log Manager user
• Identify the type of access to CA Enterprise Log Manager resources is required for each role

You can also consider the following alternatives to user-defined roles (application groups):

• Configure dynamic user group policies that create dynamic user groups.
• Create global groups and treat them as application groups. That is, assign them to users and assign them to policies as Identities.

  This approach may be useful if policies are created for the purpose of restricting access by geographical location and you want the same users to have the same level of rights on multiple CA products. For example, a global group for Location-A_Admin could be assigned to users that were to administer several CA products at Location-A. Policies for each CA product could be created that grant administrative rights to the servers on which that product was installed in Location-A.

More information:

Role-Based Access

Create a Global Group