Previous Topic: Configuring Custom User Roles and Access Policies

Next Topic: Grant a Custom Role Access to CA Enterprise Log Manager

Create an Application User Group (Role)

You can create a new application user group to support the roles you need. Once you create a new application user group, you must create access policies for that group.

One case where new access policies are not needed for a new group is when that group is given memberships to existing groups. Consider the scenario where you need one role for individuals who are dedicated to creating data mapping and message parsing files, another role for individuals dedicated to creating suppression and summarization rules, and a third role for those who can perform either of these two tasks. You might define one application user group called AdminDMMP with a policy that grants create access to the Integration resource and another group called AdminSS with a policy that grants create access to the EventGrouping resource. You could then create a third group called AdminDMMPSS with memberships to the AdminDMMP group and the AdminSS group. This third group would automatically inherit the policies from the two membership groups.

Rather than creating new application groups or roles, you can expand the roles of the predefined Analyst and Auditor roles. For example, if you want Analysts to be able to create suppression and summarization rules and you want Auditors to be able to view these rules, you could create a CALM policy that grants the ability to create summarization and suppression rules and a scoping policy that grants the ability to view or edit custom rules and assign the Analyst role to those policies. You could then create a scoping policy that grants users the ability to view suppression and summarization rules and assign the Auditor group to that policy.

Only Administrators can create new roles.

To create a new application user group (role)

  1. Click the Administration tab and the User and Access Management subtab.
  2. Click Groups.
  3. Click the New Application Group button to the left of the Application Groups folder in the User Groups list.
  4. Provide the group name and description.
  5. If this new user group is to have access you have already defined for two or more user-defined application groups, select those application groups for membership. Otherwise, make no selection.

    Note: If this new group is composed of existing groups, existing policies for each of the component groups will apply to this group. No additional policies are required.

  6. Click Save.
  7. Click Close.

More information:

Step 2: Create the PCI-Analyst Role

Sample Policies for Suppression and Summarization Rules