Administration GuideCustom Roles and Policies › Example: Allow a Non-Administrator to Manage Archives

Previous Topic: Delete an Access Filter and Obligation Policy

Next Topic: Restricting Data Access for a User: Win-Admin Scenario

Example: Allow a Non-Administrator to Manage Archives

Suppose you want to allow a non-Administrator group to manage auto-archiving. You could create a group called ArchiveAdministrator, a CALM policy that allows the edit action on the resource database. This allows read access on the archive catalog of databases for querying, write access on the archive catalog for ReCatalog, and the ability to use LMArchive utility for manual archiving or the restore-ca-elm shell script for restoring auto-archived databases.

To allow specified non-Administrators to handle archiving

  1. Create a role called ArchiveAdministrator.
    1. Select the Administration tab and then the User and Access Management subtab.
    2. Select Groups.
    3. Click New Application Group.
    4. Enter ArchiveAdministrator as the name.
    5. Click Save.

      The Application Group, or role, ArchiveAdministrator is created.

    6. Click Close.
  2. Create a CALM policy to allow edit access to the database resource.
    1. Click Access Policies.
    2. Click New Access Policy to create a new CALM policy.
    3. Type ArchiveAdministrator policy in the Name field.
    4. Type ArchiveAdministrator can run the LMArchive utility and the restore-ca-elm shell script for the description.
    5. For Identities, select Application Group as the Type, click Search Identities, and then click Search.
    6. Select ArchiveAdministrator and then click the move arrow.
    7. Type Database under Add resource and click Add.
    8. Select edit as the Action.

    ArchiveAdministrator group can edit database; this is all that is needed to manage archiving.

    1. Click Save. Click Close
  3. Test the policy and verify that the result is ALLOW.

    Verify the ALLOW is displayed when you run a permission check.

  4. Grant the ArchiveAdministrator role the ability to log on to CA Enterprise Log Manager.
    1. Click CALM under Access Policies.
    2. Select CALM Application Access.
    3. Under Identities, search for the Application Group ArchiveAdministrator, and move it to Selected Identities.

    ArchiveAdministrator can log onto the CA Enterprise Log Manager.

    1. Click Save. Click Close. Click Close.

      The User and Access Management tab appears with the buttons in the left pane.

  5. Assign the ArchiveAdministrator role to one or more users.
    1. Click Users.
    2. Enter the name of a person to whom you want to assign this role as the Value under Search Users and click Go.

      The selected user name appears under the Users folder.

    3. Select the link for the selected user.
    4. Click Add Application User Details.
    5. Move Archive Administrator to the Selected User Groups list.

    Move ArchiveAdministrator to the Selected User Groups area.

    1. Click Save. Click Close.
    2. Repeat for each user to whom you want to assign this role.
    3. Click Close.
  6. (Optional) Review the results from CA Enterprise Log Manager.
    1. Click Log Out to log out as the Administrator.
    2. Log in as a user to whom you assigned the role ArchiveAdministrator.
    3. Click the Administration tab, Log Collection subtab.
    4. Select Archive Catalog Query.
    5. Observe that you use the Query and ReCatalog buttons.
  7. (Optional) Run the restore-ca-elm restore script with the credentials of the user defined with the ArchiveAdministrator role to verify the policy works as expected.

More information:

Restore Auto-Archived Files