Configuration Guide › SiteMinder Integration › SiteMinder Operations › How to Configure Access Roles

How to Configure Access Roles

Access roles enable centralized management of user privileges in external applications secured by SiteMinder. Identity Manager administrators can create and assign roles in the Identity Manager User Console that determine users’ access to applications outside of CA Identity Manager. For example, a Role Administrator may create roles in the User Console that control access to a finance application, and grant the ability to assign the roles to the Help Desk administrator. The Help Desk administrator can assign or revoke that role through the User Console.

Access roles are enabled through integration with SiteMinder. SiteMinder associates roles with policies to determine which users can access a protected resource and to deliver user-specific role and task information to protected resources.

Access roles require configuration in Identity Manager and SiteMinder. Two administrators are involved:

• The Identity Manager administrator creates access roles and tasks in Identity Manager. The default System Manager and Access Role Manager roles include these tasks.
• The SiteMinder administrator manages System and Domain objects in CA SiteMinder. The SiteMinder administrator must have System scope.

  Note: For more information, see the Policy Server Configuration Guide.

The following procedure outlines the steps to create an access role. Review these steps before configuring access roles for use with SiteMinder.

1. An Identity Manager administrator completes the following tasks:
   1. Enables access roles and tasks for use with SiteMinder.
   2. Creates access tasks.
   3. Creates an access role.
   4. Communicates role and task information to the SiteMinder administrator for the purpose of creating Siteminder role-based access control policies.
2. A SiteMinder administrator creates a role-based access control policy by completing the following steps:
   1. Assigning a user directory that is associated with one or more Identity Manager environments to a Policy Domain.
   2. Associating one or more Identity Manager environments with the Policy Domain in step 1.
   3. Creating realms and rules in the Policy Domain (if they do not already exist). The realms and rules should correspond to the resources to which the access roles will grant access.
   4. Creating policies and binding them to roles from the Identity Manager environment.
   5. (optional) Specifying responses which deliver entitlement information to the protected resources.

   Note: For detailed instructions on these steps, see the Policy Server Configuration Guide.

More information:

Enable Access Roles for Use with SiteMinder