CA Identity Manager Configuration Guide › CA CA SiteMinder® Integration › CA SiteMinder® Operations › How to Configure Access Roles

How to Configure Access Roles

Access roles enable centralized management of user privileges in external applications that CA SiteMinder® has secured. CA Identity Manager administrators can create and assign roles in the CA Identity Manager User Console that determine access to users to applications outside of CA Identity Manager. For example, a Role Administrator may create roles in the User Console that control access to a finance application and grant the ability to assign the roles to the Help Desk administrator. The Help Desk administrator can assign or revoke that role through the User Console.

Access roles are enabled through integration with CA SiteMinder®. CA SiteMinder® associates roles with policies to determine which users can access a protected resource and to deliver user-specific roles and task information to protected resources.

Access roles require configuration in CA Identity Manager and CA SiteMinder®. Two administrators are involved:

• The CA Identity Manager administrator creates access roles and tasks in CA Identity Manager. The default System Manager and Access Role Manager roles include these tasks.
• The CA SiteMinder® administrator manages System and Domain objects in CA CA SiteMinder®. The CA SiteMinder® administrator must have System scope.

  Note: For more information, see the Policy Server Configuration Guide.

The following procedure outlines the steps to create an access role. Review these steps before configuring access roles for use with CA SiteMinder®.

1. A CA Identity Manager administrator completes the following tasks:
   1. Enables access roles and tasks for use with CA SiteMinder®.
   2. Creates access tasks.
   3. Creates an access role.
   4. Communicates role and task information to the CA SiteMinder® administrator for the purpose of creating CA SiteMinder® role-based access control policies.
2. A CA SiteMinder® administrator creates a role-based access control policy by completing the following steps:
   1. Assigning a user directory that is associated with one or more CA Identity Manager environments to a Policy Domain.
   2. Associating one or more CA Identity Manager environments with the Policy Domain in step 1.
   3. Creating realms and rules in the Policy Domain (if they do not exist). The realms and rules must correspond to the resources to which the access roles grants access.
   4. Creating policies and binding them to roles from the CA Identity Manager environment.
   5. (optional) Specifying responses which deliver entitlement information to the protected resources.

   Note: For detailed instructions on these steps, see the Policy Server Configuration Guide.

More information:

Enable Access Roles for Use with SiteMinder