Deploy Delegated Administration for Users, Groups and Organizations

Delegated administration is the management of users and their entitlements in which different CA IdentityMinder users perform the functions of modifying, assigning, and using a role.

Note: Delegation models must be carefully constructed to ensure good performance and scalability in your CA IdentityMinder implementation.

Delegation is enforced by scope rules, which are defined in member and admin policies for admin roles. A scope rule determines the objects on which a role member can use the role. For example, a scope rule may enable a User Manager to manage users in his department, but not in other departments.

Generally, scope rules should reflect the logical structure of the user store. For example, in a hierarchical LDAP user store, scope may be defined by organizations. In a relational database, scope can be defined using attributes such as department ID.
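The following added example is a conceptual model of how scope rules limit what a role member can manage. It is not CA IdentityMinder code or configuration. The record layout, the function names, and the sample DNs and department IDs are assumptions constructed for illustration.

```python
"""Conceptual model of delegation scope rules (not CA IdentityMinder code)."""
from typing import Callable, Mapping, Sequence

User = Mapping[str, str]                  # constructed record: {"dn": ..., "dept_id": ...}
ScopeRule = Callable[[User, User], bool]  # (admin, target) -> in scope?


def rdns(dn: str) -> list[tuple[str, str]]:
    """Split a DN into normalized (attr, value) pairs.
    Simplified: assumes no escaped commas inside values."""
    pairs = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def org_scope(org_dn: str) -> ScopeRule:
    """Hierarchical store: target must sit below org_dn in the tree."""
    org = rdns(org_dn)

    def rule(admin: User, target: User) -> bool:
        t = rdns(target["dn"])
        # Compare whole RDNs so ou=PreSales never matches ou=Sales.
        return len(t) > len(org) and t[-len(org):] == org
    return rule


def same_department(admin: User, target: User) -> bool:
    """Relational store: target's department ID equals the admin's."""
    dept = admin.get("dept_id")
    # A missing department ID never matches, even against another missing one.
    return bool(dept) and target.get("dept_id") == dept


def can_manage(admin: User, target: User, rules: Sequence[ScopeRule]) -> bool:
    """Default deny: the target is manageable only if some rule covers it."""
    return any(rule(admin, target) for rule in rules)


# Constructed sample data
MANAGER = {"dn": "uid=mgr1,ou=Sales,o=example", "dept_id": "D100"}
ALICE = {"dn": "uid=alice, OU=EMEA, ou=sales, o=Example", "dept_id": "D100"}
BOB = {"dn": "uid=bob,ou=PreSales,o=example", "dept_id": "D200"}

if __name__ == "__main__":
    sales_only = [org_scope("ou=Sales,o=example")]
    for u in (ALICE, BOB):
        print(u["dn"], "->", can_manage(MANAGER, u, sales_only))
```

The model denies by default: a target that no scope rule covers is out of scope, which is the behavior to verify when testing a delegation design.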

Note the following when deploying delegated administration for users, groups, and organizations: