

How to Configure Access Roles

Access roles enable centralized management of user privileges in external applications that SiteMinder has secured. CA IdentityMinder administrators can create and assign roles in the CA IdentityMinder User Console that determine users' access to applications outside of CA IdentityMinder. For example, a Role Administrator may create roles in the User Console that control access to a finance application and grant the Help Desk administrator the ability to assign those roles. The Help Desk administrator can then assign or revoke that role through the User Console.

Access roles are enabled through integration with SiteMinder. SiteMinder associates roles with policies to determine which users can access a protected resource and to deliver user-specific roles and task information to protected resources.

Access roles require configuration in CA IdentityMinder and SiteMinder. Two administrators are involved: a CA IdentityMinder administrator and a SiteMinder administrator.

The following procedure outlines the steps to create an access role. Review these steps before configuring access roles for use with SiteMinder.

  1. A CA IdentityMinder administrator completes the following tasks:
    1. Enables access roles and tasks for use with SiteMinder.
    2. Creates access tasks.
    3. Creates an access role.
    4. Communicates role and task information to the SiteMinder administrator for the purpose of creating SiteMinder role-based access control policies.
  2. A SiteMinder administrator creates a role-based access control policy by completing the following steps:
    1. Assigning a user directory that is associated with one or more CA IdentityMinder environments to a Policy Domain.
    2. Associating one or more CA IdentityMinder environments with the Policy Domain in step 1.
    3. Creating realms and rules in the Policy Domain (if they do not exist). The realms and rules must correspond to the resources to which the access roles grant access.
    4. Creating policies and binding them to roles from the CA IdentityMinder environment.
    5. (optional) Specifying responses which deliver entitlement information to the protected resources.

    Note: For detailed instructions on these steps, see the Policy Server Configuration Guide.

More information:

Enable Access Roles for Use with SiteMinder