Policy Server Guides › Policy Server Configuration Guide › SiteMinder Administrators › Limit Administrator Account Scope Using Workspaces Overview

Limit Administrator Account Scope Using Workspaces Overview

Administrator accounts are assigned rights to one or more security categories that define their administrative authority in the Administrative UI, such as managing authentication schemes. By default an Administrator account has access to every policy store object related to an assigned security category.

Workspaces are subsets of policy store objects. Workspaces limit the objects which are available to an administrator account. Administrator accounts with such restrictions are named scoped administrators.

Note: You cannot assign workspaces to any Legacy Administrator accounts — administrative scoping using workspaces is not related to domain scope limitations for Legacy Administrators.

Workspace Objects

Workspaces can contain any top-level policy object (for example, a domain, authentication scheme, or host configuration object).

Note: The actual content of the workspace consists of the top-level contents plus any child objects. Examples include realms under a domain, and any required objects (which are automatically included).

The contents of a workspace are dynamic:

• The contents of a workspace can be modified at any time. Any new objects are available immediately to all administrators assigned to the workspace. All removed objects are no longer available to administrators assigned to the workspace.
• If a scoped administrator has the right to modify an object type, that administrator can create objects in the workspace. These new objects are immediately available to all administrators assigned to the workspace.

More information:

Create the Administrator Account

Scoped Administrators

A scoped administrator cannot manage all the objects in the policy store for which they have rights. The Administrative UI appears to contain only the objects in the assigned workspace.

If a scoped administrator adds a new top-level object, that object immediately becomes available to all other similarly scoped administrators.

Those scoped administrators that have the rights to create new administrators can only create administrators with the same or a more restrictive workspace than theirs. If they create new workspaces to further scope the new administrator, this new workspace object is added to their current workspace. The administrator can then assign their current workspace or the new workspace to the new administrator.

If the new administrator adds an object, the original administrator can also view it. The effective set of objects that the original administrator can view includes any new objects added to workspaces that they created.

Note: Only the Administrator accounts can be scoped using workspaces. Legacy Administrators cannot be scoped. However, Administrator accounts associated with any Legacy Administrator records in the policy store can be scoped.

More information:

Create the Administrator Account