This administrator use case illustrates the following situations:
This scenario involves three administrators.
Using the three administrators, the following scenarios are described:
The following terms are used throughout the use case:
Specifies how an administrator interacts with the Policy Server.
Specifies a functional area in which an administrator can execute tasks to manage Policy Server objects or tools.
Indicates whether administrator privileges extend to all policy objects or a subset of objects that are defined in an assigned workspace.
Determines the tasks that an administrator performs relative to a security category. Such as read, manage, propagate, or execute tasks.
Defines the complete set of privileges for the administrator. Rights are based on the security category, scope, and permissions.
The superuser is the administrator that was delegated system privileges when the connection to the external administrator user store was configured. The superuser can assign all categories, rights, and scope to any other Administrator.
From the Administrative UI, the superuser creates an administrator that is named Manager Admin. Initially, Manager Admin has no privileges until the superuser assigns them.
The superuser assigns the following privileges to Manager Admin:
GUI Allowed
|
Security Category |
Permissions* |
|---|---|
|
Agent Administration |
V, M |
|
Application Administration |
V, M, P |
|
Policy Administration |
V, M, P |
* Permissions: View, Manage, Propagate, eXecute (only for executing reports)
Note: The Propagate permission allows one manager to assign the category to another administrator.
If Manager Admin logs in to the Administrative UI, they can view and modify all agents, applications, and domains in the policy store. If they create an administrator account, they can assign only Application Administration and Policy Administration security categories to that account.
The superuser wants to limit the scope of Manager Admin so that they can only manage a subset of policy data. The superuser first creates a workspace that is named Workspace1 with the following members:
|
Type |
Name |
|---|---|
|
Agent |
Agent1 |
|
Application |
Application1 |
|
Application |
Application2 |
|
Domain |
DomainB |
The superuser then edits the Administrator record for Manager Admin to assign Workspace1.
At this stage, if Manager Admin logs in they can now only view and modify Agent1, Application1, Application2, and policies in DomainB. Other agents, applications, and domains in the policy store do not appear in the Administrative UI.
The second part of this use case shows how an administrator with a specific set of privileges creates another administrator.
Manager Admin creates an administrator that is named Junior Admin. When Manager Admin goes to add security categories for Junior Admin, only the following items (for which Manager Admin has the propagate permission) are available:
Note: The propagate permission lets one administrator assign the category to another administrator.
Manager Admin proceeds to assign access methods and rights to Junior Admin as follows:
GUI Allowed
|
Security Category |
Permissions* |
|---|---|
|
Application Administration |
V |
|
Policy Administration |
V, M |
* Permissions: View, Manage, Propagate, eXecute (only for executing reports)
At this stage, if Junior Admin logs in to the Administrative UI, they can view Application1 and Application2. They can view and modify DomainB (limited by default to the scope of Manager Admin).
Manager Admin wants to limit the scope of Junior Admin so that they can only manage a smaller subset of policy data. To do this, Manager Admin first creates a workspace that is named Workspace2 with the following members:
|
Type |
Name |
|---|---|
|
Application |
Application2 |
|
Domain |
DomainB |
Manager Admin then edits the Administrator record for Junior Admin to assign Workspace2.
At this stage, if Manager Admin logs in they can now only view Application2, and view and modify policies in DomainB. Other applications and domains in the policy store do not appear in the Administrative UI.
|
Copyright © 2015 CA Technologies.
All rights reserved.
|
|