

How to Create a Scoped Administrator

Administrator accounts can be configured with fine-grained privileges that determine the administrative capabilities available to that administrator.

Administrator accounts are assigned rights to one or more security categories that define their administrative authority in the Administrative UI, such as managing authentication schemes. By default an Administrator account has access to every object related to an assigned security category.

Workspaces define a subset of objects. Assigning a workspace to an Administrator account limits the objects that are available to that account: the workspace controls the scope of its authority. Administrator accounts limited in this way are called scoped administrators.

Diagram showing the required steps to create a scoped administrator

  1. Review the scoped administrator considerations.
  2. Create a workspace defining a subset of objects.
  3. Create and scope an Administrator account.
  4. Verify the scope of the new Administrator account.

Scoped Administrator Guidelines

A scoped administrator cannot manage all the objects in the policy store for which they have rights. The Administrative UI appears to contain only the objects that are defined in the assigned workspace.

If a scoped administrator adds a new top-level object, that object immediately becomes available to all other similarly scoped administrators.

Scoped administrators that have the rights to create new administrators can only create administrators with the same or a more restrictive workspace than theirs. If scoped administrators create new workspaces to further scope the new administrator, this new workspace object is added to their current workspace. The administrator can then assign their current workspace or the new workspace to the new administrator.

If the new administrator adds an object, the original administrator can also view it. The effective set of objects that the original administrator can view includes any new objects added to workspaces that they created.

Important! An Administrator can only create another Administrator with the same or lesser privileges. For example, if an Administrator has GUI and reports privileges, they can create another Administrator with those privileges, but not one with local API privileges. Similarly, an Administrator can only create an Administrator with the same or lesser scope (as defined by an assigned workspace).

Note: Only Administrator accounts can be scoped using workspaces. Legacy Administrators cannot be scoped. However, Administrator accounts associated with any Legacy Administrator records in the policy store can be scoped.

When configuring a scoped administrator, consider the following attributes of that administrator:

Create a Workspace

You create a workspace to define a subset of top-level policy objects (for example, a domain or authentication scheme) for which a scoped administrator has administrative privileges.

Note: The actual content of the workspace consists of the top-level contents plus any child objects. Examples include realms under a domain, and any required objects (which are automatically included).

The contents of a workspace are dynamic:

Follow these steps:

  1. Log in to the Administrative UI using the CA SiteMinder® superuser or other administrator account with appropriate privileges.
  2. Click Administration, Administrator, Workspaces, Create Workspaces.

    The Create Workspace page appears.

  3. Type the name and a description of the workspace in the fields in the General section.
  4. Add objects that define the required subset of policy data to the workspace in the Members section:

    Note: Some commonly used objects are added to the workspace and appear in the Members list by default; you can remove them if necessary.

    1. Click Lookup.

      The Select Workspace Contents page appears.

    2. Select the type of objects that you want to add to the workspace from the Search for objects of type drop-down menu. Optionally, narrow the search to specific objects by Name or Description (or both).
    3. Click Search.

      A list of matching objects appears.

      Note: If the administrator account with which you are logged in is itself scoped, the list of matching objects is limited to those objects available to you.

    4. Select the object or objects you want to add to your workspace and click Select.

      The Create Workspace page reopens.

  5. (Optional) Set administrator privileges for workspace members to read-only by setting the corresponding Read-Only check boxes.
  6. Click Submit.

    The Create Workspace task is submitted for processing. CA SiteMinder® verifies that the workspace is consistent (all required objects that are related to objects in the workspace are present in the workspace). If not, the missing objects are added and an information dialog appears indicating that some objects were automatically added to make the workspace consistent.

More information:

Limit Administrator Account Scope Using Workspaces Overview

Create an Administrator and Assign a Workspace

Create a scoped Administrator by creating an Administrator account and assigning a workspace that defines the scope of the objects that it can administer.

Follow these steps:

  1. Log in to the Administrative UI using the superuser or other administrator account with appropriate privileges.
  2. Click Administration, Administrator.
  3. Click Administrators.
  4. Click Create Administrator.
  5. Click Lookup under General.
  6. Specify search criteria and click Search.
  7. Pick the administrator that you want and click Select.
  8. Select a workspace that defines the subset of objects to which the Administrator is scoped from the Workspace drop-down list.
  9. Do one of the following tasks:
  10. Specify how the administrator is permitted to interact with the Policy Server in the Access Methods section. Select only the methods that the administrator requires for their role.

    Example: If an administrator is going to use the XPSImport and XPSExport tools, select Import Allowed and Export Allowed.

  11. Click Add in the Rights section.
  12. Select the security categories that you want for the administrator and click OK.

    Note: Security categories comprise one or more tasks that correspond to specific objects.

  13. Select the permissions (Read, Write, Modify, and Propagate) to apply to the security categories you added in the Rights section.
  14. Click Submit.

    The scoped Administrator is created.
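The following Python model, added here as an illustration and not CA SiteMinder code, ties together the rules this page states: the consistency check that runs when a workspace is submitted (required objects related to workspace members are added automatically), the visibility of objects to a scoped administrator, and the guideline that an administrator can only create another administrator with the same or lesser privileges and the same or lesser scope. The policy store contents, object names, privilege names and required-object relationships are constructed for the example; the real product stores these in its policy store and the Administrative UI enforces them.

```python
"""Model of workspace-based administrator scoping (illustrative, not product code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed policy store: object id -> ids of objects it requires.
# A domain requires its realms, and a realm requires the authentication
# scheme it references; these are the "required objects" the page says the
# Create Workspace task adds automatically.
REQUIRED: Dict[str, Set[str]] = {
    "domain:Sales": {"realm:Sales-Web"},
    "realm:Sales-Web": {"authscheme:Basic"},
    "domain:HR": {"realm:HR-Portal"},
    "realm:HR-Portal": {"authscheme:Cert"},
    "authscheme:Basic": set(),
    "authscheme:Cert": set(),
    "agent:web01": set(),
}

# Constructed privilege names standing in for access methods such as GUI,
# reports and local API.
ALL_PRIVILEGES = frozenset({"gui", "reports", "local_api", "import", "export"})


def make_consistent(members: Set[str],
                    required: Dict[str, Set[str]] = REQUIRED) -> Tuple[Set[str], Set[str]]:
    """Return (closed_members, auto_added).

    Closes the member set over the required-object relation, which is the
    consistency check the page describes on Submit. The second element lists
    the objects that were added so a caller can report them, as the UI does.
    """
    closed = set(members)
    pending = list(members)
    while pending:
        obj = pending.pop()
        for dep in required.get(obj, ()):
            if dep not in closed:
                closed.add(dep)
                pending.append(dep)
    return closed, closed - set(members)


@dataclass(frozen=True)
class Administrator:
    name: str
    privileges: FrozenSet[str]
    # None models an unscoped administrator (for example the superuser),
    # who sees every object for the categories they hold.
    workspace: Optional[FrozenSet[str]]


def visible_objects(admin: Administrator,
                    store: Dict[str, Set[str]] = REQUIRED) -> Set[str]:
    """Objects the Administrative UI would show to this administrator."""
    if admin.workspace is None:
        return set(store)
    return set(admin.workspace) & set(store)


def check_create(creator: Administrator, new: Administrator) -> List[str]:
    """Return the violations of the 'same or lesser privileges and scope' rule.

    An empty list means the creator is allowed to create `new`.
    """
    problems = []
    extra_privs = new.privileges - creator.privileges
    if extra_privs:
        problems.append(f"privileges exceed creator's: {sorted(extra_privs)}")
    if creator.workspace is not None:
        if new.workspace is None:
            problems.append("scoped administrator cannot create an unscoped administrator")
        else:
            extra_scope = new.workspace - creator.workspace
            if extra_scope:
                problems.append(f"workspace exceeds creator's: {sorted(extra_scope)}")
    return problems


def create_scoped_admin(creator: Administrator, name: str,
                        privileges: Set[str], members: Set[str]) -> Administrator:
    """Create a workspace from `members` (made consistent) and a scoped admin.

    Raises PermissionError with the violations if `creator` may not create it.
    """
    workspace, _added = make_consistent(members)
    candidate = Administrator(name, frozenset(privileges), frozenset(workspace))
    problems = check_create(creator, candidate)
    if problems:
        raise PermissionError("; ".join(problems))
    return candidate


if __name__ == "__main__":
    superuser = Administrator("superuser", ALL_PRIVILEGES, None)
    sales = create_scoped_admin(superuser, "sales_admin", {"gui", "reports"}, {"domain:Sales"})
    print("sales_admin sees:", sorted(visible_objects(sales)))
    try:
        create_scoped_admin(sales, "escalated", {"gui", "local_api"}, {"domain:HR"})
    except PermissionError as exc:
        print("refused:", exc)
```

Running the block shows the sales administrator seeing only the Sales domain, its realm and the authentication scheme that realm requires, and the attempt by that scoped administrator to create an administrator with local API privileges over the HR domain being refused on both counts.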

Verify that the Administrator is Scoped

Verify that the new Administrator account only has access to the scoped subset of objects.

Follow these steps:

  1. Log in to the Administrative UI using the scoped Administrator account.
  2. Explore the Administrative UI. Verify that only the scoped subset of objects from the workspace appears in the Administrative UI.