Previous Topic: Protecting the Administrative UI with SiteMinderNext Topic: How to Configure an External Administrator Store


SiteMinder Administrators

This section contains the following topics:

SiteMinder Administrators Overview

How to Configure an External Administrator Store

How to Create an Administrator

Limit Administrator Account Scope Using Workspaces Overview

How to Create a Scoped Administrator

Administrator Use Cases

How to Create a Legacy Administrator

Disable an Administrator

Disable a Legacy Administrator

Restoring Administrator Access

How to Configure the Accessibility Mode for the Administrative UI

SiteMinder Administrators Overview

A CA SiteMinder® administrator is anyone who has access to Policy Server objects and tools.

You can configure multiple CA SiteMinder® administrator accounts so that different administrators can log in with the ability to manage different interfaces, resources, and features according to their different roles in an organization.

This fine-grained administrative model allows you to delegate the management of Policy Server objects and CA SiteMinder® tools across a few or many individuals in an organization.

A default CA SiteMinder® superuser account with full system privileges is created when you configure the policy store, which is the default source of administrator identities. This default configuration lets you manage the environment immediately after installing the software.

However, we recommend that you configure an external administrator user store, such as a corporate directory, and create additional administrator accounts whose privileges can be configured to delegate administrative authority.

Default Superuser Administrator

When you configure the policy store, a default superuser account is created. This account has the maximum system privileges, which you use for the following operations:

The default superuser account has the following credentials:

User Name

siteminder

Password

The password that you specified when configuring the policy store.

Note: For more information about configuring a policy store, see the Policy Server Installation Guide. For more information about registering an Administrative UI, see the Policy Server Installation Guide.

More information:

How to Register the Administrative UI

LDAP Directory Servers as a Policy or Key Store

Relational Databases as a Policy or Key Store

Administrator Accounts

Administrator accounts can be used to perform the following CA SiteMinder® administration tasks:

Create Administrator accounts to delegate fine-grain privileges that determine the administrative capabilities available to that administrator. Specifically, Administrator accounts define the following properties:

Scope

Specifies whether the Administrator can access all CA SiteMinder® data or only those objects defined in an assigned administrative Workspace.

Access methods

Specifies what methods the Administrator can use to access and manage the CA SiteMinder® data.

Rights

Specifies what categories of CA SiteMinder® objects the Administrator can access, and whether they can only view or view and modify those objects.

This granularity allows you to create administrators and assign privileges to match the administrative roles in your organization.

Note: You can only create new Administrator accounts that are associated with administrative users in an external administrator store. However, Administrator accounts are automatically generated for Legacy Administrator records stored in the policy store to allow those administrators to access the Administrative UI.

More information:

How to Configure an External Administrator Store

Limit Administrator Account Scope Using Workspaces Overview

Administrator Use Cases

How to Create a Scoped Administrator

How to Create an Administrator

Legacy Administrator Accounts

Legacy Administrator accounts can be used to perform the following administrative tasks:

Note: Legacy Administrators can also be used to access the Administrative UI if the policy store is configured as the source of administrator identities (the default). Once an external administrator store is configured, Legacy Administrator accounts can no longer be used to access the Administrative UI.

More information:

Administrator Store Options

Administrator Store Options

By default, the Administrative UI uses the policy store as its source of administrator identities. However, we recommend that you use an external administrator user store, such as a corporate directory, for further administrator accounts.

Consider the following factors when deciding where to store administrator identities:

Note: For more information about installing the Administrative UI and configuring additional Policy Server connections, see the Policy Server Installation Guide.

More information:

How to Install the Administrative UI

How to Configure Additional Policy Server Connections