This section contains the following topics:
SiteMinder Administrators Overview
How to Configure an External Administrator Store
How to Create an Administrator
Limit Administrator Account Scope Using Workspaces Overview
How to Create a Scoped Administrator
How to Create a Legacy Administrator
Disable a Legacy Administrator
Restoring Administrator Access
How to Configure the Accessibility Mode for the Administrative UI
A CA SiteMinder® administrator is anyone who has access to Policy Server objects and tools.
You can configure multiple CA SiteMinder® administrator accounts so that different administrators can log in with the ability to manage different interfaces, resources, and features according to their different roles in an organization.
This fine-grained administrative model allows you to delegate the management of Policy Server objects and CA SiteMinder® tools across a few or many individuals in an organization.
A default CA SiteMinder® superuser account with full system privileges is created when you configure the policy store, which is the default source of administrator identities. This default configuration lets you manage the environment immediately after installing the software.
However, we recommend that you configure an external administrator user store, such as a corporate directory, and create additional administrator accounts whose privileges can be configured to delegate administrative authority.
When you configure the policy store, a default superuser account is created. This account has the maximum system privileges, which you use for the following operations:
The default superuser account has the following credentials:
User name: siteminder
Password: The password that you specified when configuring the policy store.
Note: For more information about configuring a policy store, see the Policy Server Installation Guide. For more information about registering an Administrative UI, see the Policy Server Installation Guide.
Administrator accounts can be used to perform the following CA SiteMinder® administration tasks:
Create Administrator accounts to delegate fine-grained privileges that determine the administrative capabilities available to that administrator. Specifically, Administrator accounts define the following properties:
Specifies whether the Administrator can access all CA SiteMinder® data or only those objects defined in an assigned administrative Workspace.
Specifies what methods the Administrator can use to access and manage the CA SiteMinder® data.
Specifies what categories of CA SiteMinder® objects the Administrator can access, and whether they can only view or view and modify those objects.
This granularity allows you to create administrators and assign privileges to match the administrative roles in your organization.
Note: You can only create new Administrator accounts that are associated with administrative users in an external administrator store. However, Administrator accounts are automatically generated for Legacy Administrator records stored in the policy store to allow those administrators to access the Administrative UI.
Legacy Administrator accounts can be used to perform the following administrative tasks:
Note: If your environment includes a script or program that uses the Policy Management API, a Legacy Administrator account is required. Create a Legacy Administrator that has the authentication privileges to execute the functions through the Policy Management API.
Note: Legacy Administrators can also be used to access the Administrative UI if the policy store is configured as the source of administrator identities (the default). Once an external administrator store is configured, Legacy Administrator accounts can no longer be used to access the Administrative UI.
By default, the Administrative UI uses the policy store as its source of administrator identities. However, we recommend that you use an external administrator user store, such as a corporate directory, for further administrator accounts.
Consider the following factors when deciding where to store administrator identities:
Note: You cannot create new Legacy Administrators or associate Administrator accounts with Legacy Administrator records to allow Administrative UI access once an external administrator store is configured.
Note: For more information about installing the Administrative UI and configuring additional Policy Server connections, see the Policy Server Installation Guide.
Copyright © 2013 CA.
All rights reserved.