Policy Server Guides › Policy Server Configuration Guide › SiteMinder Administrators

SiteMinder Administrators

This section contains the following topics:

SiteMinder Administrators Overview

How to Configure an External Administrator Store

How to Create an Administrator

Limit Administrator Account Scope Using Workspaces Overview

How to Create a Scoped Administrator

Administrator Use Cases

How to Create a Legacy Administrator

Disable an Administrator

Disable a Legacy Administrator

Restoring Administrator Access

How to Configure the Accessibility Mode for the Administrative UI

SiteMinder Administrators Overview

A CA SiteMinder® administrator is anyone who has access to Policy Server objects and tools.

You can configure multiple CA SiteMinder® administrator accounts so that different administrators can log in with the ability to manage different interfaces, resources, and features according to their different roles in an organization.

This fine-grained administrative model allows you to delegate the management of Policy Server objects and CA SiteMinder® tools across a few or many individuals in an organization.

A default CA SiteMinder® superuser account with full system privileges is created when you configure the policy store, which is the default source of administrator identities. This default configuration lets you manage the environment immediately after installing the software.

However, we recommend that you configure an external administrator user store, such as a corporate directory, and create additional administrator accounts whose privileges can be configured to delegate administrative authority.

Default Superuser Administrator

When you configure the policy store, a default superuser account is created. This account has the maximum system privileges, which you use for the following operations:

• Registering the Administrative UI with a Policy Server.
• Creating any other type of Policy Server object, including other administrator accounts.
• Using any of the Policy Server tools.
• Trusted Host administration.
• Managing the Policy Management API.

The default superuser account has the following credentials:

User Name

siteminder

Password

The password that you specified when configuring the policy store.

Note: For more information about configuring a policy store, see the Policy Server Installation Guide. For more information about registering an Administrative UI, see the Policy Server Installation Guide.

More information:

How to Register the Administrative UI

LDAP Directory Servers as a Policy or Key Store

Relational Databases as a Policy or Key Store

Administrator Accounts

Administrator accounts can be used to perform the following CA SiteMinder® administration tasks:

• Manage CA SiteMinder® objects using the Administrative UI
• Use Policy Server tools, such as XPSImport and XPSExport

Create Administrator accounts to delegate fine-grain privileges that determine the administrative capabilities available to that administrator. Specifically, Administrator accounts define the following properties:

Scope

Specifies whether the Administrator can access all CA SiteMinder® data or only those objects defined in an assigned administrative Workspace.

Access methods

Specifies what methods the Administrator can use to access and manage the CA SiteMinder® data.

Rights

Specifies what categories of CA SiteMinder® objects the Administrator can access, and whether they can only view or view and modify those objects.

This granularity allows you to create administrators and assign privileges to match the administrative roles in your organization.

Note: You can only create new Administrator accounts that are associated with administrative users in an external administrator store. However, Administrator accounts are automatically generated for Legacy Administrator records stored in the policy store to allow those administrators to access the Administrative UI.

More information:

How to Configure an External Administrator Store

Limit Administrator Account Scope Using Workspaces Overview

Administrator Use Cases

How to Create a Scoped Administrator

How to Create an Administrator

Legacy Administrator Accounts

Legacy Administrator accounts can be used to perform the following administrative tasks:

• Use Policy Server tools, such as smobjimport and smobjexport.
• Function as a Trusted Host Administrator. A Trusted Host Administrator has the right to run the host registration process from the CA SiteMinder® Agent host system. The registration process enables an Agent to communicate with the Policy Server.
• Use the Policy Management API.

  Note: If your environment includes a script or program that uses the Policy Management API, a Legacy Administrator account is required. Create a Legacy Administrator that has the authentication privileges to execute the functions through the Policy Management API.

Note: Legacy Administrators can also be used to access the Administrative UI if the policy store is configured as the source of administrator identities (the default). Once an external administrator store is configured, Legacy Administrator accounts can no longer be used to access the Administrative UI.

More information:

Administrator Store Options

Administrator Store Options

By default, the Administrative UI uses the policy store as its source of administrator identities. However, we recommend that you use an external administrator user store, such as a corporate directory, for further administrator accounts.

Consider the following factors when deciding where to store administrator identities:

• If you are configuring the Administrative UI with a single Policy Server, you can use the policy store to store administrator identities.
• If you are configuring the Administrative UI with multiple Policy Servers, you must use an external administrator store.
• If you store administrator identities in the policy store, you can only establish a new administrator record in the policy store by creating a Legacy Administrator.
• If you store administrator identities in an external store, you create Administrator accounts to locate administrator records in the external store.

  Note: You cannot create new Legacy Administrators or associate Administrator accounts with Legacy Administrator records to allow Administrative UI access once an external administrator store is configured.

• An external administrator store can be used to help ensure that multiple Administrative UI instances share the same set of administrators. By default, the Administrative UI uses the policy store that is configured with the registered Policy Server.

Note: For more information about installing the Administrative UI and configuring additional Policy Server connections, see the Policy Server Installation Guide.

More information:

How to Install the Administrative UI

How to Configure Additional Policy Server Connections