Limit Administrator Account Scope Using Workspaces Overview

Administrator accounts are assigned rights to one or more security categories that define their administrative authority in the Administrative UI, such as managing authentication schemes. By default an Administrator account has access to every policy store object related to an assigned security category.

Workspaces define a subset of policy store objects. You can assign a workspace to one or more Administrator accounts to filter the objects that are available to them, further controlling the scope of their administrative authority. An Administrator account whose administrative authority is restricted by an assigned workspace is therefore known as a scoped administrator.

Note: You cannot assign workspaces to Legacy Administrator accounts. Administrative scoping using workspaces is unrelated to the domain scope limitations that apply to Legacy Administrators.

Workspace Objects

A workspace object defines a subset of CA SiteMinder® policy data that can be used to limit the scope of an Administrator to which it is assigned. A workspace can contain any top-level policy object (for example, a domain, authentication scheme, or host configuration object).

Note: The actual content of the workspace consists of the top-level contents plus any child objects (for example, realms under a domain) and some required objects, which are automatically included.

The contents of a workspace are dynamic:

More information:

Create the Administrator Account

Scoped Administrators

A scoped administrator is an Administrator account whose administrative authority in the Administrative UI is restricted to the subset of policy objects defined by an assigned workspace.

A scoped administrator cannot manage every policy store object covered by the security categories for which they have rights. Instead, the Administrative UI is displayed, and all policy management calls behave, as if the policy store contained only the objects (and child objects) in the assigned workspace.

If a scoped administrator adds a new top-level object, that object immediately becomes available to all other similarly scoped administrators.

Scoped administrators that have the rights to create new administrators can only create administrators with the same or a more restrictive workspace than their own. If they create a new workspace to scope the new administrator further, that new workspace object is added to their own current workspace. The administrator can then assign either their current workspace or the new workspace to the new administrator.

If the new administrator adds an object, the original administrator can also view it. This means that the effective set of objects that the original administrator can view includes any new objects added to workspaces that they created.
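The following toy model is an added illustration of the scoping rules described above, not CA SiteMinder code; the class and function names, and the sample policy objects, are assumptions. It shows the effective view of a workspace (top-level contents plus children, plus the contents of any workspace the administrator created), the same-or-narrower rule for delegated workspaces, and why an object added by the delegate becomes visible to the original administrator.

```python
from dataclasses import dataclass, field

class ScopeError(Exception):
    """Raised when a scoped admin tries to act outside their own workspace."""

@dataclass
class PolicyStore:
    children: dict = field(default_factory=dict)    # top-level object -> child objects (constructed)
    workspaces: dict = field(default_factory=dict)  # workspace -> top-level objects (may nest workspaces)
    admins: dict = field(default_factory=dict)      # administrator -> assigned workspace

def effective_view(store, workspace, _seen=None):
    """Objects visible to an admin scoped by `workspace`: its top-level contents, their
    children, and recursively the contents of any workspace object it contains."""
    seen = _seen if _seen is not None else {workspace}
    visible = set()
    for obj in store.workspaces[workspace]:
        visible.add(obj)
        visible.update(store.children.get(obj, ()))
        if obj in store.workspaces and obj not in seen:
            seen.add(obj)
            visible |= effective_view(store, obj, seen)
    return visible

def add_top_level_object(store, admin, obj, children=()):
    """A scoped admin adds a top-level object to their workspace, so every admin sharing
    or containing that workspace sees it immediately."""
    store.children[obj] = set(children)
    store.workspaces[store.admins[admin]].add(obj)

def create_workspace(store, admin, new_ws, contents):
    """Only a same-or-narrower workspace may be created; the new workspace object is
    itself added to the creator's current workspace."""
    own = store.admins[admin]
    if not set(contents) <= effective_view(store, own):
        raise ScopeError(f"{new_ws} would exceed {admin}'s workspace {own}")
    store.workspaces[new_ws] = set(contents)
    store.workspaces[own].add(new_ws)

def create_scoped_admin(store, creator, new_admin, assigned_ws):
    """The creator may assign only their own workspace or one they created."""
    own = store.admins[creator]
    if assigned_ws != own and assigned_ws not in store.workspaces[own]:
        raise ScopeError(f"{creator} cannot assign workspace {assigned_ws}")
    store.admins[new_admin] = assigned_ws
```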

Note: Only Administrator accounts can be scoped using workspaces. Legacy Administrators cannot be scoped. However, Administrator accounts associated with Legacy Administrator records in the policy store can be scoped.

More information:

Create the Administrator Account