This administrator use case illustrates the following:
This scenario involves three administrators
Using the three administrators, the following scenarios are described:
The following terms are used throughout the use case:
Specifies how an administrator interacts with the Policy Server.
Specifies a functional area in which an administrator can execute tasks to manage Policy Server objects or tools.
Indicates whether administrator privileges extend to all policy objects or a subset of objects defined in an assigned workspace.
Determines whether an administrator can read, manage, propagate, or execute tasks related to a security category.
Defines the complete set of privileges for the administrator. Rights are based on the security category, scope, and permissions.
The superuser is the administrator that was delegated system privileges when the connection to the external administrator user store was configured. The superuser can assign all categories, rights, and scope to any other Administrator.
From the Administrative UI, the superuser creates an administrator named Manager Admin. Initially, Manager Admin has no privileges until the superuser assigns them.
The superuser assigns the following to Manager Admin:
GUI Allowed
|
Security Category |
Permissions* |
|---|---|
|
Agent Administration |
V, M |
|
Application Administration |
V, M, P |
|
Policy Administration |
V, M, P |
* Permissions: View, Manage, Propagate, eXecute (only for executing reports)
Note: The Propagate permission allows one manager to assign the category to another administrator.
At this stage, if Manager Admin logs in to the Administrative UI, they can view and modify all agents, applications, and domains in the policy store. If they create an administrator account, they can assign only Application Administration and Policy Administration security categories to that account.
The superuser wants to limit the scope of Manager Admin so that they can only manage a subset of policy data. To do this, the superuser first creates a workspace named Workspace1 with the following members:
|
Type |
Name |
|---|---|
|
Agent |
Agent1 |
|
Application |
Application1 |
|
Application |
Application2 |
|
Domain |
DomainB |
The superuser then edits the Administrator record for Manager Admin to assign Workspace1.
At this stage, if Manager Admin logs in they can now only view and modify Agent1, Application1, Application2, and policies in DomainB. Other agents, applications and domains in the policy store do not appear in the Administrative UI.
The second part of this use case shows how an administrator with a specific set of privileges creates another administrator.
Manager Admin creates an administrator named Junior Admin. When Manager Admin goes to add security categories for Junior Admin, only the following two (for which Manager Admin has the propagate permission) are available:
Note: The propagate permission lets one administrator assign the category to another administrator.
Manager Admin proceeds to assign access methods and rights to Junior Admin as follows:
GUI Allowed
|
Security Category |
Permissions* |
|---|---|
|
Application Administration |
V |
|
Policy Administration |
V, M |
* Permissions: View, Manage, Propagate, eXecute (only for executing reports)
At this stage, if Junior Admin logs in to the Administrative UI, they can view Application1 and Application2. They can view and modify DomainB (limited by default to the scope of Manager Admin).
Manager Admin wants to further limit the scope of Junior Admin so that they can only manage a smaller subset of policy data. To do this, Manager Admin first creates a workspace named Workspace2 with the following members:
|
Type |
Name |
|---|---|
|
Application |
Application2 |
|
Domain |
DomainB |
Manager Admin then edits the Administrator record for Junior Admin to assign Workspace2.
At this stage, if Manager Admin logs in they can now only view Application2, and view and modify policies in DomainB. Other applications and domains in the policy store do not appear in the Administrative UI.
|
Copyright © 2013 CA.
All rights reserved.
|
|