Policy Server Guides › Policy Server Configuration Guide › SiteMinder Administrators › How to Create a Legacy Administrator

How to Create a Legacy Administrator

Complete the following steps to create a Legacy Administrator:

1. Review the Legacy Administrator considerations.
2. Create the Legacy Administrator record.
3. Delegate Administrative UI permissions.

Legacy Administrator Considerations

This process applies if one or more of the following criteria are met:

• A Legacy Administrator is required to manage CA SiteMinder® objects using the Policy Management API
• A Legacy Administrator is required is to function as a Trusted Host administrator

Note: Legacy Administrators can also be used to access the Administrative UI if the policy store is configured as the source of administrator identities (the default). Once an external administrator store is configured, Legacy Administrator accounts can no longer be used to access the Administrative UI.

Create the Legacy Administrator Record

Create a Legacy Administrator record to store the Legacy Administrator identity in the policy store.

Follow these steps:

1. Click Administration, Administrator.
2. Click Legacy Administrators.

   The Legacy Administrators screen appears.

3. Click Create Legacy Administrator.

   The Create Legacy Administrator screen appears.

4. Click OK.

   The Create Legacy Administrator screen appears.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

5. Do the following in the General section:
   1. Type a unique ID in the Name field.

      Consider entering a unique ID that adheres to your corporate standards. Adhering to your corporate standards does the following:

      • Prevents the administrator from having to remember a new set of credentials.
      • Facilitates a transition to an external administrator store because the Legacy Administrator ID matches the unique ID in the external store.
   2. Type the full name of the user in the Description field.

      The value appears as the display name when a user logs in to the Administrative UI. The display name identifies who is logged in.

      Example: If you enter Joe Smith, the Administrative UI display name appears as the following:

      Logged in as Joe Smith.

6. Leave the CA SiteMinder® Database option button selected.
7. Enter the administrator password in the respective fields.
8. Do one of the following:
   • Click Submit if you are creating a Legacy Administrator to do only the following:
     • Use the Administrative UI
     • Use Policy Server tools

     The administrator record is created.

   • Go to the next step if you are creating a Legacy Administrator to do any of the previous tasks and any one of the following:
     • Manage the Policy Management API
     • Function as a Trusted Host administrator
9. Select the System or Domain option from the Administrator Privileges section.

   Note: You delegate privileges to the Administrative UI after creating the Legacy Administrator.

   System

   An administrator has access to all policy domains in the Policy Management API. If you select System, a Task section appears.

   Domain

   An administrator has access to a specific subset of policy domains in the Policy Management API. If you select Domain, the Tasks and Scope section appears. The Tasks section lists the administrative tasks that can be performed. The Scope section lists the available domains that can be managed.

   Note: The Scope section on the Create Legacy Administrator screen is not related to Administrator account scoping using workspaces.

10. Select the tasks the administrator can perform.
    • For a system administrator, select one or more of the following tasks:
      • Manage System and Domain Objects
      • Manage Users
      • Manage Keys and Password Policies
      • Register Trusted Hosts
    • For a domain administrator, do the following:
      1. Select one or more of the following tasks:

         – Manage Domain Objects

         – Manage Users

         – Manage Password Policies

      2. Select the domains that the administrator must manage in the Scope section.
11. Click Submit.

    You have created a Legacy Administrator.

    Note: An Administrator account, associated with the Legacy Administrator record in the policy store, is also created to provide Administrative UI access.

Delegate Administrative UI Permissions

When a Legacy Administrator is created, an Administrator account associated with the same record in the policy store is also generated. This Administrator account is configured with Administrative UI access privileges that correspond to the settings specified for the Legacy Administrator.

Changes to the Legacy Administrator settings that affect access privileges are automatically propagated to the associated Administrator account.

You can also directly modify the associated Administrator settings to take advantage of the fine-grained Administrative UI access privileges available to Administrator accounts.

Note: Changes to the associated Administrator account settings are not propagated back to the Legacy Administrator. Additionally, once changes are made to the associated Administrator, changes to the Legacy Administrator are no longer propagated to the Administrator account.

More information:

Limit Administrator Account Scope Using Workspaces Overview

How to Create a Scoped Administrator

How to Create an Administrator