

How to Create a Scoped Administrator

CA SiteMinder® Administrator accounts can be configured with fine-grained privileges that determine the administrative capabilities available to that administrator.

CA SiteMinder® Administrator accounts are assigned rights to one or more security categories that define their administrative authority in the Administrative UI, such as managing authentication schemes. By default, an Administrator account has access to every CA SiteMinder® object related to an assigned security category.

Workspaces define a subset of CA SiteMinder® objects. Assign a workspace to one or more Administrator accounts to filter the objects that are available to them, further controlling the scope of their administrative authority. An Administrator account whose authority is restricted by an assigned workspace is known as a scoped administrator.

[Diagram: the required steps to create a scoped administrator]

  1. Review the scoped administrator considerations
  2. Create a workspace defining a subset of SiteMinder objects
  3. Create and scope an Administrator account
  4. Verify the scope of the new Administrator account

Scoped Administrator Considerations

Before you configure a scoped administrator, review the following considerations:

Important! An Administrator can only create another Administrator with the same or lesser privileges. For example, if an Administrator has GUI and reports privileges, the Administrator can create another Administrator with GUI and reports privileges, but not with local API privileges. Similarly, an Administrator can only create another Administrator with the same or lesser scope (as defined by an assigned workspace).
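The "same or lesser" rule above can be modeled as a subset check across access methods, rights, and workspace scope. The following Python sketch is an added illustration, not CA SiteMinder® code: the `Admin` class, the `delegation_violations` function, the object names, and the treatment of per-category permissions as part of "privileges" are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Admin:
    """Hypothetical model of an Administrator account (not a product API)."""
    name: str
    access_methods: Set[str]            # e.g. "GUI", "reports", "local API"
    rights: Dict[str, Set[str]]         # security category -> permissions
    workspace: Optional[Set[str]] = None  # None = unscoped (all objects)


def delegation_violations(creator: Admin, new: Admin) -> List[str]:
    """Return the reasons `creator` may not create `new`; empty means allowed."""
    problems = []
    extra = new.access_methods - creator.access_methods
    if extra:
        problems.append(f"access methods not held by creator: {sorted(extra)}")
    for category, perms in new.rights.items():
        missing = perms - creator.rights.get(category, set())
        if missing:
            problems.append(f"{category}: permissions not held: {sorted(missing)}")
    # An unscoped creator may assign any scope; a scoped creator may only narrow.
    if creator.workspace is not None:
        if new.workspace is None:
            problems.append("scoped creator cannot create an unscoped administrator")
        elif new.workspace - creator.workspace:
            outside = sorted(new.workspace - creator.workspace)
            problems.append(f"objects outside creator's workspace: {outside}")
    return problems


# Constructed sample accounts (names and objects are invented for illustration).
CREATOR = Admin("hr-admin", {"GUI", "reports"},
                {"authentication schemes": {"Read", "Modify"}},
                workspace={"realm:hr-portal", "agent:hr-web"})
NARROWER = Admin("hr-helper", {"GUI"},
                 {"authentication schemes": {"Read"}},
                 workspace={"realm:hr-portal"})
BROADER = Admin("hr-escalated", {"GUI", "local API"},
                {"authentication schemes": {"Read", "Propagate"}},
                workspace=None)

if __name__ == "__main__":
    for candidate in (NARROWER, BROADER):
        print(candidate.name, delegation_violations(CREATOR, candidate) or "allowed")
```
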

Create a Workspace

You create a workspace to define a subset of CA SiteMinder® objects for which a scoped administrator has administrative privileges.

Follow these steps:

  1. Log in to the Administrative UI using the CA SiteMinder® superuser or other administrator account with appropriate privileges.
  2. Click Administration, Administrator, Workspaces, Create Workspaces.

    The Create Workspace page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  3. Type the name and a description of the workspace in the fields in the General section.
  4. Add objects that define the required subset of policy data to the workspace in the Members section:

    Note: Some commonly used objects are added to the workspace and appear in the Members list by default; you can remove them if necessary.

    1. Click Lookup.

      The Select Workspace Contents page appears.

    2. Select the type of objects that you want to add to the workspace from the Search for objects of type drop-down menu. Optionally, narrow the search to specific objects by Name or Description (or both).
    3. Click Search.

      A list of matching objects appears.

      Note: If the administrator account with which you are logged in is itself scoped, the list of matching objects is limited to those objects available to you.

    4. Select the object or objects you want to add to your workspace and click Select.

      The Create Workspace page reopens.

  5. (Optional) Set administrator privileges for workspace members to read-only by setting the corresponding Read-Only check boxes.
  6. Click Submit.

    The Create Workspace task is submitted for processing. CA SiteMinder® verifies that the workspace is consistent (all required objects that are related to objects in the workspace are present in the workspace). If not, the missing objects are added and an information dialog appears indicating that some objects were automatically added to make the workspace consistent.
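Because the consistency check can add objects you did not select, the effective scope of a workspace may be wider than the Members list you built. The following Python sketch is an added illustration, not CA SiteMinder® code: it models the check as a transitive closure over a dependency map and reports what was auto-added. The `REQUIRES` map, the object names, and `make_consistent` are constructed for the example and do not reflect the product's actual dependency rules.

```python
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

# Constructed dependency map: object -> objects it requires (illustrative only).
REQUIRES: Dict[str, List[str]] = {
    "realm:hr-portal": ["domain:hr", "agent:hr-web", "authscheme:basic"],
    "domain:hr": ["userdir:corp-ldap"],
    "realm:finance": ["domain:finance", "agent:fin-web", "authscheme:basic"],
    "domain:finance": ["userdir:corp-ldap"],
    "agent:hr-web": [],
    "agent:fin-web": [],
    "authscheme:basic": [],
    "userdir:corp-ldap": [],
}


def make_consistent(selected: Iterable[str],
                    requires: Dict[str, List[str]]) -> Tuple[Set[str], List[str]]:
    """Close `selected` under `requires`.

    Returns (all members, objects added automatically in discovery order).
    Each object is visited once, so cyclic dependencies still terminate.
    """
    members = set(selected)
    auto_added: List[str] = []
    queue = deque(sorted(members))
    while queue:
        obj = queue.popleft()
        for dep in requires.get(obj, []):
            if dep not in members:
                members.add(dep)
                auto_added.append(dep)
                queue.append(dep)  # follow indirect requirements as well
    return members, auto_added


if __name__ == "__main__":
    members, added = make_consistent(["realm:hr-portal"], REQUIRES)
    print("effective scope:", sorted(members))
    print("auto-added (review before assigning):", added)
```

Reviewing the auto-added list before assigning the workspace shows the scope the administrator will actually receive, including objects shared with other applications (the user directory and authentication scheme in this constructed data).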

More information:

Limit Administrator Account Scope Using Workspaces Overview

Create an Administrator and Assign a Workspace

Create a scoped Administrator by creating an Administrator account and assigning a workspace that defines the scope of the objects that it can administer.

Follow these steps:

  1. Log in to the Administrative UI using the CA SiteMinder® superuser or other administrator account with appropriate privileges.
  2. Click Administration, Administrator.
  3. Click Administrators.

    The Administrators page appears.

  4. Click Create Administrator.

    The Create Administrator page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Click Lookup under General.

    The Select a User page appears.

  6. Specify search criteria and click Search.

    Users matching the specified criteria appear.

  7. Select the administrator you want and click Select.

    The full name of the user appears in the Name field. The URL to the user in the external store appears in the User Path field.

  8. Select a workspace that defines the subset of objects to which the Administrator is scoped from the Workspace drop-down list.
  9. Do one of the following:
  10. Specify how the administrator is permitted to interact with the Policy Server in the Access Methods section. Select as many methods as required for the administrator to perform tasks.

    Example: If an administrator is going to use the XPSImport and XPSExport tools, select Import Allowed and Export Allowed.

  11. Click Add in the Rights section.

    The Create Permission: Select security categories page appears.

  12. Select the security categories you want the administrator to manage and click OK.

    Note: Security categories comprise one or more tasks that correspond to specific CA SiteMinder® objects. For more information, see the Administrative UI online help system.

    The Create Administrator page reappears.

  13. Select the permissions (Read, Right, Modify, and Propagate) to apply to the security categories you added in the Rights section.
  14. Click Submit.

The scoped Administrator is created.

More information:

Limit Administrator Account Scope Using Workspaces Overview

Administrator Accounts

Verify that the Administrator is Scoped

After assigning a workspace to an Administrator account, verify that it only has access to the scoped subset of objects.

Follow these steps:

  1. Log in to the Administrative UI using the scoped Administrator account.
  2. Explore the Administrative UI to verify that only the scoped subset of objects in the workspace is visible.

You have completed the required tasks to create a scoped Administrator account.