Super User Creates Manager Admin
The super user is the administrator that was delegated system privileges when the connection to the external administrator user store was configured. The super user can assign all categories, rights, and scope to any other Administrator.
From the Administrative UI, the super user creates an administrator named Manager Admin. Initially, Manager Admin has no privileges until the super user assigns them.
The super user assigns the following to Manager Admin:
GUI Allowed
Security Category |
Scope |
Permissions* |
---|---|---|
Admin Administration |
All |
V, M |
Agent Administration |
All |
V, M |
Application Administration |
All |
V, M, P |
Policy Administration |
Domain 1 |
V, M, P |
* Permissions: View, Manage, Propagate, eXecute (only for executing reports)
Important! The Propagate permission allows one manager to assign the category to another administrator.
At this stage, the super user can change the permissions of the existing security categories.
Additional Privileges for Manager Admin
The super user wants to assign an additional permission to Manager Admin. Based on the categories already assigned to Manager Admin, the Security Category list from which the super user can select is slightly modified. All categories are displayed except the Agent and Admin Administration categories because they are already assigned to Manager Admin. Additionally, they cannot be assigned a scope so there is nothing that can be modified. The Admin Administration category is not displayed because the scope assigned is ALL so there is nothing to modify.
The only category still available from the original set of categories is Policy Administration. This category is available because it can be assigned a scope, which means that privileges can be applied to specific domains or applications. When the super user selects the Policy Administration category, the scope dialog displays a list that includes ALL as a selection and a complete list of domains, with the exception of Domain1. Manager Admin is already assigned Domain1.
Note: The Application Administration is a scoped category like Policy Administration. However, because ALL is defined as the scope for this category, there is no need to redisplay this category as a choice.
The super user selects Domain2, extending the permissions for Manager Admin across a second domain.
The permissions for Manager Admin are as follows:
Security Category |
Scope |
Permissions* |
---|---|---|
Admin Administration |
All |
V, M |
Agent Administration |
All |
V, M |
Application Administration |
All |
V, M, P |
Policy Administration |
Domain1 |
V, M, P |
Policy Administration |
Domain2 |
V, M, P |
* Permissions: View, Manage, Propagate, eXecute (only for executing reports)
Copyright © 2010 CA. All rights reserved. | Email CA about this topic |