Previous Topic: Administrator Use CaseNext Topic: Manager Admin Creates Junior Admin

Policy Server GuidesPolicy Server Configuration GuideAdministrative User Interface ManagementSiteMinder AdministratorsHow to Create an AdministratorAdministrator Use CaseSuper User Creates Manager Admin

Super User Creates Manager Admin

The super user is the administrator that was delegated system privileges when the connection to the external administrator user store was configured. The super user can assign all categories, rights, and scope to any other Administrator.

From the Administrative UI, the super user creates an administrator named Manager Admin. Initially, Manager Admin has no privileges until the super user assigns them.

The super user assigns the following to Manager Admin:

Access Method

GUI Allowed

Rights

Security Category

Scope

Permissions*

Admin Administration

All

V, M

Agent Administration

All

V, M

Application Administration

All

V, M, P

Policy Administration

Domain 1

V, M, P

* Permissions: View, Manage, Propagate, eXecute (only for executing reports)

Important! The Propagate permission allows one manager to assign the category to another administrator.

At this stage, the super user can change the permissions of the existing security categories.

Additional Privileges for Manager Admin

The super user wants to assign an additional permission to Manager Admin. Based on the categories already assigned to Manager Admin, the Security Category list from which the super user can select is slightly modified. All categories are displayed except the Agent and Admin Administration categories because they are already assigned to Manager Admin. Additionally, they cannot be assigned a scope so there is nothing that can be modified. The Admin Administration category is not displayed because the scope assigned is ALL so there is nothing to modify.

The only category still available from the original set of categories is Policy Administration. This category is available because it can be assigned a scope, which means that privileges can be applied to specific domains or applications. When the super user selects the Policy Administration category, the scope dialog displays a list that includes ALL as a selection and a complete list of domains, with the exception of Domain1. Manager Admin is already assigned Domain1.

Note: The Application Administration is a scoped category like Policy Administration. However, because ALL is defined as the scope for this category, there is no need to redisplay this category as a choice.

The super user selects Domain2, extending the permissions for Manager Admin across a second domain.

The permissions for Manager Admin are as follows:

Security Category

Scope

Permissions*

Admin Administration

All

V, M

Agent Administration

All

V, M

Application Administration

All

V, M, P

Policy Administration

Domain1

V, M, P

Policy Administration

Domain2

V, M, P

* Permissions: View, Manage, Propagate, eXecute (only for executing reports)