Administrator Scope and Tasks

Each administrator has a scope (system objects and policy domains, or selected policy domains) and a set of tasks. Together, the scope and tasks determine the administrator's privileges. These privileges allow the administrator to use a set of Policy Server features.

The following table describes the privileges associated with each combination of administrator scope and task.

Administrator Scope

Tasks

Administrative Privilege

System

Manage System & Domain Objects

  • Create/edit/delete Agents, Agent Configuration Objects, Agent groups, Agent types, Host Configuration Objects, user directories, policy domains, authentication schemes, directory mappings, certificate mappings, registration schemes, and SQL Query Schemes.
  • Note: You cannot create or edit Trusted Host objects with this privilege; you can only delete them. To register Trusted Hosts, you must have the Register Trusted Hosts privilege.
  • Create/delete parent realms in all domains.
  • Create/edit/delete administrators.
  • Flush all caches, including cached resources.
  • Change global settings.
  • All privileges for Manage Domain Objects listed below.

Domains

Manage Domain Objects

  • In managed domains: create/edit/delete rules, rule groups, responses, response groups, policies.
  • Edit top-level realms in managed domains (not resource filters).
  • Create/edit/delete nested realms in managed domains.
  • Flush specific realms from the resource cache, and flush all resources (in privileged domains) from the cache.

System

Manage Keys and Password Policies

  • Create/edit/delete password policies.
  • Manage keys.

Domains

Manage Password Policies

  • Create/edit/delete password policies for users in directories attached to managed domains.

System

Manage Users

  • Flush all user session caches, or flush the user session cache of any individual user from any directory.
  • Enable/disable users in any directory.
  • Force password change on any user in any directory.

Domains

Manage Users

  • Flush user session caches for individual users in directories attached to managed domains.
  • Enable/disable users in directories attached to managed domains.
  • Force password change on users in directories attached to managed domains.

System

Register Trusted Hosts

  • Register Trusted Hosts
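
The following added example (not Policy Server code and not part of the original documentation) models a subset of the table above as data, so that an access review can ask who holds a given privilege. The object labels, the Admin class, and the allowed and holders functions are names assumed for this illustration, and the sample administrators are constructed.

```python
from dataclasses import dataclass, field

SYSTEM, DOMAINS = "System", "Domains"
CRUD = ("create", "edit", "delete")

def grants(actions, *objects):
    """Expand actions x object types into a set of (action, object) pairs."""
    return {(a, o) for a in actions for o in objects}

# Subset of the table; object names are shortened labels chosen for this example.
DOMAIN_OBJECTS = grants(CRUD, "rule", "response", "policy", "nested realm") | {
    ("edit", "top-level realm")}
USER_ACTIONS = grants(("enable", "disable", "force password change"), "user")
MATRIX = {
    (SYSTEM, "Manage System & Domain Objects"):
        grants(CRUD, "agent", "user directory", "policy domain", "administrator")
        | grants(("create", "delete"), "parent realm")
        | {("delete", "trusted host")}   # create/edit/register are not granted
        | DOMAIN_OBJECTS,                # "All privileges for Manage Domain Objects"
    (DOMAINS, "Manage Domain Objects"): DOMAIN_OBJECTS,
    (SYSTEM, "Manage Keys and Password Policies"):
        grants(CRUD, "password policy") | {("manage", "keys")},
    (DOMAINS, "Manage Password Policies"): grants(CRUD, "password policy"),
    (SYSTEM, "Manage Users"): USER_ACTIONS,
    (DOMAINS, "Manage Users"): USER_ACTIONS,
    (SYSTEM, "Register Trusted Hosts"): {("register", "trusted host")},
}

@dataclass
class Admin:
    name: str
    scope: str
    tasks: set
    domains: set = field(default_factory=set)  # managed domains (Domains scope only)

def allowed(admin, action, obj, domain=None):
    """True if the admin's scope and tasks grant (action, obj) in `domain`."""
    if admin.scope == DOMAINS and domain not in admin.domains:
        return False  # domain-scoped admins act only inside their managed domains
    return any((action, obj) in MATRIX.get((admin.scope, t), ()) for t in admin.tasks)

def holders(admins, action, obj, domain=None):
    """Names of every administrator who can perform (action, obj), for access reviews."""
    return sorted(a.name for a in admins if allowed(a, action, obj, domain))

# Constructed sample administrators, not taken from any real deployment.
ADMINS = [
    Admin("sysadmin", SYSTEM, {"Manage System & Domain Objects"}),
    Admin("hr-admin", DOMAINS, {"Manage Domain Objects", "Manage Users"}, {"HR"}),
    Admin("host-reg", SYSTEM, {"Register Trusted Hosts"}),
]
```

Listing the holders of privileges such as creating administrators or registering Trusted Hosts is a quick way to confirm that each one is assigned only where intended.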