As an Access Manager administrator, you can create delegated administrators to manage the following Access Manager components:
Individual Access Gateways or an Access Gateway cluster
Identity Server clusters
Policy containers
IMPORTANT:Delegated administrators are granted sufficient rights to compromise the security of the system. Hence, they must be trustworthy. For example, delegated administrators with view/modify rights to policy containers can implement a cross-site scripting attack by using the Deny Message in an Access Gateway authorization policy.
Delegated administrators are also granted rights to the LDAP server. They can access the configuration datastore with an LDAP browser. Access Manager does not log any modifications made with the LDAP browser.
By default, all users except the administrator are assigned no rights to the policy containers and the devices. The administrator has all rights and cannot be configured to have less than all rights. The administrator is the only user who has the rights to delegate rights to other users, and the only user who can modify keystores, create certificates, and import certificates.
Configuration pages for delegated administrators control access to the Access Manager pages. They do not control access to the tasks available for the Manage Roles & Tasks view. If you want your delegated administrators to have rights to any of these tasks such as Directory Administration or Groups, you must use eDirectory methods to grant the user rights to these tasks or enable and configure Role-Based Services in iManager.
To create a delegated administrator, perform the following steps:
In Administration Console Dashboard, click <user name> at the top right of the page > Manage Roles & Tasks.
(Optional) If you want to create a container for your delegated administrators, click Directory Administration > Create Object, then create a container for the administrators.
To create the users, click Users > Create User and create user accounts for your delegated administrators. You can create the users based on the delegatedusers or policyviewusers context. For more information, see Creating Users.
In Administration Console Dashboard, click <user name> > Administrators.
Select the component you want to assign a user to manage.
For information about the types of rights you can assign for each component, see the following:
To assign all delegated administrators the same rights to a component, configure the All Users option. Available options include None, View Only, or View/Modify.
By default, All Users is configured for None. All Users is a quick way to assign View Only rights to a component when you want your delegated administrators to have only the view rights.
To select one or more users to assign rights, click Add, then specify the following details:
Name filter: Specify a string that you want the user’s cn attribute to match. The default value is an asterisk, which matches all cn values.
Search from context: Specify the context you want used for the search. Click the down-arrow to select from a list of available contexts.
Include subcontainers: Specifies whether subcontainers must be searched for users.
Click Query.
In User, select users to whom you want to grant the same rights.
In Access, select one of the following values:
View/Modify: Grants full configuration rights to the device. View/Modify rights do not grant the rights to manage keystores, to create certificates, or to import certificates from other servers or certificate authorities. View/Modify rights allow the delegated administrator to perform actions such as stop, start, and update the device.
If the assignment is to a policy container, this option grants the rights to create policies of any type and to modify any existing policies in the container
View Only: Grants the rights to view all the configuration options of the device or all rules and conditions of the policies in a container.
None: Prevents the user from seeing the device or the policy container.
In Device or Policy Containers, select the devices, clusters, or policy containers that you want to assign for delegated administration.
Click Apply.
The rights are immediately assigned to the selected users. This assignment overwrites any previous assignments.
After assigning rights to a user, check the user’s effective rights.
A user’s effective rights and assigned rights do not always match. For example, if Kim is granted View Only rights, but All Users have been granted View/Modify rights, Kim’s effective rights are View/Modify.