Delegating Administrator Privileges
OpenSSO Enterprise administrators are delegated responsibilities
based on privileges assigned to groups. A privilege is
an action that can be performed on a resource; for example, a READ
operation on a log. Privileges can be dynamically assigned to users
deemed administrators by creating a group, assigning to it the appropriate
privilege, and adding the appropriate user as a member of the group.
Note – For more information on groups, see Chapter 5, Creating Subjects.
Once a group is created, it appears under the realm's Privileges
tab. To add privileges, click the group name and assign the appropriate
operation. Members of the group can then perform the assigned
operation(s). The following privileges can be delegated.
- Read and write access to all configured agents delegates read and write
permissions for all configured agent profiles to an agent administrator.
- Read and write access to all log files delegates read and write
permissions for all log records to a log administrator.
Caution – OpenSSO Enterprise logging interfaces are public, so it is
possible that any authenticated user can read and write OpenSSO Enterprise
log records. The log administrator privileges prevent this abuse. Policy
agents, the main users of the logging interfaces, only require permission
to write log records, and should not be delegated the permission to
read them. Similarly, administrators who read log records should not
be delegated the permission to write to them.
- Read access to all log files delegates read permission for all log
records to a log administrator.
- Write access to all log files delegates write permission for all log
records to a log administrator.
- Read and write access only for policy properties delegates read and
write permissions for all policies and policy configurations to a policy
administrator. Policy administrators can create, modify and delete
policies, which consist of Rules, Subjects, Conditions and Response
Attributes.
Caution – In order to manage the policies themselves (not policy
configurations), a policy administrator needs permission to read the
identity data store(s) and should be delegated the Read and write access
to all realm and policy properties permission.
- Read and write access to all realm and policy properties delegates read
and write permissions for all realm configuration data to a realm
administrator. Realm administrators can create sub-realms, modify
configurations for the realm's services, and create, modify and delete
Users, Groups, and Agents.
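The delegation model described above (a privilege is an action on a resource, privileges are attached to a group, and a user acquires them only through membership) can be illustrated with a small Python model. This is an added example and not OpenSSO Enterprise code: the group names, user ids and the concrete (action, resource) pairs behind each console label are constructed here, and treating the realm privilege as including read access to the identity data store is an assumption drawn from the caution about policy administrators. The audit function encodes the two cautions: log read and log write should not sit in the same hands (agents write only, log readers read only), and a policy administrator without data store read access cannot manage policies themselves.

```python
"""Toy model of OpenSSO-style delegated administration (added example, not
OpenSSO code). Privileges are (action, resource) pairs bundled under the
console labels from the text, delegated to groups, and inherited by members."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

Privilege = Tuple[str, str]  # (action, resource), e.g. ("READ", "log")

# Console labels mapped to concrete pairs. The pairs are constructed for this
# model; including ("READ", "datastore") in the realm privilege is an
# assumption taken from the caution about policy administrators.
PRIVILEGE_SETS: Dict[str, FrozenSet[Privilege]] = {
    "Read and write access to all configured agents":
        frozenset({("READ", "agent"), ("WRITE", "agent")}),
    "Read and write access to all log files":
        frozenset({("READ", "log"), ("WRITE", "log")}),
    "Read access to all log files": frozenset({("READ", "log")}),
    "Write access to all log files": frozenset({("WRITE", "log")}),
    "Read and write access only for policy properties":
        frozenset({("READ", "policy"), ("WRITE", "policy")}),
    "Read and write access to all realm and policy properties":
        frozenset({("READ", "realm"), ("WRITE", "realm"),
                   ("READ", "policy"), ("WRITE", "policy"),
                   ("READ", "datastore")}),
}


@dataclass
class Group:
    name: str
    kind: str = "admin"                                  # "admin" or "agent"
    privileges: Set[str] = field(default_factory=set)   # labels from PRIVILEGE_SETS
    members: Set[str] = field(default_factory=set)      # user ids


class Realm:
    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}

    def create_group(self, name: str, kind: str = "admin") -> Group:
        self.groups[name] = Group(name, kind)
        return self.groups[name]

    def delegate(self, group: str, label: str) -> None:
        # An unknown label is a configuration error, not a silent no-op.
        if label not in PRIVILEGE_SETS:
            raise KeyError(f"unknown privilege: {label}")
        self.groups[group].privileges.add(label)

    def add_member(self, group: str, user: str) -> None:
        self.groups[group].members.add(user)

    @staticmethod
    def _expand(group: Group) -> Set[Privilege]:
        privs: Set[Privilege] = set()
        for label in group.privileges:
            privs |= PRIVILEGE_SETS[label]
        return privs

    def effective_privileges(self, user: str) -> Set[Privilege]:
        """Union of the privileges of every group the user belongs to."""
        out: Set[Privilege] = set()
        for g in self.groups.values():
            if user in g.members:
                out |= self._expand(g)
        return out

    def is_permitted(self, user: str, action: str, resource: str) -> bool:
        return (action, resource) in self.effective_privileges(user)

    def audit(self) -> List[str]:
        """Flag delegations that contradict the cautions in the text."""
        findings: List[str] = []
        for g in self.groups.values():
            privs = self._expand(g)
            if ("READ", "log") in privs and ("WRITE", "log") in privs:
                findings.append(f"{g.name}: holds both READ and WRITE on logs")
            if g.kind == "agent" and ("READ", "log") in privs:
                findings.append(f"{g.name}: agents only need to WRITE logs, not READ them")
            if ("WRITE", "policy") in privs and ("READ", "datastore") not in privs:
                findings.append(f"{g.name}: can edit policy properties but cannot read the "
                                "identity data store, so cannot manage policies themselves")
        return findings


def demo() -> Tuple[bool, bool, List[str]]:
    """Constructed realm: the recommended log split, plus one policy-admin mistake."""
    r = Realm()
    r.create_group("log-readers")
    r.delegate("log-readers", "Read access to all log files")
    r.add_member("log-readers", "alice")

    r.create_group("agents", kind="agent")
    r.delegate("agents", "Write access to all log files")
    r.add_member("agents", "webagent01")

    r.create_group("policy-admins")  # missing the realm privilege on purpose
    r.delegate("policy-admins", "Read and write access only for policy properties")
    r.add_member("policy-admins", "bob")

    return (r.is_permitted("alice", "READ", "log"),
            r.is_permitted("alice", "WRITE", "log"),
            r.audit())


if __name__ == "__main__":
    print(demo())
```

Running the module shows alice can read but not write logs, and the audit reports only the policy-admins group, which would need the realm privilege added before bob could manage policies.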
Note – If you have upgraded Access Manager from version 7.0 to OpenSSO
Enterprise, the privilege configuration differs from that of a fresh
installation. To assign or modify privileges, click the name of the role or
group you wish to edit and select from the following:
- Read only access to data stores defines read access privileges to data
stores. This privilege definition is for use only with Read and write
access only for policy properties to control delegation for policy
administrators.
- Read and write access to all log files defines both read and write
permission to log records for log administrators.
- Write access to all log files defines write permission to log records
for log administrators.
- Read access to all log files defines only read permission to log records
for log administrators.
- Read and write access only for policy properties defines read and write
permission regarding policies and policy configurations for policy
administrators.
- Read and write access to all realm and policy properties defines read and
write permissions to all realm configuration data for realm administrators.
- Read only access to all properties and services defines read permission
to all properties and services. This privilege definition is for use only
with Read and write access only for policy properties to control
delegation for policy administrators.