Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Delegating Administration Roles

Subject

Delegating administration roles consists of copying all or part of your own administration role to another user.

IMPORTANT: In software protection mode, if you have authenticated with a "security module" card, you do not have to transfer your administration keys to your delegate's smart card.

NOTE: For more details on the administration role inheritance mechanisms, see Administration Role Inheritance.
Before starting

Check that you meet the following requirements:

  • The user to whom you want to delegate your administration profiles must be created in the directory.
  • You must have at least the following administration role:
    • In classic administration mode: "Authorize propagation of administration rights" plus one of the following profiles: "Security object administrator", "Access administrator" or "Rights administrator".
    • In advanced administration mode: your role must contain the following administration rights: "Administration profile: Delegation" and "Directory: Browsing".
  • In software protection mode, the user to whom you want to delegate administration profiles must have authenticated to the SSO Engine or to Authentication Manager at least once.
Restrictions
  • You cannot delegate Organizational Units that are outside your administration perimeter.
  • The delegation procedure does not allow you to create additional super administrators: even if the primary administrator delegates the complete set of administration rights listed in the console, some rights relating to the general configuration of the product are never delegated. To add a super administrator, see Adding/Removing Primary Administrators.

Procedure

  1. In the tree structure of the Directory panel, select the user to whom you want to delegate your administration role.
  2. In the Administration tab, click Delegate.
    • The tab is automatically filled in with your administration role attributes; the selected user now holds a copy of your administration role.

Figure: Classic administration mode

Figure: Advanced administration mode

  3. If you want to modify the delegated administration role, edit this tab as explained in the following Administration Tab Description section.
  4. Click Apply.
Administration Tab Description
  • Administered organization(s) area:

    Modify the administration perimeter, by adding or removing Organizational Units (OU) using the Add and Remove buttons.

    NOTE:

    • For a complete visibility, select the directory root.

    • You can add as many OU as required.

  • Administration restrictions for this administrator area:
    • Managed users restrictions button:

      This button allows you to restrict the set of users the administrator can manage.

      By default, the Managed users area is empty, which means the administrator can manage all the people registered in the administered organizations. To restrict the users the delegate may administer, add to this area the groups and organizational units of the administration perimeter that contain those users, using the Add and Remove buttons.

  • Audit visibility restrictions button:

    If the selected user is an Auditor administrator or has the "Audit: Visualization" administration right (advanced administration mode), this button allows you to define the population the administrator has the right to audit.

    By default, the Audit populations area is empty, which means the administrator can audit all the objects of the directory.
    To restrict the population to audit, use one of the following buttons:

    • Select button: this button displays the list of audit populations that have already been defined in User Access Console (for more information, see Defining an audit population).
      Select the audit populations to which you want to restrict the auditor right and click OK.
      The selected populations appear in the Audit Populations area.
    • Browse button: this button allows you to select the group, organization or directory to which you want to restrict the auditor right.
      Use the Browse tab to browse the directory tree structure or use the Search tab to find the group/organization/directory according to its name, and click OK.
      If the selected object is not already marked as an audit population, a dialog box allows you to directly mark it.
      The selected population appears in the Audit Populations area.
  • Administration role area:
    • In classic administration mode:
      Select the check boxes corresponding to the administration profiles you want to delegate to the user (for more details on existing administration profiles, see Section The Classic Administration Mode).
    • In advanced administration mode:
      Select the administration profiles you want to assign to the user by using the Add and Remove buttons.
      To create a new administration profile, see Section Creating/Editing an Administration Profile.
  • Change administration profile area:
    • Delegate button: use this button to copy all or part of your administration role to a user.
    • Transfer button: use this button to transfer an administration role to another user; for more details, see Section Transferring an Administration Role.
    • Delete button: use this button to delete an administration role; for more details, see Section Deleting an Administration Role.
    • Set Parent Administrator button: by default, the parent administrator is the administrator who delegates his administration rights. To set another parent administrator, click Set Parent Administrator. For more details, see Section Modifying the Parent Administrator.

  • Audit area (advanced administration mode only):

    Assign an audit filter to the selected administrator, as explained in Section Applying an audit filter to specific objects.

Managing Administration Profiles

An administration profile is a set of administration rights. When EAM Console is used in advanced administration mode, you can define your own administration profiles by selecting a set of administration rights.

NOTE: This functionality is only available if you use EAM Console in advanced administration mode.

In this section: Creating/Editing an Administration Profile; Deleting an Administration Profile.

Creating/Editing an Administration Profile

Subject

This section explains how to create or modify an administration profile.

Before starting
  • To add an administration right to an administration profile, you must either hold this right yourself or hold the "User administration profile: administration rights manager" right.
  • To perform the task described in this section, your role must contain the following administration rights: "Administration profile: Delegation", "Administration profile: Creation/Modification" and "Directory: Browsing".

Procedure

  1. In the tree structure of the Directory panel, select the user for which you want to create or modify an administration profile.
  2. In the Administration tab, in the Administration profiles area, click the Add button.
    • The administration profile selection window appears.
  3. Do one of the following operations, depending on the action you want to perform:
    • To create a new profile, click the Add button.
    • To modify an existing profile, select the wanted profile and click the Edit button.

    The Administration profile edition window appears.

  4. In the Administration profile name field, type a name for the administration profile you are creating or modifying.
  5. Set the scope (Managed organization) of the administration profile (optional) and use the Add and Remove buttons to select the administration rights you want to add to the profile, as explained in the following Window description section.
Window description

This section describes the administration profile edition window.

Interface element: description

  • Profile name: Name of the administration profile you are creating or modifying.
  • Additional organization (optional): Scope of the administration profile, that is, all the objects on which the administration profile applies. This field allows you to define the organizations that are assigned to the administrator at the same time as the administration profile. The browse button allows you to browse the directory or to run a search request to select the perimeter of the administration profile. The Clear button removes the selected organization from the field.
  • Administration rights: List of all available EAM administration rights that you can add to the administration profile. All rights are written in the following format:
    <object or authorization name>: <right name>
  • Administration rights granted by this profile: List of the administration rights that will be assigned to the administrator. IMPORTANT: you cannot add to the profile an administration right that you do not already own (unless you hold the "User administration profile: administration rights manager" right; see Before starting above).
  • Add button: Adds the selected administration right to the administration profile.
  • Delete button: Removes the selected administration right from the administration profile.
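The rules that both the Restrictions list of the delegation procedure and this window enforce (delegated rights must be owned by the delegator, delegated OUs must lie inside the delegator's perimeter, managed-user restrictions must lie inside the delegated perimeter, and product-wide configuration rights are never delegated) are easy to get wrong when scripting bulk delegations, so here they are modelled as a checkable policy. This is an added example written for this page, not code from One Identity or from EAM Console. It assumes nothing about the product's internals: the right names follow the page's "<object or authorization name>: <right name>" format, but the rights catalogue, the reserved-rights set, the administrator DNs and the sample requests are constructed for illustration.

```python
"""
Model of the delegation rules described on this page (added example, not
One Identity code). A delegate may receive only rights the delegator already
holds, only OUs inside the delegator's administration perimeter, managed-user
restrictions only inside the delegated perimeter, and never the rights
reserved to primary administrators. Names, DNs and rights are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed name for the rights the page says are never delegated ("some rights
# relating to the general configuration of the product").
RESERVED_RIGHTS = frozenset({"Configuration: Product settings"})

# Rights an advanced-mode delegator must hold before delegating (from the page).
DELEGATION_PREREQUISITES = ("Administration profile: Delegation",
                            "Directory: Browsing")


def parse_right(text: str) -> tuple[str, str]:
    """Split '<object or authorization name>: <right name>' into its two parts."""
    obj, sep, right = text.partition(": ")
    if not sep or not obj.strip() or not right.strip():
        raise ValueError(f"malformed administration right: {text!r}")
    return obj.strip(), right.strip()


def _dn_parts(dn: str) -> list[str]:
    # Simplified DN handling: escaped commas (RFC 4514) are not supported.
    return [p.strip().lower() for p in dn.split(",")]


def dn_within(child: str, parent: str) -> bool:
    """True if `child` is `parent` itself or lies anywhere beneath it."""
    c, p = _dn_parts(child), _dn_parts(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


@dataclass(frozen=True)
class AdminRole:
    name: str                            # DN of the administrator
    rights: frozenset[str]
    perimeter: tuple[str, ...]           # administered organizations (OU DNs)
    managed_users: tuple[str, ...] = ()  # empty = every user in the perimeter
    parent: str | None = None            # parent administrator


def check_delegation(delegator: AdminRole, requested: AdminRole) -> list[str]:
    """Return the reasons `requested` cannot be delegated by `delegator` (empty = allowed)."""
    problems = []
    for req in DELEGATION_PREREQUISITES:
        if req not in delegator.rights:
            problems.append(f"delegator lacks prerequisite right {req!r}")
    for right in requested.rights:
        parse_right(right)  # reject malformed names early
        if right in RESERVED_RIGHTS:
            problems.append(f"{right!r} is reserved to primary administrators")
        elif right not in delegator.rights:
            problems.append(f"delegator does not own {right!r}")
    for ou in requested.perimeter:
        if not any(dn_within(ou, p) for p in delegator.perimeter):
            problems.append(f"{ou!r} is outside the delegator's perimeter")
    for entry in requested.managed_users:
        if not any(dn_within(entry, p) for p in requested.perimeter):
            problems.append(f"managed-users entry {entry!r} is outside the delegated perimeter")
    return problems


def delegate(delegator: AdminRole, requested: AdminRole) -> AdminRole:
    """Apply the delegation; the parent administrator defaults to the delegator."""
    problems = check_delegation(delegator, requested)
    if problems:
        raise PermissionError("; ".join(problems))
    return AdminRole(requested.name, requested.rights, requested.perimeter,
                     requested.managed_users, parent=requested.parent or delegator.name)


# Constructed sample data.
DELEGATOR = AdminRole(
    name="cn=alice,ou=IT,dc=example,dc=com",
    rights=frozenset({*DELEGATION_PREREQUISITES,
                      "Administration profile: Creation/Modification",
                      "Audit: Visualization",
                      "User: Password reset",            # assumed right name
                      "Configuration: Product settings"}),
    perimeter=("ou=Sales,dc=example,dc=com",),
)

VALID_REQUEST = AdminRole(
    name="cn=bob,ou=EMEA,ou=Sales,dc=example,dc=com",
    rights=frozenset({"Directory: Browsing", "User: Password reset"}),
    perimeter=("ou=EMEA,ou=Sales,dc=example,dc=com",),
    managed_users=("cn=SalesReps,ou=EMEA,ou=Sales,dc=example,dc=com",),
)

BAD_REQUEST = AdminRole(
    name="cn=mallory,ou=Finance,dc=example,dc=com",
    rights=frozenset({"Configuration: Product settings",  # reserved
                      "Smart card: Unblocking"}),          # not owned (assumed name)
    perimeter=("ou=Finance,dc=example,dc=com",),           # outside the perimeter
)

if __name__ == "__main__":
    print(check_delegation(DELEGATOR, VALID_REQUEST))  # []
    print(delegate(DELEGATOR, VALID_REQUEST).parent)   # alice's DN
    for problem in check_delegation(DELEGATOR, BAD_REQUEST):
        print("refused:", problem)
```

The check deliberately reports every violation rather than stopping at the first, which is what you want when reviewing a batch of delegations; selecting the directory root as the delegator's perimeter makes `dn_within` accept any OU, matching the page's "for a complete visibility, select the directory root" note.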

Deleting an Administration Profile

Subject

This section explains how to delete an administration profile. You can delete an administration profile even if you have not created it.

Before starting

To be able to perform the task described in this section, you must have the following administration right: "Administration profile: Deletion".

Procedure

  1. In the tree structure of the Directory panel, select the user for which you want to delete an administration profile.
  2. In the Administration tab, in the Administration profiles area, click the Add button.
    • The administration profile selection window appears.
  3. Select the profile you want to delete and click Delete.