Delegating Administration Roles
Delegating administration roles consists of copying all or part of your own administration role to another user.
|IMPORTANT: In software protection mode, if you have authenticated with a "security module" card, you do not have to transfer your administration keys to your delegate's smart card.|
Check that you meet the following requirements:
- The user to whom you want to delegate your administration profiles must be created in the directory.
- You must have at least the following administration role:
  - In classic administration mode: "Authorize propagation of administration rights" and one of the following profiles: "Security object administrator", "Access administrator" or "Rights administrator".
  - In advanced administration mode, your role must contain the following administration rights: "Administration profile: Delegation" and "Directory: Browsing".
- In software protection mode, the user to whom you want to delegate administration profiles must have authenticated to the SSO Engine or to Authentication Manager at least once.
- You cannot delegate Organizational Units that are outside your administration perimeter.
- The delegation procedure does not let you create additional super administrators: even if the primary administrator delegates the complete set of administration rights listed in the console, some rights relating to the general configuration of the product are never delegated. To add a super administrator, see Adding/Removing Primary Administrators.
- In the tree structure of the Directory panel, select the user to whom you want to delegate your administration role.
- In the Administration tab, click Delegate.
- The tab is automatically filled in with your own administration role attributes: the selected user now has an administration role.
- If you want to modify the delegated administration role, modify this tab as explained in the following Administration Tab Description section.
- Click Apply.
Administration Tab Description
- Administration restrictions for this administrator area:
- Managed users restrictions button:
This button allows you to restrict the number of users the administrator can manage.
By default, the Managed users area is empty. It means the administrator can manage all the people registered in the administered organizations. To restrict the number of users to administer, define in this area the groups and organizational units of the administration perimeter containing the users to administer, by using the Add and Remove buttons.
- Audit visibility restrictions button:
If the selected user is an Auditor administrator or has the "Audit: Visualization" administration right (advanced administration mode), this button allows you to define the population the administrator has the right to audit.
By default, the Audit populations area is empty. It means the administrator can audit all the objects of the directory.
To restrict the number of users to audit, use one of the following buttons:
- Select button: this button displays the list of audit populations that have already been defined in User Access Console (for more information, see Defining an audit population).
Select the audit populations to which you want to restrict the auditor right and click OK.
The selected populations appear in the Audit Populations area.
- Browse button: this button allows you to select the group, organization or directory to which you want to restrict the auditor right.
Use the Browse tab to browse the directory tree structure or use the Search tab to find the group/organization/directory according to its name, and click OK.
If the selected object is not already marked as an audit population, a dialog box allows you to directly mark it.
The selected population appears in the Audit Populations area.
- Administration role area:
- In classic administration mode:
Select the check boxes corresponding to the administration profiles you want to delegate to the user (for more details on existing administration profiles, see Section The Classic Administration Mode).
- In advanced administration mode:
Select the administration profiles you want to assign to the user by using the Add and Remove buttons.
To create a new administration profile, see Section Creating/Editing an Administration Profile.
Managing Administration Profiles
An administration profile is a set of administration rights. EAM Console used in advanced administration mode lets you define your own administration profiles by selecting a set of administration rights.
|NOTE: This functionality is only available if you use EAM Console in advanced administration mode.|
Creating/Editing an Administration Profile
This section explains how to create or modify an administration profile.
- To add an administration right to the administration profile, you must either own that right yourself or own the "User administration profile: administration rights manager" right.
- To perform the task described in this section, your role must contain the following administration rights: "Administration profile: Delegation", "Administration profile: Creation/Modification" and "Directory: Browsing".
- In the tree structure of the Directory panel, select the user for which you want to create or modify an administration profile.
- In the Administration tab, in the Administration profiles area, click the Add button.
- The administration profile selection window appears.
- Do one of the following operations, depending on the action you want to perform:
- To create a new profile, click the Add button.
- To modify an existing profile, select the wanted profile and click the Edit button.
The Administration profile edition window appears.
- In the Administration profile name field, type a name for the administration profile you are creating or modifying.
- Set the scope (Managed organization) of the administration profile (optional) and use the Add and Remove buttons to select the administration rights you want to add in the profile, as explained in the following Window description section.
Window Description
This section describes the administration profile edition window.
- Administration profile name: name of the administration profile you are creating or modifying.
- Additional organization (optional): scope of the administration profile, that is, all the objects to which the administration profile applies. This field allows you to define the organizations that are assigned to the administrator at the same time as the administration profile. The button next to the field allows you to browse the directory or to run a search request to select the perimeter of the administration profile. The Clear button removes the selected organization from the field.
- List of available administration rights: all the EAM administration rights that you can add to the administration profile. All rights are written in the following format:
  <object or authorization name>: <right name>
- Administration rights granted by this profile: list of administration rights that will be assigned to the administrator.
  |IMPORTANT: you cannot add to the profile an administration right that you do not already own.|
- Add button: adds the selected administration right to the administration profile.
- Remove button: removes the selected administration right from the administration profile.
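The delegation and profile-editing rules stated on this page (a delegate only receives rights the delegator owns, organizational units outside the delegator's perimeter cannot be delegated, some general-configuration rights are never delegated, and a right can be added to a profile only by someone who owns it or holds the "administration rights manager" right) can be checked mechanically. The following is an added, illustrative Python model and is not EAM Console code: the right names are the ones quoted on this page except "Access: Something" and the general-configuration right, which are constructed placeholders, and the DN-suffix test for perimeter containment is an assumption about how organizational-unit membership is evaluated.

```python
"""Illustrative model (not EAM Console code) of the delegation rules stated on this page."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Right:
    """An administration right in the page's "<object or authorization name>: <right name>" format."""
    obj: str
    name: str

    @classmethod
    def parse(cls, text: str) -> "Right":
        obj, sep, name = text.partition(":")
        if not sep or not obj.strip() or not name.strip():
            raise ValueError(f"malformed right: {text!r}")
        return cls(obj.strip(), name.strip())

    def __str__(self) -> str:
        return f"{self.obj}: {self.name}"


# Right names quoted on the page.
DELEGATION_RIGHT = Right.parse("Administration profile: Delegation")
BROWSING_RIGHT = Right.parse("Directory: Browsing")
RIGHTS_MANAGER_RIGHT = Right.parse("User administration profile: administration rights manager")

# Constructed placeholder: the page says some general-configuration rights are never
# delegated but does not name them, so this stands in for that set.
NON_DELEGABLE_RIGHTS = {Right.parse("Product configuration: General settings (PLACEHOLDER)")}


@dataclass
class AdminRole:
    rights: set[Right]
    perimeter: set[str]  # DNs of the organizational units the administrator may manage


def dn_within(child: str, ancestor: str) -> bool:
    """Assumed containment test: child DN equals ancestor or ends with it (case-insensitive RDNs)."""
    c = [rdn.strip().lower() for rdn in child.split(",")]
    a = [rdn.strip().lower() for rdn in ancestor.split(",")]
    return len(c) >= len(a) and c[len(c) - len(a):] == a


def delegate(delegator: AdminRole, requested_rights: list[str], requested_ous: list[str]) -> AdminRole:
    """Build the delegate's role, or raise PermissionError naming the rule that blocks it."""
    # Advanced-mode prerequisite from the page: delegation plus directory browsing.
    if not {DELEGATION_RIGHT, BROWSING_RIGHT} <= delegator.rights:
        raise PermissionError("delegator lacks 'Administration profile: Delegation' or 'Directory: Browsing'")
    granted: set[Right] = set()
    for text in requested_rights:
        right = Right.parse(text)
        if right in NON_DELEGABLE_RIGHTS:
            continue  # dropped: never copied to a delegate, even by the primary administrator
        if right not in delegator.rights:
            raise PermissionError(f"cannot delegate a right you do not own: {right}")
        granted.add(right)
    for ou in requested_ous:
        if not any(dn_within(ou, p) for p in delegator.perimeter):
            raise PermissionError(f"organizational unit outside your administration perimeter: {ou}")
    return AdminRole(granted, set(requested_ous))


def profile_rights_allowed(owner: AdminRole, profile_rights: list[str]) -> bool:
    """Rule for creating/editing a profile: each right must be owned, unless the owner is a rights manager."""
    if RIGHTS_MANAGER_RIGHT in owner.rights:
        return True
    return all(Right.parse(t) in owner.rights for t in profile_rights)


def demo() -> set[str]:
    """Constructed scenario: delegate audit visibility over one OU; the placeholder config right is dropped."""
    delegator = AdminRole(
        rights={DELEGATION_RIGHT, BROWSING_RIGHT, Right.parse("Audit: Visualization")},
        perimeter={"o=acme"},
    )
    role = delegate(
        delegator,
        ["Audit: Visualization", "Product configuration: General settings (PLACEHOLDER)"],
        ["ou=Sales,o=acme"],
    )
    return {str(r) for r in role.rights}


if __name__ == "__main__":
    print(sorted(demo()))
```

The point of the model is that the checks are made against the delegator's own role, not against the console's full catalogue of rights: a delegate can never end up with more than the person who delegated to them, and the perimeter check keeps scope from widening as roles are passed down.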
Deleting an Administration Profile
This section explains how to delete an administration profile. You can delete an administration profile even if you have not created it.
To perform the task described in this section, you must have the following administration right: "Administration profile: Deletion".
- In the tree structure of the Directory panel, select the user for which you want to delete an administration profile.
- In the Administration profile tab, in the Administration role area, click the Add button.
- The administration profiles selection window appears.
- Select the profile you want to delete and click Delete.