The Delegation plug-in works together with the Identity Repository plug-in to determine a network administrator's scope of privileges. Default administrator roles are defined in the Identity Repository plug-in. The Delegation plug-in forms rules that describe the scope of privileges for each network administrator and specifies the roles to which each rule applies. The following table lists the roles defined in the Identity Repository and the default rule the Delegation plug-in applies to each role.
Table 1–5 Access Manager Roles and Scope of Privileges

| Identity Repository Role | Delegation Rule |
|---|---|
| | Can access all data in all realms of the Access Control information tree. |
| | Can access all data within a specific realm of the Access Control information tree. |
| | Can access all policies in all realms of the Access Control information tree. |
| | Can access policies only within the specific realm of the Access Control information tree. |
The Authentication Service and the Policy Service use the aggregated role and rule data to perform authentication and authorization. The Delegation plug-in code is not public in Access Manager.
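The following is an added illustrative model of how the four delegation rules in Table 1–5 scope an administrator's privileges over a realm tree; it is not Access Manager's own Delegation plug-in code (which is not public) and the rule identifiers, administrator names and realm paths are constructed for the example. It assumes that "within a specific realm" also covers that realm's subrealms, and that an "all data" rule covers policies while a "policies" rule covers only policies.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed identifiers for the four delegation rules listed in Table 1-5.
# Access Manager's own rule and role names are not given on the page.
ALL_DATA_ALL_REALMS = "all-data-all-realms"
ALL_DATA_ONE_REALM = "all-data-one-realm"
ALL_POLICIES_ALL_REALMS = "all-policies-all-realms"
POLICIES_ONE_REALM = "policies-one-realm"

REALM_SCOPED = {ALL_DATA_ONE_REALM, POLICIES_ONE_REALM}
POLICY_ONLY = {ALL_POLICIES_ALL_REALMS, POLICIES_ONE_REALM}


@dataclass(frozen=True)
class Assignment:
    """One administrator's role, expressed as the delegation rule that role maps to.
    `realm` is required for realm-scoped rules and ignored for the others."""
    admin: str
    rule: str
    realm: Optional[str] = None


def normalize_realm(realm: str) -> str:
    """Canonical realm path: leading slash, no trailing slash ('/' is the top-level realm)."""
    parts = [p for p in realm.strip().split("/") if p]
    return "/" + "/".join(parts)


def realm_within(target: str, scope: str) -> bool:
    """Assumption: a rule scoped to `scope` covers that realm and all of its subrealms."""
    target, scope = normalize_realm(target), normalize_realm(scope)
    if scope == "/":
        return True
    # The trailing slash keeps '/salesforce' from matching a scope of '/sales'.
    return target == scope or target.startswith(scope + "/")


def rule_allows(assignment: Assignment, realm: str, kind: str) -> bool:
    """Does this single assignment grant access to `kind` ('policy' or 'data') in `realm`?
    Assumption: 'all data' rules also cover policies; 'policies' rules cover only policies."""
    if assignment.rule in POLICY_ONLY and kind != "policy":
        return False
    if assignment.rule in REALM_SCOPED:
        if assignment.realm is None:
            raise ValueError(f"rule {assignment.rule} requires a realm")
        return realm_within(realm, assignment.realm)
    return True


def authorize(assignments: Iterable[Assignment], admin: str, realm: str, kind: str) -> bool:
    """Aggregate an administrator's assignments: access is granted if any one rule allows it,
    and denied by default when no rule matches (least privilege)."""
    return any(rule_allows(a, realm, kind) for a in assignments if a.admin == admin)


# Constructed sample assignments over a realm tree of / -> /sales -> /sales/emea and /hr.
SAMPLE_ASSIGNMENTS = [
    Assignment("alice", ALL_DATA_ALL_REALMS),
    Assignment("bob", ALL_DATA_ONE_REALM, realm="/sales"),
    Assignment("carol", ALL_POLICIES_ALL_REALMS),
    Assignment("dave", POLICIES_ONE_REALM, realm="/sales/emea"),
]

if __name__ == "__main__":
    checks = [
        ("bob", "/sales/emea", "data"),    # subrealm of bob's realm: allowed
        ("bob", "/hr", "data"),            # outside bob's realm: denied
        ("dave", "/sales", "policy"),      # parent of dave's realm: denied
        ("carol", "/hr", "data"),          # policy-only rule, non-policy data: denied
    ]
    for admin, realm, kind in checks:
        print(f"{admin:6} {realm:12} {kind:7} -> {authorize(SAMPLE_ASSIGNMENTS, admin, realm, kind)}")
```

The deny-by-default in `authorize` is the property worth checking in any delegation model: an administrator with no matching rule gets nothing, and a realm-scoped rule never reaches sideways into a sibling realm or upward into a parent.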