11 Delegating With Administrator Roles

System administrative rights and policy management permissions can be delegated from one administrator to another by creating Administrator Roles with restricted rights, or by granting an existing Administrator Role to a user or existing External Role. This chapter documents information on how to delegate policy and system administrative tasks. It contains the following sections:

11.1 About Delegated Administrators

Administration is when one or more authorized rights are granted to someone to do a certain job. Delegation is the ability for that someone to transfer the authorized right that has been granted them to another. In combination, we can define delegating administration as the transference of authorized rights from one to another. In Oracle Entitlements Server, administrators who are authorized to perform a task on policy objects and entities may transfer this right to others using Administration Roles. Administration Roles consist of a subject (the person to whom the role is granted), the resources (the objects to which the role pertains) and actions (view, manage/modify).

Note:

See Section 1.5.1, "Role-based Access Control (RBAC)" for more details on roles.

Oracle Entitlements Server allows you to define delegating Administrator Roles by assigning Administration Privileges, and mapping external roles and users, to it. When a user is logged in as an Administrator, the Navigation Panel displays only the set of Applications the logged in user is authorized to administer. In point of fact, all objects that a delegating Administrator cannot administer are hidden. Any nondefault delegating Administrator Role can perform management operations if it is granted the Admin Role with VIEW and MANAGE privileges.

Note:

A nondefault Administrator Role is any Administrator Role created manually. This would not include Administrator Roles automatically created when you create an Application or a Policy Domain.

The following restrictions also apply to Administrator Roles.

  • Non-system level (delegating) Administration Roles can only manage other Administration Roles within its scope. For example, an Administration Role created for Application1 can manage Administration Roles in Application 1 Policy Domains but cannot manage peer Administration Roles in Application1, or any roles in Application2 and its Policy Domains. Scope and granularity are discussed further in Chapter 11, "Delegating Using Scope and Granularity."

  • System level Administration Roles (as discussed in Chapter 10, "Managing System Configurations") can manage delegating Administration Roles in any Application or Policy Domain.

  • Nondefault Administration Roles (again, created manually) cannot manage default Administration Roles in any Application or Policy Domain.

11.2 Delegating Using Scope and Granularity

Delegated administration is all about transferring management of resources and policy objects from one person to another. The scope of the delegation (or range of objects covered by the delegation) is defined in levels. The granularity of administration defines the type of objects managed at each scope. A default Administration Role is automatically created when each scope is created; additional Administration Roles can be created later.

Note:

The following is applicable to all default Administration Roles.

  • Default Administrator Roles cannot be deleted individually.

  • If a Policy Domain is deleted, all Administration Roles (including the default) are deleted.

  • If the Application is deleted, all Administration Roles are deleted.

  • Privileges assigned to default Administrator Roles cannot be modified.

From highest to lowest, the scopes and applicable granularity are as follows:

  • The top-level SystemAdmin has privileges to manage system-level resources as well as all policy-related objects. System resources include Administrator Roles, system configurations and Security Module bindings. Policy objects include the Application objects.

    Note:

    System Administrators have rights to all policy objects, including all Application objects and child Policy Domains but they are primarily intended to manage configurations, Application objects, and the bindings between the two.

    Information on managing system level Administrator Roles is in Chapter 10, "Managing System Configurations."

  • Application administrators have privileges to manage all objects in the Application to which they are assigned. One ApplicationPolicyAdmin is generated for each Application that is created. They are primarily intended to delegate the management of policy objects within the Application (including the Policy Domains and its children, such as Functions, Attributes, Application Roles and Resource Types). For more information, see Section 11.3, "Delegating Application Administration."

  • Policy Domain administrators have privileges to manage all child objects in the Policy Domain to which they are assigned. One PolicyDomainAdmin is generated for each Policy Domain that is created. They are primarily created to delegate the management of policies, permissions and resources within a Policy Domain. For an overview of this concept, see Section 11.4, "Using Policy Domains to Delegate." For additional information, see Section 11.5, "Delegating Policy Domain Administration."

11.3 Delegating Application Administration

The following sections explain how to manage administrators for an Application.

11.3.1 Adding a Delegated Administrator for An Application

This procedure documents how to create a new Administrator Role and assign it to the applicable roles or users. To add a delegated administrator to an Application, proceed as follows.

  1. Expand the Applications node in the Navigation Panel.

  2. Select the Application to modify.

  3. Right-click the Application name and select Open from the menu.

    The General, Delegated Administrators, Policy Distribution and Simulation tabs are all active.

  4. Click the Delegated Administrators tab.

    The Application name is listed in the displayed table. Click the arrow next to the Application name to see the default ApplicationPolicyAdmin created when the Application object was created. Click the Administrator Role name to display its details, in tabs, below the Delegated Administrators table.

    • Role Details

    • External Role Mapping

    • External User Mapping

  5. Click New to create a new Administrator Role.

    Be sure to select the name of the Application to activate New. Alternately, select the Application and select New from the Actions menu. A New Administrator Role dialog is displayed.

  6. Provide the following values for the new Administrator Role and click OK.

    • Name: The entry must be a unique.

    • Display Name

    • Description

  7. Select the new Administrator Role to activate its configuration tabs.

    The Role Details tab is active.

  8. Click Edit to define the role details.

    An Edit Administrator Role dialog is displayed.

  9. Grant View or Manage privileges for the appropriate policy objects and click Save.

    Figure 11-1 is the Edit Admin Role privileges pop up screen. Select View or Manage for the listed policy objects. For example, Admin Policy allows the administrator to assign new permissions to an Admin Role. Admin Role, however, allows the administrator to assign members to an Admin Role. See Section 2.3, "The Policy Object Glossary" for details on the other listed objects.

    Figure 11-1 Edit Admin Role Pop Up Screen

    Description of Figure 11-1 follows
    Description of "Figure 11-1 Edit Admin Role Pop Up Screen"

  10. Click the External Role Mapping tab to grant the Administrator Role to members of External Roles.

  11. Click Add to display the Search Principals dialog.

  12. Complete the query fields in the External Roles search box and click Search.

    Empty strings fetch all roles. The results display in the Search Results table.

  13. Select the external role to map to by clicking its name in the table.

    Use Ctrl+click to select multiple roles.

  14. Click Add Principals.

    The selected roles display in the External Role Mapping tab.

  15. Click the External User Mapping tab to grant the Administrator Role to External Users.

  16. Click Add to display the Search Principals dialog.

  17. Complete the query fields in the Users search box and click Search.

    Empty strings fetch all roles. The results display in the Search Results table.

  18. Select the user to map by selecting its name in the table.

    Use Ctrl+click to select multiple roles.

  19. Click Add Principals.

    The selected roles display in the External User Mapping tab.

11.3.2 Modifying or Deleting an Application's Delegated Administrator

To modify or delete an Application's configured Administrator Role, proceed as follows.

  1. Expand the Applications node in the Navigation Panel.

  2. Select the Application to modify.

  3. Right-click the Application name and select Open from the menu.

    The General, Delegated Administrators, Policy Distribution and Simulation tabs are all active.

  4. Click the Delegated Administrators tab.

  5. Navigate to the Administrator Role you want to modify and select it.

    The Role Details, External Role Mapping and External User Mapping tabs are displayed.

  6. Select the tab which contains the configuration to modify or delete.

    • To modify the configuration, see Section 11.3.1, "Adding a Delegated Administrator for An Application" for details.

    • To remove a mapping from an Administrator Role, select the applicable Administrator Role and the appropriate Mapping tab. Select the mapping and click Remove.

    • To delete an Administrator Role, select the Administrator Role and click Delete.

11.4 Using Policy Domains to Delegate

Administration of the policies securing one protected application may be delegated using one or more (optional) Policy Domains. A Policy Domain contains the components of completed policy definitions. It is the amalgamation of a target Resource (an instance of the Resource Type), an Entitlement (the actions that can be performed on the Resource), and a Policy (a rule that assembles the controls and the principals they affect).

The use of multiple Policy Domains allows policies to be partitioned according to some defined logic, such as the architecture of the protected application or how administration of the policies are delegated. For example, one Policy Domain can be used to maintain all policies securing a Resource or multiple Policy Domains can be used to reflect a particular characteristic of the Resource. Different administrators can then be placed in charge of different Policy Domains.

Note:

Because the creation of a Policy Domain is optional, if there is no need to delegate policy administration, there is no need to create any Policy Domains. In this case, a default Policy Domain is created with each Application that will contain all the Application's policy objects.

The following sections contain the management procedures for Policy Domains.

11.4.1 Creating a Policy Domain

To create a Policy Domain, proceed as follows.

  1. Right-click the name of the Application in the Navigation Panel under which the Policy Domain will be created and select New from the menu.

    An Untitled page displays in the Home area.

  2. Provide the following information for the Policy Domain.

    • Display Name

    • Name

    • Description: Although optional, it is recommended to provide useful information about the entitlement.

  3. Select one of the following from the Save menu.

    • Save and Close saves the configuration and renames the tab with the value provided for the Policy Domain's Display Name.

    • Save and Create Another saves the configuration to the information tree in the Navigation Panel but leaves the Untitled area open for you to create another Application.

11.4.2 Modifying a Policy Domain

To modify a Policy Domain, proceed as follows.

  1. Navigate to the Application under which the Policy Domain you want to delete was created and expand the information tree.

  2. Double click the name of the Policy Domain you want to modify.

    The Policy Domain configuration displays in the Home area.

  3. Modify as necessary and click Apply.

11.4.3 Deleting a Policy Domain

To delete a Policy Domain, proceed as follows.

  1. Navigate to the Application under which the Policy Domain you want to delete was created and expand the information tree.

  2. Double click the name of the Policy Domain you want to delete.

    The Policy Domain configuration displays in the Home area.

  3. Click Delete.

    A confirmation dialog is displayed.

  4. Click OK to delete.

11.5 Delegating Policy Domain Administration

The following sections describe how to manage administrators for Policy Domains.

11.5.1 Adding a Delegated Administrator to a Policy Domain

This procedure documents how to create a new Administrator Role and assign it to the applicable roles or users. To add a delegated administrator to a Policy Domain, proceed as follows.

  1. Expand the Applications node in the Navigation Panel.

  2. Select the Application to modify.

  3. Right-click the Application name and select Open from the menu.

    The General, Delegated Administrators, Policy Distribution and Simulation tabs are all active.

  4. Click the Delegated Administrators tab.

    The Policy Domain names are listed in the displayed table. Clicking the arrow next to the Policy Domain expands the hierarchy and displays any Administrator Roles already configured; for example, the default PolicyDomainAdmin.

  5. Select the Policy Domain under which you will create the Administrator Role.

  6. Click New to create a new Administrator Role.

    Be sure to select the name of the Policy Domain to activate New. Alternately, select the Policy Domain and select New from the Actions menu. A New Administrator Role dialog is displayed.

  7. Provide the following values for the new Administrator Role and click OK.

    • Name: The entry must be a unique.

    • Display Name

    • Description

  8. Select the new Administrator Role to activate its configuration tabs.

    The Role Details tab is active.

  9. Click Edit to define the role details.

    An Edit Administrator Role dialog is displayed.

  10. Grant View or Manage privileges for the appropriate Policy Domain objects and click Save.

  11. Click the External Role Mapping tab.

    1. Click Add to display the Search Principals dialog.

    2. Complete the query fields in the External Roles search box and click Search.

      Empty strings fetch all roles. The results display in the Search Results table.

    3. Select the external role to map to by clicking its name in the table.

      Use Ctrl+click to select multiple roles.

    4. Click Add Principals.

      The selected roles display in the External Role Mapping tab.

  12. Click the External User Mapping tab.

    1. Click Add to display the Search Principals dialog.

    2. Complete the query fields in the Users search box and click Search.

      Empty strings fetch all roles. The results display in the Search Results table.

    3. Select the user to map by selecting its name in the table.

      Use Ctrl+click to select multiple roles.

    4. Click Add Principals.

      The selected roles display in the External User Mapping tab.

11.5.2 Modifying or Deleting a Policy Domain's Delegated Administrator

To modify or delete a Policy Domain's configured Administrator Role, proceed as follows.

  1. Expand the Applications node in the Navigation Panel.

  2. Select the Application to modify.

  3. Right-click the Application name and select Open from the menu.

    The General, Delegated Administrators, Policy Distribution and Simulation tabs are all active.

  4. Click the Delegated Administrators tab.

  5. Navigate to the Administrator Role you want to modify and select it.

    The Role Details, External Role Mapping and External User Mapping tabs are displayed.

  6. Select the tab which contains the configuration to modify or delete.

    • To modify the configuration, see Section 11.5.1, "Adding a Delegated Administrator to a Policy Domain" for details.

    • To remove a mapping from an Administrator Role, select the applicable Administrator Role and the appropriate Mapping tab. Select the mapping and click Remove.

    • To delete an Administrator Role, select the Administrator Role and click Delete.

11.6 Managing System Administrators Using Administrator Roles

You can delegate system administration privileges to users by creating and configuring System Administrator Roles. By default, SystemAdmin is created during installation and is displayed in the System Administrators table when you navigate to System Administrators under the main System Configuration tab. SystemAdmin manages system-level resources (including other Administrator Roles, and system configurations and bindings) and maps to the WebLogic Server weblogic user.

The following sections document the management operations for all Oracle Entitlements Server System Administrator Roles.

11.6.1 Creating a New Administrator Role

To create a new Administrator Role, proceed as follows.

  1. Select the System Configuration tab from the Home area.

    The System Administrators tab is displayed in the Home area.

  2. Click New under Administrator Roles to create a new Administrator Role.

    A dialog is displayed.

  3. Provide the following values for the new Administrator Role.

    • Name: The entry must be a unique.

    • Display Name

    • Description

  4. Click Create.

11.6.2 Assigning Privileges to an Administrator Role

To assign privileges to an Administrator Role, map external roles, external users or both to the role as documented in this procedure.

  1. Select the System Configuration tab from the Home area.

    The System Administrators tab and configured Administrator Roles are displayed in the Home area. Alternately, right-click Administrators and select Open.

  2. Select the name of the Administrator Role from the table.

  3. Select the Modify or View option to define the Administrator Control.

    Modify defines the administrator as having management (and by proxy viewing) privileges on all system administrator resources. View defines the administrator as having only viewing privileges.

  4. Click the External Role Mapping tab.

    1. Click Add or select Add from the Actions menu.

      The Add Roles search dialog is displayed.

    2. Enter a search string in the text box and click the arrow to search for External Roles.

      Alternately, click Search with no search string to return all available External Roles.

    3. Select one or more roles from the results and click Add Selected.

      Alternately, click Add All to add all returned results.

    4. Click Add Principals.

  5. Click the External User Mapping tab.

    1. Click Add or select Add from the Actions menu.

      The Add Users search dialog is displayed.

    2. Enter a search string in the text box and click the arrow to search for External Users.

      Alternately, click Search with no search string to return all available External Users.

    3. Select one or more users from the results and click Add Selected.

      Alternately, click Add All to add all returned results.

    4. Click Add Principals.

11.6.3 Modifying Administrator Role Membership

To modify Administrator Role membership, delete the mappings as documented in this procedure.

  1. Select the System Configuration tab from the Home area.

  2. Double-click System Administrators in the Navigation Panel.

    Alternately, right-click System Administrators and select Open. The System Administrators page is displayed.

  3. Select the name of the Administrator Role from the table.

  4. Modify the Modify or View Administrator Control as necessary.

  5. Click the External Role Mapping tab.

    1. Select the External Role to delete.

    2. Click Remove.

      Alternately, select Remove from the Actions menu.

  6. Click the External User Mapping tab.

    1. Select the External User to delete.

    2. Click Remove.

      Alternately, select Remove from the Actions menu.

11.6.4 Deleting an Administrator Role

To delete an Administrator Role, proceed as follows.

  1. Select the System Configuration tab from the Home area.

  2. Double-click System Administrators in the Navigation Panel.

    Alternately, right-click System Administrators and select Open. The System Administrators page is displayed.

  3. Select the name of the Administrator Role from the table.

  4. Click Delete.

    A confirmation dialog is displayed.

  5. Click Remove.