Delegated administration of Service Provider users is enabled through the following means:
Service Provider administrators are Identity Manager users that are assigned capabilities and can control organizations. These administrators can be created and maintained in the same way as Identity Manager administrators.
Several different levels of administrators might be needed in your environment to perform various tasks, such as the following:
The lowest level of administrator might be permitted to create and edit end user (customer) accounts only. There might be thousands of administrators with these capabilities.
Another level of administrator might be permitted to create, edit, and delete low-level administrators as well as customer accounts. There might be hundreds of such administrators.
A set of administrators to manage the LDAP directory and other resources. There might be several dozen of this type of administrator.
A few high-level administrators that have super user abilities.
The last two categories of administrators would likely be created and maintained manually in the Administrator Interface. However, to create the lower-level administrators, perform the following tasks:
Review the object classes and attributes present in your LDAP directory and determine which of these items contain data that indicates the user should have administrative powers. For example, you might have an attribute that indicates a user is a retailer or manager. A retailer would have the ability to create accounts. A manager might be permitted to create retailer accounts.
Add the attributes to the schema map of the LDAP resource.
Determine how you will limit the scope of each administrator. For example, a retailer based in Texas probably should not be allowed to create accounts for users who live in New York. Similarly, a manager should not be allowed to delete accounts outside her realm.
Create organizations in Identity Manager that correspond to the scopes defined in the previous step.
Create a user form that creates an Identity Manager account and assigns both capabilities and an organization to each administrator. The user form must use the attributes defined in Organization-Based Authorization. Entries that carry no administrative marker attribute should yield ordinary customer accounts with no capabilities, so that a missing or unexpected attribute value never grants administrative power by default.
Use reconciliation or another data-loading mechanism to load the administrator accounts into Identity Manager.
To grant fine-grained capabilities and scope of control over Service Provider users, use an Admin Role whose authType is ServiceProviderUserAdminRole. Admin Roles can be configured to be assigned dynamically to one or more Identity Manager or Service Provider users at login time.
Rules can be defined and applied to the Admin Roles that specify the capabilities (such as Service Provider Create User) of the members of that admin role.
To use Admin Role delegation for Service Provider users, you must enable it in the Identity Manager system configuration object. See Business Administrator's Guide for detailed information about this task.
To define this type of Admin Role, you must create one or more rules. See Delegated Administration for more information.
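The following is an added, stand-alone model of the two mechanisms described above: the attribute-driven procedure (administrative marker attributes mapped to capabilities and to an organization, then loaded by reconciliation) and rule-driven Admin Role membership evaluated at login. It is illustrative Python, not Identity Manager code or its API. The organization tree, the attribute names employeeType and st, the region-to-organization table, the capability names other than "Service Provider Create User", the "Regional Manager" Admin Role and its rule, and the sample LDAP entries are all constructed for the example.

```python
"""Model of organization-scoped delegated administration (hypothetical).

Not Identity Manager code: it shows the decisions the user form, the
organizations, and the Admin Role rules have to encode, and checks that
an administrator can act only inside the organization she controls.
"""
from dataclasses import dataclass

# Capability names. The first is the page's example; the others are assumed.
SP_CREATE_USER = "Service Provider Create User"
SP_EDIT_USER = "Service Provider Edit User"        # assumed name
SP_DELETE_USER = "Service Provider Delete User"    # assumed name
CREATE_ADMIN = "Create Administrator"              # assumed name
DELETE_ADMIN = "Delete Administrator"              # assumed name

# Organization tree as child -> parent (hypothetical layout).
ORG_PARENT = {
    "Top": None,
    "Top:Retail": "Top",
    "Top:Retail:Texas": "Top:Retail",
    "Top:Retail:NewYork": "Top:Retail",
}

# Administrative marker values -> capabilities (hypothetical mapping).
ROLE_CAPABILITIES = {
    "retailer": frozenset({SP_CREATE_USER, SP_EDIT_USER}),
    "manager": frozenset({SP_CREATE_USER, SP_EDIT_USER, SP_DELETE_USER}),
}

# LDAP 'st' (state) values -> organization that bounds the scope (hypothetical).
REGION_ORG = {"TX": "Top:Retail:Texas", "NY": "Top:Retail:NewYork", "ALL": "Top:Retail"}

# Admin Role rules evaluated at login, and what each role grants (hypothetical).
ADMIN_ROLE_RULES = {"Regional Manager": lambda entry: entry.get("employeeType") == "manager"}
ADMIN_ROLE_CAPABILITIES = {"Regional Manager": frozenset({CREATE_ADMIN, DELETE_ADMIN})}


@dataclass(frozen=True)
class Administrator:
    uid: str
    controlled_org: str
    capabilities: frozenset


def org_chain(org):
    """Return org and its ancestors, walking up to the top of the tree."""
    chain = []
    while org is not None:
        if org not in ORG_PARENT:
            raise KeyError(f"unknown organization {org!r}")
        chain.append(org)
        org = ORG_PARENT[org]
    return chain


def in_scope(controlled_org, target_org):
    """An administrator controls her organization and everything beneath it."""
    return controlled_org in org_chain(target_org)


def admin_from_entry(entry):
    """The user-form step: derive capabilities and organization from an LDAP entry.

    Entries without a recognised administrative marker yield None, so plain
    customer accounts never receive capabilities by default.
    """
    role = entry.get("employeeType")          # assumed marker attribute
    if role not in ROLE_CAPABILITIES:
        return None
    region = entry.get("st")                  # LDAP state attribute used as scope key
    if region not in REGION_ORG:
        raise ValueError(f"{entry['uid']}: no organization for region {region!r}")
    return Administrator(entry["uid"], REGION_ORG[region], ROLE_CAPABILITIES[role])


def reconcile(entries):
    """The data-loading step: collect the administrators found in a batch of entries."""
    admins = (admin_from_entry(e) for e in entries)
    return {a.uid: a for a in admins if a is not None}


def evaluate_admin_roles(entry):
    """Dynamic Admin Role membership: every role whose rule matches the entry."""
    return frozenset(name for name, rule in ADMIN_ROLE_RULES.items() if rule(entry))


def login(entry):
    """Session view of an administrator: form-assigned capabilities plus Admin Roles."""
    admin = admin_from_entry(entry)
    if admin is None:
        return None
    caps = set(admin.capabilities)
    for role in evaluate_admin_roles(entry):
        caps |= ADMIN_ROLE_CAPABILITIES[role]
    return Administrator(admin.uid, admin.controlled_org, frozenset(caps))


def authorize(admin, capability, target_org):
    """Allow only when the capability is held AND the target is inside the scope."""
    return capability in admin.capabilities and in_scope(admin.controlled_org, target_org)


# Constructed sample LDAP entries (not real directory data).
SAMPLE_ENTRIES = [
    {"uid": "tx-retailer", "employeeType": "retailer", "st": "TX"},
    {"uid": "ny-retailer", "employeeType": "retailer", "st": "NY"},
    {"uid": "tx-manager", "employeeType": "manager", "st": "TX"},
    {"uid": "us-manager", "employeeType": "manager", "st": "ALL"},
    {"uid": "customer1", "st": "TX"},                 # customer: no marker attribute
]
```

The two checks in authorize are deliberately independent: holding "Service Provider Create User" says nothing about where it may be exercised, and controlling an organization says nothing about which operations are permitted. Both must hold, and the organization walk is upward only, so a Texas administrator is never in scope for the parent organization or a sibling.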