Delegated administration for Service Provider users is enabled through the use of Identity Manager admin roles, or through the organization-based authorization model.
Identity Manager provides delegation of administrative duties through the organization-based authorization model, by default.
Keep the following in mind when creating delegated administrators in an organization-based authorization model:
Service provider administrators are Identity Manager users with specific capabilities and controlled organizations.
The values of the users’ organization attributes can either be the name of the Identity Manager organization or the object ID. This depends on the setting of the Identity Manager Organization Attribute Name Contains ID field in the Identity Manager Main Configuration screen.
You can create an Identity Manager hierarchy and place organizations in it in the way you want to delegate their administration. Because Service Provider users are matched to organizations by simple name only (see below), give each organization a name that is unique across the hierarchy rather than reusing a simple name such as sub1 under several parents.
Service Provider users have their organization taken from user attributes in the directory server.
The directory attribute that holds the organization name must be mapped in the schema map of the directory server resource.
The user's organization attribute is compared by exact match against the administrator's controlled organization list. The value stored in the directory must be the organization's simple name, not its full path in the hierarchy: if an administrator controls Top:orgA:sub1, then sub1 must be the value stored in the Service Provider user's organization attribute.
If the attribute is not set or does not correspond to an Identity Manager organization, the Service Provider user is treated as a member of the Top organization. This requires that the Service Provider administrators have Service Provider user capabilities in Top to manage these users.
Attribute settings determine the scope for searches by Service Provider administrators.
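The following is an added example (not Identity Manager code) that models the organization-based rules just described: exact match on an organization's simple name, fallback to Top when the attribute is unset or names no organization, and the ambiguity that arises when two organizations share a simple name. The organization hierarchy, user entries and controlled-organization lists are constructed for illustration; the audit function is the check you would run over exported Service Provider user attributes before relying on this model.

```python
"""Model of the organization-based authorization model for Service Provider
users as this page describes it (simple-name match, fallback to Top). Added
example for this page, not Identity Manager code; the organization hierarchy,
user entries and controlled-organization lists are constructed."""

# IDM organizations written the way the page writes them (Top:orgA:sub1).
# Top:orgB:sub1 deliberately reuses the simple name "sub1" to show why
# organization names should be unique across the hierarchy.
ORG_PATHS = ["Top", "Top:orgA", "Top:orgA:sub1", "Top:orgA:sub2",
             "Top:orgB", "Top:orgB:sub1"]

# Constructed Service Provider user entries: uid -> value of the directory
# attribute mapped as the IDM organization attribute (None = not set).
SP_USERS = {
    "alice": "sub2",
    "bob": "sub1",            # two organizations have the simple name sub1
    "carol": None,            # attribute unset: treated as a member of Top
    "dave": "Top:orgA:sub2",  # full path stored where the simple name belongs
    "erin": "orgA",
}

def simple_name(path):
    return path.rsplit(":", 1)[-1]

def duplicate_simple_names(org_paths=ORG_PATHS):
    """Simple names shared by more than one organization; the directory
    attribute cannot distinguish these."""
    seen, dups = set(), set()
    for name in map(simple_name, org_paths):
        (dups if name in seen else seen).add(name)
    return dups

def resolve_organizations(attr_value, org_paths=ORG_PATHS):
    """Organizations whose simple name exactly equals the attribute value."""
    if not attr_value:
        return []
    return [p for p in org_paths if simple_name(p) == attr_value]

def effective_organizations(attr_value, org_paths=ORG_PATHS):
    """Where the user lands for authorization: the matching organization(s),
    or Top when the attribute is unset or names no organization."""
    return resolve_organizations(attr_value, org_paths) or ["Top"]

def can_manage(controlled_orgs, attr_value, org_paths=ORG_PATHS):
    """Organization-based check: the user's effective organization must be
    in the administrator's controlled list. Exact match only; this model
    does not assume control of an organization extends to its children."""
    return any(org in controlled_orgs
               for org in effective_organizations(attr_value, org_paths))

def audit_sp_users(users=SP_USERS, org_paths=ORG_PATHS):
    """Flags users whose organization attribute will not do what the
    delegation design intends."""
    findings = {}
    for uid, value in users.items():
        orgs = resolve_organizations(value, org_paths)
        if value is None:
            findings[uid] = "falls back to Top: attribute not set"
        elif not orgs:
            findings[uid] = "falls back to Top: no organization named %r" % value
        elif len(orgs) > 1:
            findings[uid] = "ambiguous: %s" % ", ".join(orgs)
        else:
            findings[uid] = "ok: " + orgs[0]
    return findings

if __name__ == "__main__":
    for uid, finding in audit_sp_users().items():
        print(uid, finding)
    print(can_manage(["Top:orgA:sub2"], "sub2"))   # True
    print(can_manage(["Top:orgA"], None))          # False: unset users need Top
```

Users reported as falling back to Top can only be managed by administrators who hold Service Provider user capabilities in Top, so a delegated administrator scoped to Top:orgA will silently fail to see them; users reported as ambiguous are the case the unique-naming advice above exists to prevent.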
To create a delegated administrator account, you first create an Identity Manager administrator and then add Service Provider administrator capabilities. There are capabilities specific to Service Provider tasks which can be assigned to the user (on the Security Tab of the Edit User page). The controlled organizations specify which Service Provider users the administrator can modify. Any resources available to Service Provider users are available to all Identity Manager administrators.
For more information about Identity Manager delegated administration, see Delegated Administration in Chapter 6, Administration.
To grant fine-grained capabilities and scope of control over Service Provider users, use a Service Provider User Admin Role. Admin Roles can be configured to be dynamically assigned to one or more Identity Manager or Service Provider users at login time.
Rules can be defined and assigned to Admin Roles that specify the capabilities (such as Service Provider Create User) granted to users assigned the admin role.
To use Admin Role delegation for service provider users, you must enable it in the Identity Manager system configuration object (Editing Identity Manager Configuration Objects).
If delegation through Admin Role assignment is enabled, then the IDM Organization Attribute Name in the Service Provider Configuration is not required.
To enable service provider admin role delegation (Service Provider delegated administration), open the system configuration object for modification (Editing Identity Manager Configuration Objects) and set the following property to true:
security.authz.external.app name.object type
where app name is the Identity Manager application (such as Administrator Interface) and object type is Service Provider Users.
This property can be enabled per Identity Manager application (for example, for the Administrator Interface or User Interface) and per object type. Currently, the only supported object type is Service Provider Users. The default value is false.
For example, to enable Service Provider Delegated Administration for Identity Manager administrators, set the following attribute in the System Configuration configuration object to “true”:
security.authz.external.Administrator Interface.Service Provider Users
If Service Provider Delegated Administration is disabled (set to false) for a given Identity Manager or Service Provider application, the organization-based authorization model is used.
When Service Provider Delegated Administration is enabled, tracked events capture information about the number and duration of authorization rules executed. These statistics are available in the dashboard.
To configure a Service Provider User Admin Role, create an admin role and specify the scope of control, capabilities, and to whom it should be assigned.
Before creating a Service Provider User Admin Role, define the search context, search filter, after search filter, capabilities, and user assignment rules for the admin role.
When creating these rules, set each rule's authType to the corresponding value from the following list:
SPEUsersSearchContextRule
SPEUsersSearchFilterRule
SPEUsersAfterSearchFilterRule
CapabilitiesOnSPEUserRule
UserIsAssignedAdminRoleRule
SPEUserIsAssignedAdminRoleRule
Identity Manager provides sample rules that you can use to create these rules for Service Provider User Admin Roles. These rules are available in sample/adminRoleRules.xml in the Identity Manager installation directory.
For more information about creating these rules for your environment, see Sun Identity Manager Service Provider 8.1 Deployment.
In the Administrator interface, click Security on the menu, then click Admin Roles.
The Admin Roles page opens.
Click New.
The Create Admin Role page opens.
Specify a name for the admin role and select Service Provider Users for the type.
Specify the Scope of Control, Capabilities, and Assign To Users options, as described in the following sections.
The scope of control for the service provider user admin role specifies which service provider users a given Identity Manager administrator, Identity Manager end user, or Identity Manager service provider end user is allowed to see. It is enforced when a request is made to list Service Provider Users in the directory.
You can specify one or more of the following settings for the Service Provider User Admin Role scope of control:
User search context. Specify a rule or a text string that supplies the context in which the search begins.
If None is specified, the default search context will be the base context specified in the Identity Manager Resource configured as the Service Provider User directory.
User search filter. Specify a rule or a text string to be applied as the search filter.
The text string specified, or returned by the selected rule, must be an LDAP-compliant search filter that represents the set of users, within the search context, that users assigned this Admin Role control. This filter is combined (ANDed) with the search filter supplied by the requesting user, so that the search can be narrowed by the requester but never widened to users that holders of this Admin Role are not authorized to list.
After user search filter rule. Select a rule that will be applied after the User search filter is applied.
This rule runs after the initial LDAP search against the Service Provider User directory and evaluates the results to determine which distinguished names (DNs) the requesting user is allowed to access.
This type of rule can be used when you need to determine if a user should be in the requesting user’s scope of control using non-LDAP user attributes (for example, group membership), or when the filter decision needs to be made using a repository other than the Service Provider User directory (for example, an Oracle database or RACF).
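The following is an added example (not Identity Manager code or one of the sample rules) that models the three scope-of-control settings above in order: a search context that bounds the subtree, a scope filter that is ANDed with the caller's filter, and an after-search rule that consults a non-LDAP repository. The directory entries, the billing-status table and the filter strings are constructed; the small RFC 4515 evaluator exists only so the example runs offline and is not a substitute for a real LDAP server.

```python
"""Model of a Service Provider User Admin Role scope of control: search
context, scope filter ANDed with the caller's filter, and an after-search
rule evaluated against a non-LDAP repository. Added example for this page,
not Identity Manager code; directory entries and records are constructed."""
import re

# Constructed Service Provider user directory: DN -> attributes.
DIRECTORY = {
    "uid=alice,ou=people,o=acme,dc=example":
        {"uid": "alice", "o": "acme", "objectClass": "inetOrgPerson"},
    "uid=bob,ou=people,o=acme,dc=example":
        {"uid": "bob", "o": "acme", "objectClass": "inetOrgPerson"},
    "uid=carol,ou=people,o=acme,dc=example":
        {"uid": "carol", "o": "acme", "objectClass": "inetOrgPerson"},
    "uid=dave,ou=people,o=globex,dc=example":
        {"uid": "dave", "o": "globex", "objectClass": "inetOrgPerson"},
    "cn=batch,ou=people,o=acme,dc=example":
        {"cn": "batch", "o": "acme", "objectClass": "applicationProcess"},
}
# Constructed non-LDAP repository (stands in for the database the page
# mentions) consulted by the after-search rule.
BILLING_STATUS = {"alice": "active", "bob": "active", "carol": "suspended"}

# Scope settings of the hypothetical admin role used in this example.
SEARCH_CONTEXT = "dc=example"
SCOPE_FILTER = "(&(objectClass=inetOrgPerson)(o=acme))"

def escape(value):
    """RFC 4515 escaping for a value spliced into a filter string."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def parse(filt, i=0):
    """Tiny recursive-descent parser for &, |, ! and attr=value (with *)."""
    if filt[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if filt[i] in "&|!":
        op, subs, i = filt[i], [], i + 1
        while filt[i] == "(":
            node, i = parse(filt, i)
            subs.append(node)
        if filt[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = filt.index(")", i)          # escaping guarantees no raw ')' in values
    attr, _, val = filt[i:j].partition("=")
    return ("=", attr, val), j + 1

def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, val = node
    actual = entry.get(attr)                # attribute names compared exactly
    if actual is None:
        return False
    if val == "*":                          # presence test
        return True
    pattern = ".*".join(re.escape(unescape(p)) for p in val.split("*"))
    return re.fullmatch(pattern, actual) is not None

def after_search_rule(dn, entry):
    """After user search filter rule: keeps only DNs whose uid is active in
    the non-LDAP repository."""
    return BILLING_STATUS.get(entry.get("uid")) == "active"

def scoped_search(caller_filter, directory=DIRECTORY, context=SEARCH_CONTEXT,
                  scope_filter=SCOPE_FILTER, after_rule=None):
    """Returns (combined filter, sorted DNs). The scope filter is ANDed with
    the caller's filter, so the caller can narrow but never widen the set."""
    combined = "(&%s%s)" % (scope_filter, caller_filter)
    tree, end = parse(combined)
    if end != len(combined):
        raise ValueError("trailing data in filter")
    dns = [dn for dn, e in directory.items()
           if dn.endswith("," + context) and matches(tree, e)]
    if after_rule is not None:
        dns = [dn for dn in dns if after_rule(dn, directory[dn])]
    return combined, sorted(dns)

if __name__ == "__main__":
    print(scoped_search("(uid=*)"))
    print(scoped_search("(|(uid=*)(o=globex))"))           # still only acme users
    print(scoped_search("(uid=*)", after_rule=after_search_rule))
    print(scoped_search("(uid=%s)" % escape("*)(o=globex")))  # no match, not a wider filter
```

Two points worth noting from the run: a caller filter that tries to OR in another organization is still confined to the scope because the combination is a conjunction, and a value spliced into a filter from user input is escaped so it can only change what is matched, never the shape of the filter. The after-search rule is where decisions that LDAP cannot express (the billing status here; group membership or a RACF lookup in practice) belong.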
Capabilities for the Service Provider User Admin Role specify which capabilities and rights the requesting user has on the Service Provider User for which access is being requested. It is enforced when a request is made to view, create, modify, or delete a Service Provider User.
On the Capabilities tab, select the Capabilities Rule to apply for this admin role.
Service Provider User Admin Roles can be dynamically assigned to service provider users by specifying a rule that will be evaluated at login time to determine whether to assign the authenticating user the Admin Role.
Click the Assign To Users tab, and select the rule to apply for the assignment.
Dynamic assignment of Admin Roles to users must be enabled for each login interface (for example, the User interface and the Administrator interface) by setting the following System Configuration object (Editing Identity Manager Configuration Objects) to true:
security.authz.checkDynamicallyAssignedAdminRolesAtLoginTo.logininterface
The default for all interfaces is false.
By default, Service Provider Users can assign (or delegate) Service Provider User Admin Roles assigned to them to other Service Provider Users in their scope of control.
In fact, any Identity Manager User with capabilities to edit Service Provider Users can assign the Service Provider User Admin Roles assigned to them to the service provider users in their scope of control.
A Service Provider User Admin Role can also include a list of Assigners who can assign the Admin Role regardless of scope of control. These direct assignments can ensure that at least one known user account can assign the Admin Role.