Sun Java System Access Manager 7 2005Q4 Technical Overview

Delegation Plug-In

The Delegation plug-in works together with the Identity Repository plug-in to determine a network administrator's scope of privileges. Default administrator roles are defined in the Identity Repository plug-in. The Delegation plug-in forms rules that describe the scope of privileges for each network administrator, and also specifies the roles to which the rules apply. The following table lists the roles defined in the Identity Repository and the default rule the Delegation plug-in applies to each role.

Table 1–5 Access Manager Roles and Scope of Privileges

Identity Repository Role       Delegation Rule
Realm Administrator            Can access all data in all realms of the Access Control information tree.
Subrealm Administrator         Can access all data within a specific realm of the Access Control information tree.
Policy Administrator           Can access all policies in all realms of the Access Control information tree.
Policy Realm Administrator     Can access policies only within the specific realm of the Access Control information tree.

The Authentication Service and the Policy Service use the aggregated role and delegation data to perform authentication and authorization. The Delegation plug-in code is not public in Access Manager.