The delegation model in Access Manager is based on privileges (or entitlements) that have been assigned to the administrators. A privilege is an operation (or action) that can be performed on a resource; for example, a READ operation on Policy objects. The set of operations that are defined are READ, MODIFY and DELEGATE. The resources are objects on which the actions can be performed, and can be either a configuration object or an identity object.
Examples of configuration objects are Authentication Configuration, Policies, Data Stores, and so forth. Examples of identity objects are Users, Groups, Roles, and Agents. Privileges can be created and added to Access Manager dynamically; however, during installation a small set of privileges is added so that Access Manager can run properly. Once the privileges are loaded, they can be assigned to roles and groups. Users belonging to these roles and groups are the delegated administrators and are able to perform the assigned operations. In other words, administrators are users who are members of roles and groups to which one or more privileges have been assigned.
Access Manager 7.1 allows you to configure permissions for the following administrator types:
Realm administrators — Realm administrators have all permissions (READ, MODIFY and DELEGATE) on all objects, both configuration and identity objects. A realm administrator can be thought of as the equivalent of “root” on a Unix system. Realm administrators can create sub-realms, modify the configuration of all services, and create, modify and delete Users, Groups, Roles and Agents.
Policy administrators — Policy administrators have permissions to manage policies and policy service configurations only. They can create, modify and delete policies, which consist of Rules, Subjects, Conditions and Response Attributes. However, in order to manage policies these administrators also need read permission for Identity Repository Subjects and for the Authentication configuration, so they are able to view identities and authentication configurations.
Log administrators — Log administrators have permissions to read and/or write log records. This privilege protects the audit logs from being abused by rogue applications: because the logging interfaces are public, any authenticated user could otherwise read and write log records. The main users of the logging interfaces are J2EE and Web Agents, which require only the MODIFY privilege and should not have the READ privilege. Similarly, administrators who view the logs should have only the READ privilege and not the MODIFY privilege. To cater for these types of usage, the logging privileges are further sub-divided as follows:
Log administrators with Write Access – These administrators have permissions to write all log files.
Log administrators with Read Access – These administrators have permissions to read all log files.
Log administrators with Read and Write Access – These administrators have permissions to read and write to all log files.
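The privilege model just described (operations on resource types, privileges attached to roles and groups, users inheriting them only through membership) can be checked with a small evaluator. The code below is an added example written for this page, not Access Manager's own delegation API; the class names, the role and user names, and the "Logs" resource type are constructed assumptions. It encodes the five administrator types above and shows the separation the text asks for: a web agent holding the write-only log privilege cannot read log records, an auditor with the read-only privilege cannot write them, and a policy administrator can read but not modify the authentication configuration.

```python
"""Toy evaluator for the delegation model described above.

Constructed example: class, role, user and resource names are illustrative
assumptions, not the product's own API or identifiers.
"""
from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    """The three operations the delegation model defines."""
    READ = "READ"
    MODIFY = "MODIFY"
    DELEGATE = "DELEGATE"


# Resource types taken from the text; "Logs" stands in for the log files
# (assumption: the real product identifies resources differently).
CONFIG_RESOURCES = frozenset({"AuthenticationConfiguration", "Policies", "DataStores", "Logs"})
IDENTITY_RESOURCES = frozenset({"Users", "Groups", "Roles", "Agents"})
ALL_RESOURCES = CONFIG_RESOURCES | IDENTITY_RESOURCES
ALL_OPS = frozenset(Op)


@dataclass(frozen=True)
class Privilege:
    """One operation permitted on one resource type."""
    resource: str
    op: Op


def grant(resources, ops):
    """Build the privilege set for every (resource, op) pair."""
    return frozenset(Privilege(r, o) for r in resources for o in ops)


# Privilege sets modelled on the administrator types described above.
# Policy administrators get MODIFY on policies only, plus READ on the identity
# subjects and the authentication configuration they need to author policies
# (assumption: Users/Groups/Roles represent the Identity Repository Subjects).
PRIVILEGE_SETS = {
    "RealmAdmin": grant(ALL_RESOURCES, ALL_OPS),
    "PolicyAdmin": grant({"Policies"}, {Op.READ, Op.MODIFY})
    | grant({"Users", "Groups", "Roles", "AuthenticationConfiguration"}, {Op.READ}),
    "LogAdminWrite": grant({"Logs"}, {Op.MODIFY}),       # agents: write-only
    "LogAdminRead": grant({"Logs"}, {Op.READ}),          # auditors: read-only
    "LogAdminReadWrite": grant({"Logs"}, {Op.READ, Op.MODIFY}),
}


class Directory:
    """Roles carry privileges; users get privileges only through membership."""

    def __init__(self):
        self.role_privileges = {}   # role name -> frozenset[Privilege]
        self.memberships = {}       # user name -> set of role names

    def assign(self, role, privileges):
        self.role_privileges[role] = self.role_privileges.get(role, frozenset()) | privileges

    def add_member(self, user, role):
        self.memberships.setdefault(user, set()).add(role)

    def privileges_of(self, user):
        """Union of the privileges of every role the user belongs to."""
        return frozenset().union(
            *(self.role_privileges.get(r, frozenset()) for r in self.memberships.get(user, ()))
        )

    def is_allowed(self, user, op, resource):
        """The access check: the exact (resource, op) pair must have been granted."""
        return Privilege(resource, op) in self.privileges_of(user)

    def summary(self, user):
        """Sorted 'OP resource' strings, handy for reviewing what a role really grants."""
        return sorted(f"{p.op.value} {p.resource}" for p in self.privileges_of(user))


def sample_directory():
    """Constructed sample: one principal per administrator type."""
    d = Directory()
    for role, privs in PRIVILEGE_SETS.items():
        d.assign(role, privs)
    d.add_member("alice", "RealmAdmin")       # realm administrator
    d.add_member("bob", "PolicyAdmin")        # policy administrator
    d.add_member("agent01", "LogAdminWrite")  # web agent writing audit records
    d.add_member("carol", "LogAdminRead")     # auditor reading the logs
    return d


if __name__ == "__main__":
    d = sample_directory()
    for user in ("alice", "bob", "agent01", "carol", "mallory"):
        print(user, d.summary(user))
```

Running the module prints the effective privilege list per user; `mallory`, who belongs to no role, gets an empty list, which is the point of assigning privileges to roles rather than to users. The `summary` output is also a quick way to review a role before assigning it, for instance to confirm that an agent role never carries READ on the logs.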
A new installation of Access Manager 7.1 provides access permissions for policy administrators, realm administrators (or organization administrators in Legacy mode) and log administrators. To assign or modify privileges, click the name of the role or group you wish to edit. You can select from the following:
Defines both read and write access privileges to log administrators.
Defines only write access privileges to log administrators.
Defines only read access privileges to log administrators.
Defines read and write access privileges for policy administrators.
Defines read and write access privileges for realm administrators.
If you have upgraded Access Manager from version 7.0 to 7.1, the privilege configuration differs from that of a new Access Manager 7.1 installation; however, privileges for policy administrators, realm administrators and log administrators are still supported. To assign or modify privileges, click the name of the role or group you wish to edit. You can select from the following:
Defines read access privileges to datastores for policy administrators.
Defines both read and write access privileges for log administrators.
Defines only write access privileges for log administrators.
Defines only read access privileges for log administrators.
Defines read and write access privileges for policy administrators.
Defines read and write access privileges for realm administrators.
Defines read access privileges to all properties and services for policy administrators.
Access Manager does not support the following definitions when they are used on their own, either separately or together:
Read only access to data stores
Read only access to all properties and services
These privilege definitions must be used with the “Read and write access only for policy properties” definition to define delegation control for policy administrators.