In Access Manager Realm mode, the Delegation plug-in works with the Identity Repository plug-in to determine a network administrator's scope of privileges. Default administrator roles are defined in the Identity Repository plug-in. The Delegation plug-in forms rules that describe the scope of privileges for each network administrator, and also specifies the roles to which the rules apply. The following table lists the roles defined in the Identity Repository and the default rule the Delegation plug-in applies to each role.
Table 3–1 Access Manager Roles and Scope of Privileges in Realm Mode

Identity Repository Role | Delegation Rule |
---|---|
Realm Administrator | Can access all data in all realms of the Access Manager information tree. |
Subrealm Administrator | Can access all data within a specific realm of the Access Manager information tree. |
Policy Administrator | Can access all policies in all realms of the Access Manager information tree. |
Policy Realm Administrator | Can access policies only within the specific realm of the Access Manager information tree. |

The Authentication service and Policy service use the aggregated data to perform the authentication and authorization processes. The code for the Delegation plug-in and the Identity Repository plug-in is not public in Access Manager.