The Delegation plug-in aggregates policies and roles to determine the scope of a network administrator’s authority. The Authentication Service and the Policy Service then use the aggregated data to perform authentication and authorization processes. The Delegation plug-in works together with the Identity Repository Management plug-in (where default administrator roles are defined) to form rules that describe the scope of privileges for each network administrator, and it specifies the roles to which these rules apply. The following table lists the roles defined by the Identity Repository Management plug-in and the default rule the Delegation plug-in applies to each.
Table 1–4 Access Manager Administrator Roles and Scope of Privileges

| Administrator Role | Delegation Rule |
|---|---|
| | Can access all data in all realms of the Access Manager information tree. |
| | Can access all data within a specific realm of the Access Manager information tree. |
| | Can access all policies in all realms of the Access Manager information tree. |
| | Can access policies only within the specific realm of the Access Manager information tree. |

The Delegation plug-in code is not public in Access Manager.