OpenSSO Enterprise administrators are delegated responsibilities based on privileges assigned to groups. A privilege is an action that can be performed on a resource; for example, a READ operation on a log. Privileges can be dynamically assigned to users deemed administrators by creating a group, assigning to it the appropriate privilege, and adding the appropriate user as a member of the group.
For more information on groups, see Chapter 5, Creating Subjects.
Once a group is created, it appears under the realm's Privileges tab. To add privileges, click the group name and assign the appropriate operation. Members of the group are then able to perform the assigned operations. The following privileges can be delegated.
Read and write access to all configured agents delegates read and write permissions for all configured agent profiles to an agent administrator.
Read and write access to all log files delegates read and write permissions for all log records to a log administrator.
OpenSSO Enterprise logging interfaces are public, so any authenticated user could read and write OpenSSO Enterprise log records. Delegating the log administrator privileges prevents this abuse. Policy agents, the main users of the logging interfaces, only require permission to write log records and should not be delegated permission to read them. Similarly, administrators who read log records should not be delegated permission to write them.
Read access to all log files delegates read permission for all log records to a log administrator.
Write access to all log files delegates write permission for all log records to a log administrator.
Read and write access only for policy properties delegates read and write permissions for all policies and policy configurations to a policy administrator. Policy administrators can create, modify and delete policies, which consist of Rules, Subjects, Conditions and Response Attributes.
In order to manage the policies themselves (not only policy configurations), a policy administrator also needs permission to read the identity data store(s), and so should additionally be delegated the Read and write access to all realm and policy properties privilege.
Read and write access to all realm and policy properties delegates read and write permissions for all realm configuration data to a realm administrator. Realm administrators can create sub-realms, modify configurations for the realm's services, and create, modify and delete Users, Groups, and Agents.
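The following script is an added example, not part of the OpenSSO Enterprise documentation or product, that checks a delegation inventory against the separation described above: agents only write log records, log readers do not also write them, and a policy administrator must also hold read access to the identity data stores (through the data-store read privilege or the realm administrator privilege). The inventory layout and the sample users and groups are constructed for the example; the privilege strings are the console labels used in this chapter.

```python
# Added example: audit group-based delegation against the separation rules
# given in the text. The inventory dictionary layout is constructed for this
# example and is not an OpenSSO export format; privilege strings are the
# console labels from the chapter.

AGENT_RW = "Read and write access to all configured agents"
LOG_RW = "Read and write access to all log files"
LOG_READ = "Read access to all log files"
LOG_WRITE = "Write access to all log files"
POLICY_RW = "Read and write access only for policy properties"
REALM_RW = "Read and write access to all realm and policy properties"
DATASTORE_READ = "Read only access to data stores"


def effective_privileges(user, inventory):
    """Union of the privileges of every group the user belongs to.
    Privileges are assigned to groups, never directly to users."""
    privs = set()
    for group in inventory["users"][user]["groups"]:
        privs.update(inventory["groups"].get(group, ()))
    return privs


def audit(inventory):
    """Return (user, problem) pairs for assignments that violate the
    log and policy delegation rules described in the text."""
    findings = []
    for user, info in inventory["users"].items():
        privs = effective_privileges(user, inventory)
        reads_logs = bool(privs & {LOG_READ, LOG_RW})
        writes_logs = bool(privs & {LOG_WRITE, LOG_RW})
        # Agents only need to write log records.
        if info["kind"] == "agent" and reads_logs:
            findings.append((user, "agent can read log records; agents only need write"))
        # Administrators who read logs should not also write them.
        if info["kind"] == "admin" and reads_logs and writes_logs:
            findings.append((user, "log reader can also write log records"))
        # Managing policies requires read access to the identity data stores.
        if POLICY_RW in privs and not (privs & {DATASTORE_READ, REALM_RW}):
            findings.append((user, "policy administrator lacks read access to identity data stores"))
    return findings


# Constructed sample inventory (not real configuration data).
SAMPLE = {
    "groups": {
        "log-writers": [LOG_WRITE],
        "log-auditors": [LOG_READ],
        "log-admins": [LOG_RW],
        "policy-admins": [POLICY_RW],
        "realm-admins": [REALM_RW],
    },
    "users": {
        "agent-web1":   {"kind": "agent", "groups": ["log-writers"]},
        "agent-legacy": {"kind": "agent", "groups": ["log-admins"]},
        "auditor":      {"kind": "admin", "groups": ["log-auditors"]},
        "ops":          {"kind": "admin", "groups": ["log-admins"]},
        "pol-admin":    {"kind": "admin", "groups": ["policy-admins"]},
        "pol-lead":     {"kind": "admin", "groups": ["policy-admins", "realm-admins"]},
    },
}

if __name__ == "__main__":
    for user, problem in audit(SAMPLE):
        print(f"{user}: {problem}")
```

Running the script on the sample inventory reports three findings: the agent placed in the read/write log group, the administrator in the same group, and the policy administrator whose only group lacks data-store read access. The user holding both the policy and realm administrator privileges passes.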
If you have upgraded from Access Manager 7.0 to OpenSSO Enterprise, the privilege configuration differs from that of a fresh installation. To assign or modify privileges, click the name of the role or group you wish to edit and select from the following:
Read only access to data stores defines read access privileges to data stores. This privilege definition is for use only with Read and write access only for policy properties to control delegation for policy administrators.
Read and write access to all log files defines both read and write permission to log records for log administrators.
Write access to all log files defines write permission to log records for log administrators.
Read access to all log files defines only read permission to log records for log administrators.
Read and write access only for policy properties defines read and write permission regarding policies and policy configurations for policy administrators.
Read and write access to all realm and policy properties defines read and write permissions to all realm configuration data for realm administrators.
Read only access to all properties and services defines read permission to all properties and services. This privilege definition is for use only with Read and write access only for policy properties to control delegation for policy administrators.