Delegating Administrator Roles

About Delegating Administrator Roles

The access management system enables you to delegate various management tasks to different administrators through system administrator roles and security administrator roles. System and security administrator roles are defined entities that specify management functions and session properties for administrators who are mapped to those roles. You can customize an administrator role by selecting the feature sets, user roles, authentication realms, resource policies, and resource profiles that members of the administrator role are allowed to view and manage. Note that system administrators may only manage user roles, realms, and resource policies; only security administrators can manage administrator components.

For example, you can create a system administrator role called "Help Desk Administrators" and assign users to this role who are responsible for fielding tier 1 support calls, such as helping users understand why they cannot access a Web application or system page. In order to help with troubleshooting, you may configure settings for the "Help Desk Administrators" role as follows:

Allow the help desk administrators Write access to the System > Log/Monitoring page so they can view and filter the system logs, tracking down critical events in individual users' session histories, as well as the Maintenance > Troubleshooting page so they can trace problems on individual users' systems.

Allow the help desk administrators Read access to the Users > User Roles pages so they can understand which bookmarks, shares, and applications are available to individual users' roles, as well as the Resource Policy or Resource Profile pages so they can view the policies that may be denying individual users access to their bookmarks, shares, and applications.

Deny the help desk administrators any access to the remaining System pages and Maintenance pages, which are primarily used for configuring system-wide settings (such as installing licenses and service packages), not for troubleshooting individual users' problems.

In addition to any delegated administrator roles that you may create, the system also includes two basic types of administrators: super administrators (the .Administrators role), who can perform any administration task through the admin console, and read-only administrators (the .Read-Only Administrators role), who can view, but not change, the entire system configuration through the admin console.

You can also create a security administrator role called "Help Desk Manager" and assign users to this role who are responsible for managing the Help Desk Administrators. You might configure settings for the "Help Desk Manager" role to allow the Help Desk Manager to create and delete administrator roles on his own. The Help Desk Manager might create administrator roles that segment responsibilities by functional areas of the system. For example, one administrator role might be responsible for all log monitoring issues. Another might be responsible for all Network Connect problems.

All devices allow members of the .Administrators role to configure general role settings, access management options, and session options for the .Administrators and .Read-Only Administrators roles.

On certain pages, such as the role mapping page, the delegated administrator can view the role names even though the administrator does not have read/write access. However, the delegated administrator cannot view the details of that role.

Creating and Configuring Administrator Roles

You can use the Administrators > Admin Roles pages to set default session and user interface options for delegated administrator roles.

To create individual administrator accounts, you must add the users through the appropriate authentication server (not the role). For example, to create an individual administrator account, you may use settings in the Authentication > Auth. Servers > Administrators > Users page of the admin console. For detailed instructions on how to create users on the Administrators server and other local authentication servers. For instructions on how to create users on third-party servers, see the documentation that comes with that product.

To create an administrator role:

1. In the admin console, choose Administrators > Admin Roles.

2. Do one of the following:

Click New Role to create a new administrator role with the default settings.

Select the check box next to an existing administrator role and click Duplicate to copy the role and its custom permissions. Note that you cannot duplicate the system default roles (.Administrators and .Read-Only Administrators).

3. Enter a name (required) and description (optional) for the new role and click Save Changes.

4. Modify restrictions, session options, and UI options according to your requirements. You can also set the number of records that appear per page in tables.

If you select one of the system's default administrator roles (.Administrators or .Read-Only Administrators), you can only modify settings in the General tab (since the default system administrator roles always have access to the functions defined through the System, Users, Administrators, and Resource Policies tabs).

You cannot delete the .Administrators and .Read-Only Administrators roles since they are default roles.

Specifying Management Tasks to Delegate

This topic contains information about delegating management tasks to various delegated administrator roles.

Delegating System Management Tasks

Use the Administrators > Admin Roles > Select Role > System tab to delegate various system management tasks to different administrator roles. When delegating privileges, note that:

The system allows all administrators read-access (at minimum) to the admin console home page (System > Status > Overview), regardless of the privilege level you choose.

The system does not allow delegated administrators write-access to pages where they can change their own privileges. Only those administrator roles that come with the system (.Administrators and .Read-Only Administrators) may access these pages:

Maintenance > Import/Export (Within this page, .Read-Only Administrators can export settings, but cannot import them.)

Maintenance > Push Config

Maintenance > Archiving > Local Backups
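The following is an added example, not part of the product documentation: a small model of the delegation rules listed above (the read floor on the home page and the pages reserved for the built-in roles), applied to the "Help Desk Administrators" example from the start of this topic. The page paths and the contents of the Help Desk role are assumptions taken from the text, and the functions are hypothetical helpers for checking a role definition before it is applied.

```python
from enum import IntEnum


class Access(IntEnum):
    DENY = 0
    READ = 1
    WRITE = 2


# Every administrator gets at least read access to the admin console home page.
HOME_PAGE = "System > Status > Overview"
# Pages a delegated administrator never gets, because they could be used to
# change the administrator's own privileges; only built-in roles may use them.
RESERVED_PAGES = {
    "Maintenance > Import/Export",
    "Maintenance > Push Config",
    "Maintenance > Archiving > Local Backups",
}
BUILTIN_SUPER = ".Administrators"
BUILTIN_READONLY = ".Read-Only Administrators"

# Constructed role definition, following the Help Desk example in the text.
HELP_DESK_ROLE = {
    "System > Log/Monitoring": Access.WRITE,
    "Maintenance > Troubleshooting": Access.WRITE,
    "Users > User Roles": Access.READ,
    "Users > Resource Policies": Access.READ,
}


def effective_access(role_name: str, permissions: dict, page: str) -> Access:
    """Return the access a role actually gets on a page once the system rules apply."""
    if role_name == BUILTIN_SUPER:
        return Access.WRITE  # super administrators can do anything
    if role_name == BUILTIN_READONLY:
        # Read-only administrators can view every page; on Import/Export this
        # means exporting is allowed but importing (a write) is not.
        return Access.READ
    if page in RESERVED_PAGES:
        return Access.DENY  # never delegated, whatever the role asks for
    granted = permissions.get(page, Access.DENY)
    if page == HOME_PAGE:
        return max(granted, Access.READ)  # read floor on the home page
    return granted


def delegation_violations(role_name: str, permissions: dict) -> list:
    """List reserved pages a delegated role requests; the system will not grant them."""
    if role_name in (BUILTIN_SUPER, BUILTIN_READONLY):
        return []
    return sorted(p for p, a in permissions.items()
                  if p in RESERVED_PAGES and a > Access.DENY)
```

Running delegation_violations over a proposed role before saving it shows which requested pages will silently fall back to no access.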

Delegating User and Role Management

Use the Administrators > Admin Roles > Select Role > Users > Roles sub-tab to specify which user roles the administrator role can manage. When delegating role management privileges, note that:

Delegated administrators can only manage user roles.

Delegated administrators cannot create new user roles, copy existing roles, or delete existing roles.

If you allow the delegated administrator to read or write to any feature within a user role, the system also grants the delegated administrator read access to the Users > User Roles > Select Role > General > Overview page for that role.

If you grant a delegated administrator write access to a resource policy through the Administrators > Admin Roles > Select Administrator Role > Resource Policies page, he may create a resource policy that applies to any user role, even if you do not grant him read access to the role.

Delegating User Realm Management

Use the Administrators > Admin Roles > Select Role > Users > Authentication Realms tab to specify which user authentication realms the administrator role can manage. When delegating realm management privileges, note that:

System administrators can only manage user realms.

System administrators cannot create new user realms, copy existing realms, or delete existing realms.

If you allow the system administrator to read or write to any user realm page, the system also grants the system administrator read-access to the Users > User Realms > Select Realm > General page for that realm.

Delegating Administrative Management

Use the Administrators > Admin Roles > Select Role > Administrators tab to specify which system administrator roles and realms the security administrator role can manage. When delegating security administrative privileges, note that:

The security administrator role provides control over all administrative roles and realms.

You can give a security administrator control exclusively over administrator roles, over administrator realms, or over both.

You can restrict or grant the security administrator the permission to add and delete administrator roles and administrator realms.

Delegating Resource Policy Management

Use the Administrators > Admin Roles > Resource Policies tab to specify which user resource policies the administrator role can manage. When delegating resource policy management privileges, note that delegated system administrators cannot modify the following characteristics of resource policies:

The resource itself (that is, the IP address or hostname).

The order to evaluate the resource policies.

Delegating Resource Profile Management

Use the Administrators > Admin Roles > Resource Profiles tab to specify which user resource profiles the administrator role can manage. When delegating resource profile management privileges, note that delegated system administrators cannot modify the following characteristics of resource profiles:

The resource itself (that is, the IP address or hostname).

The order to evaluate the resource policies.