Delegated Access Control Administration

Overview

Administrators can delegate subsets of their administrative privileges to other users or groups. These users or groups can in turn delegate subsets of their privileges to additional users and groups.

The delegated administration policy determines how users are permitted to delegate their privileges and defines which role assignments are necessary in order to perform specific changes to the access control configuration.

A user Foo can create or delete a role assignment for a specific user or group UG to a role identified by role type RT and resource R in either of the following cases:

  • All of the following criteria are met:

    • Foo has one of the following roles...

      • Security Administrator@R
      • Administrator@R

    • Foo has at least a role of type RT on R

    • Foo has one of the following roles...

      • Delegator@UG
      • Security Administrator@UG
      • Administrator@UG

  • Foo has one of the following roles...

    • Administrator@Portal
    • Security Administrator@Portal

For example, in order to assign a group to a role of type Editor on a resource, a user who holds no portal-wide administrator role needs all of the following:

  • Security Administrator@Resource (or Administrator@Resource)
  • Editor@Resource, or a higher role of that type on the resource
  • Delegator@Group (or Security Administrator@Group or Administrator@Group)

The roles...

  • Security Administrator@Portal
  • Administrator@Portal

...allow users to make unrestricted changes to the access control configuration of resources that are under internal portal control.

If resources are externally controlled by a security manager such as Tivoli Access Manager, users also need one of the following roles...

  • Administrator@External Access Control
  • Security Administrator@External Access Control

A user Foo can create or delete a role block on a specific resource R and a role type RT in either of the following cases:

  • Both of the following criteria are met...

    • Foo has one of the following roles...

      • Security Administrator@R
      • Administrator@R

    • Foo has at least a role of type RT on R

  • ...or Foo has one of the following roles...

    • Security Administrator@Portal
    • Administrator@Portal


Example of the delegated administration policy

Foo needs the authority to delete Hans from the Editor@Market News Page role. Hans is a member of the Marketing group. Foo can do this if all of the following conditions are true:

  • Foo is either...

    • Security Administrator@Market News Page
    • Administrator@Market News Page

    She can acquire this role through an explicit role assignment, through an Administrator or Security Administrator role assignment on a parent resource, or by belonging to a group that has the appropriate role assignment.

  • Foo is at least Editor@Market News Page, since the role being removed is of type Editor.

  • Foo has the Delegator@Marketing role.

    Foo cannot delete arbitrary users or groups from the Editor@Market News Page role. She can delete only those users and groups for which she has a Delegator role (or an Administrator or Security Administrator role). Because Hans is a member of the Marketing group, her Delegator@Marketing role covers Hans.
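The two rules above (who may create or delete a role assignment, and who may create or delete a role block), together with this worked example, evaluated by a small policy checker. This is an added illustration, not WebSphere Portal code or its API. The resource tree, the group memberships, the users Root, Ext and Ingrid, the group Content Admins, the resources Pages and Intranet, and the ordering of role types are all constructed for the example; the inheritance and ordering assumptions are stated in the module docstring.

```python
"""Evaluator for the delegated administration policy on this page.

Added example, not WebSphere Portal code. Modelling assumptions:
- a role is (role_type, resource); groups are resources too, so
  Delegator@Marketing is ("Delegator", "Marketing");
- every role assignment propagates down the resource tree (the page states
  this for Administrator and Security Administrator; assumed for all types);
- a user holds the roles of each group it belongs to;
- "at least a role of type RT" uses the assumed ROLE_LADDER below; Delegator
  and Security Administrator sit outside it, as the worked example implies.
"""
from __future__ import annotations
from dataclasses import dataclass, field

ADMIN_ROLES = ("Administrator", "Security Administrator")
DELEGATING_ROLES = ("Delegator",) + ADMIN_ROLES
ROLE_LADDER = ["User", "Editor", "Administrator"]   # assumed; higher index = more privilege
PORTAL = "Portal"                                   # virtual root resource
EXTERNAL = "External Access Control"                # virtual resource for external managers


@dataclass
class AccessControl:
    parents: dict[str, str]                   # resource -> parent resource
    groups: dict[str, set[str]]               # user -> groups the user belongs to
    assignments: set[tuple[str, str, str]]    # (principal, role_type, resource)
    external: set[str] = field(default_factory=set)   # externally controlled resources

    def principals(self, user: str) -> set[str]:
        """The user plus every group whose roles it inherits."""
        return {user} | self.groups.get(user, set())

    def lineage(self, resource: str) -> set[str]:
        """The resource and all of its ancestors up to the root."""
        seen: set[str] = set()
        while resource is not None and resource not in seen:
            seen.add(resource)
            resource = self.parents.get(resource)
        return seen

    def role_types(self, user: str, resource: str) -> set[str]:
        """Role types the user effectively holds on the resource."""
        who, where = self.principals(user), self.lineage(resource)
        return {rt for p, rt, r in self.assignments if p in who and r in where}

    def holds_any(self, user, role_types, resource) -> bool:
        return bool(self.role_types(user, resource) & set(role_types))

    def holds_at_least(self, user, role_type, resource) -> bool:
        """True if the user holds role_type or a higher rung of the ladder on resource."""
        held = self.role_types(user, resource)
        if role_type not in ROLE_LADDER:      # off-ladder types must be held exactly
            return role_type in held
        needed = ROLE_LADDER.index(role_type)
        return any(ROLE_LADDER.index(rt) >= needed for rt in held if rt in ROLE_LADDER)

    def may_delegate_for(self, actor, target) -> bool:
        """Delegator or admin role on the target itself, or on a group the target is in."""
        return any(self.holds_any(actor, DELEGATING_ROLES, t) for t in self.principals(target))

    def external_ok(self, actor, resource) -> bool:
        """Externally controlled resources additionally need an admin role @External Access Control."""
        return resource not in self.external or self.holds_any(actor, ADMIN_ROLES, EXTERNAL)

    def can_change_role_assignment(self, actor, target, role_type, resource) -> bool:
        """May actor create or delete the assignment target -> role_type@resource?"""
        if not self.external_ok(actor, resource):
            return False
        if self.holds_any(actor, ADMIN_ROLES, PORTAL):    # portal-wide administrators
            return True
        return (self.holds_any(actor, ADMIN_ROLES, resource)
                and self.holds_at_least(actor, role_type, resource)
                and self.may_delegate_for(actor, target))

    def can_change_role_block(self, actor, role_type, resource) -> bool:
        """May actor create or delete a role block for role_type on resource?"""
        if not self.external_ok(actor, resource):
            return False
        if self.holds_any(actor, ADMIN_ROLES, PORTAL):
            return True
        return (self.holds_any(actor, ADMIN_ROLES, resource)
                and self.holds_at_least(actor, role_type, resource))


def sample_policy() -> AccessControl:
    """Constructed data mirroring the page's worked example (Foo, Hans, Marketing)."""
    return AccessControl(
        parents={"Market News Page": "Pages", "Pages": PORTAL, "Intranet": PORTAL},
        groups={"Hans": {"Marketing"}, "Foo": {"Content Admins"}},
        assignments={
            ("Content Admins", "Security Administrator", "Pages"),   # inherited by the child page
            ("Foo", "Editor", "Market News Page"),
            ("Foo", "Delegator", "Marketing"),
            ("Root", "Administrator", PORTAL),                       # portal-wide, no external role
            ("Ext", "Administrator", PORTAL),
            ("Ext", "Security Administrator", EXTERNAL),
        },
        external={"Intranet"},
    )


if __name__ == "__main__":
    ac = sample_policy()
    print(ac.can_change_role_assignment("Foo", "Hans", "Editor", "Market News Page"))    # True
    print(ac.can_change_role_assignment("Foo", "Ingrid", "Editor", "Market News Page"))  # False
```

Running the checker on the constructed data reproduces the example: Foo may remove Hans from Editor@Market News Page because the group Content Admins gives her Security Administrator on the parent Pages, she holds Editor on the page directly, and Delegator@Marketing covers Hans through his group membership. The same user cannot touch Ingrid (no Delegator role covers her) and cannot assign Administrator on the page (Security Administrator does not count as "at least Administrator"). Root, a portal-wide administrator, is unrestricted on internally controlled resources but is refused on the externally controlled Intranet until an admin role @External Access Control is added, as Ext has.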
