Administration users

We can create administration accounts with varying degrees of responsibility. Responsibility is delegated to administrators through strategically placed administration ACLs. The following list illustrates possible administration roles:

Security policy administrator
Security policy administrators are responsible for defining and organizing security policy in a domain. The administrator needs to be able to create, modify, and delete security policy. To do these tasks, these administrators need the following permissions on the /Management/ACL, /Management/POP, and /Management/Rule resources:

  • Traverse (T)

  • Browse (b)

  • View (v)

  • Modify (m)

  • Delete (d)

These administrators need the following permissions to navigate their subtree of protected resources:

  • Traverse (T)

  • Browse (b)

  • View (v)

These administrators need the following permission to attach a security policy to, and detach it from, the same subtree:

  • Attach (a)

These administrators must have the following permissions so that they are not affected by security policies that apply to all users of the same subtree:

  • Bypass POP (B)

  • Bypass rule (R)

Protected resource administrator
Protected resource administrators are responsible for adding and removing user access to one or more protected resources. These tasks include:

  • Adding users to and removing users from groups defined in the security policy

  • Adding permissions to and removing permissions from resources

These administrators need the following permissions on the /Management/Groups protected resource or on the individual groups defined in the /Management/Groups subtree:

  • Traverse (T)

  • Browse (b)

  • View (v)

  • Add (A)

Deployment administrator
Deployment administrators are responsible for installation and configuration of the resource managers in the domain. These administrators need the following permissions on the /Management/Server protected resource:

  • Traverse (T)

  • Browse (b)

  • View (v)

  • Modify (m)

  • Delete (d)

These permissions allow them to configure resource managers into and out of the domain and to update their configuration. See Permissions attribute.
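The three roles above map directly onto groups, ACLs and attach points, so the following pdadmin command sequence is added here as a worked example of implementing all three; it is not taken from the product documentation. The group names, the LDAP suffix o=example,c=us and the application subtree /WebSEAL/app-host are assumptions for illustration and must be replaced with your own values. The permission strings are the ones the text lists for each role, concatenated in the form pdadmin expects (for example Tbvmd). The lines beginning with # are annotations; remove them if your pdadmin version rejects them when the commands are pasted interactively.

```pdadmin
# Added example (not the product's own documentation). Run at the pdadmin
# prompt as sec_master or another identity holding the permissions needed
# to create groups and ACLs and to attach ACLs under /Management.

# --- Security policy administrator -------------------------------------
group create secpol-admins cn=secpol-admins,o=example,c=us secpol-admins

# Tbvmd on the three policy object spaces: create, modify and delete policy.
acl create secpol-mgmt-acl
acl modify secpol-mgmt-acl description "Policy admins manage ACLs, POPs and rules"
acl modify secpol-mgmt-acl set group secpol-admins Tbvmd
acl attach /Management/ACL secpol-mgmt-acl
acl attach /Management/POP secpol-mgmt-acl
acl attach /Management/Rule secpol-mgmt-acl

# Tbv (navigate) + a (attach/detach) + BR (bypass POPs and rules) on the
# subtree the policy admin is responsible for. /WebSEAL/app-host is assumed.
acl create secpol-subtree-acl
acl modify secpol-subtree-acl set group secpol-admins TbvaBR
acl attach /WebSEAL/app-host secpol-subtree-acl

# --- Protected resource administrator ----------------------------------
# TbvA on /Management/Groups: navigate the group space and add/remove members.
group create resource-admins cn=resource-admins,o=example,c=us resource-admins
acl create resource-admin-acl
acl modify resource-admin-acl set group resource-admins TbvA
acl attach /Management/Groups resource-admin-acl

# --- Deployment administrator ------------------------------------------
# Tbvmd on /Management/Server: configure resource managers in and out.
group create deploy-admins cn=deploy-admins,o=example,c=us deploy-admins
acl create deploy-admin-acl
acl modify deploy-admin-acl set group deploy-admins Tbvmd
acl attach /Management/Server deploy-admin-acl

# Verify before granting group membership: acl show lists every entry,
# including the entry pdadmin added for the identity that created the ACL,
# and object show confirms which ACL is now attached at each point.
acl show secpol-mgmt-acl
acl show secpol-subtree-acl
acl show resource-admin-acl
acl show deploy-admin-acl
object show /Management/ACL
object show /Management/Groups
object show /Management/Server
```

Two points to check on the acl show output. First, attaching an ACL at /Management/ACL, /Management/Groups or /Management/Server replaces the ACL those objects previously inherited from /Management, so only the entries in the new ACL apply there: any other administrative identity that still needs access to that object space must be added to the new ACL explicitly, or it will be locked out. Second, the groups must also be able to traverse (T) the parent objects on the way to each attach point; if the inherited ACL on a parent does not grant that, add a traverse-only entry there rather than widening the role's own permissions.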
