Residual effects of delegated administration on admin results
When an operation is permitted, the API can check additional permissions to determine whether a different subset of results must be returned. The permission check in this case does not permit or deny the whole operation; it affects only the result set that is returned. The following table shows these additional effects of delegated administration on the result set. It assumes that no ACLs are attached to delegation protected objects under /Management/Groups. This assumption reduces many of the delegated administration complexities to simpler behavior.
Operation: RgyUser.listGroups(), RgyUser.listNativeGroups()
Permission to be checked:
    Check permission DELADMIN_VIEW ("v") on "/Management/Users". If permitted, return the group list.
    Otherwise, check permission DELADMIN_VIEW ("v") on "/Management/Groups". If permitted, return the group list.
    Otherwise, return an empty list.

Operation: RgyRegistry.listUsers({pattern})
Permission to be checked:
    Check permission DELADMIN_VIEW ("v") on "/Management/Users". If permitted, return a list of users matching {pattern}.
    Otherwise, check permission DELADMIN_VIEW ("v") on "/Management/Groups". If permitted, return a list of users matching {pattern}. In this case, the current API returns only users that are a member of at least one Security Verify Access group.
    If not permitted, return an empty list.

Operation: RgyRegistry.listNativeUsers({pattern})
Permission to be checked:
    Check permission DELADMIN_VIEW ("v") on "/Management/Users". If permitted, return a list of user DNs with an attribute matching {pattern} (both Security Verify Access and non-Security Verify Access user DNs).
    Otherwise, check permission DELADMIN_VIEW ("v") on "/Management/Groups". If permitted, return a list of user DNs with an attribute matching {pattern}. In this case, the current API returns only DNs where the DN itself matches the pattern, and only DNs of ISAM users that are a member of at least one Security Verify Access group.
    If not permitted, return an empty list.

Operation: RgyRegistry.createGroup()
Permission to be checked:
    New code is unable to create the group delegation protected object.

Operation: RgyGroup.importNativeGroup()
Permission to be checked:
    New code is unable to create the group delegation protected object.

Operation: RgyRegistry.deleteGroup()
Permission to be checked:
    New code is unable to delete the group delegation protected object, if it exists.

Operation: RgyRegistry.listGroups({pattern})
Permission to be checked:
    groupList = list all groups with an ISAM ID matching {pattern}.
    Check the configuration option "[delegated-admin] authorize-group-list = yes/no". If authorize-group-list is no, return groupList.
    Otherwise, check permission DELADMIN_VIEW ("v") on "/Management/Groups". If permitted, return groupList. Otherwise, return an empty list.

Operation: RgyRegistry.listNativeGroups({pattern})
Permission to be checked:
    groupList = list all group DNs with an attribute matching {pattern}.
    Check the configuration option "[delegated-admin] authorize-group-list = yes/no". If authorize-group-list is no, return groupList.
    Otherwise, check permission DELADMIN_VIEW ("v") on "/Management/Groups". If permitted, return groupList. Otherwise, return an empty list.
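The decision sequence in the table, as an added model written for this page (it is not IBM's Registry Direct API code). It assumes an administrator's permissions are represented as a constructed set of (permission, protected-object) pairs, a constructed sample registry of users and their group memberships, and shell-style wildcards as a stand-in for the API's {pattern} matching.

```python
import fnmatch

# Protected objects and the permission bit named in the table.
USERS_OBJ = "/Management/Users"
GROUPS_OBJ = "/Management/Groups"
DELADMIN_VIEW = "v"

# Possible outcomes for the result set (the operation itself is already permitted).
FULL = "full"                    # full result set
GROUP_MEMBERS_ONLY = "members"   # only users in at least one Security Verify Access group
EMPTY = "empty"                  # empty list

# Constructed sample registry: user id -> groups the user belongs to.
SAMPLE_USERS = {
    "alice": ["admins"],
    "bob": [],            # Security Verify Access user that is in no group
    "carol": ["staff"],
    "dave": [],
}


def _permitted(perms, obj):
    """perms is a constructed set of (permission, protected-object) pairs."""
    return (DELADMIN_VIEW, obj) in perms


def list_users_scope(perms):
    """RgyRegistry.listUsers / listNativeUsers: check Users first, then fall back to Groups."""
    if _permitted(perms, USERS_OBJ):
        return FULL
    if _permitted(perms, GROUPS_OBJ):
        return GROUP_MEMBERS_ONLY
    return EMPTY


def user_list_groups_scope(perms):
    """RgyUser.listGroups / listNativeGroups: either object grants the full group list."""
    if _permitted(perms, USERS_OBJ) or _permitted(perms, GROUPS_OBJ):
        return FULL
    return EMPTY


def registry_list_groups_scope(perms, authorize_group_list):
    """RgyRegistry.listGroups / listNativeGroups, gated by [delegated-admin] authorize-group-list."""
    if not authorize_group_list:      # authorize-group-list = no: no permission check at all
        return FULL
    return FULL if _permitted(perms, GROUPS_OBJ) else EMPTY


def list_users(perms, pattern, users=SAMPLE_USERS):
    """Apply list_users_scope to the sample registry and return the matching user ids."""
    scope = list_users_scope(perms)
    matches = sorted(u for u in users if fnmatch.fnmatchcase(u, pattern))
    if scope == FULL:
        return matches
    if scope == GROUP_MEMBERS_ONLY:   # Groups-only view drops users with no group membership
        return [u for u in matches if users[u]]
    return []
```

The Groups-only fallback silently narrows the result set, so an administrator whose listing of users comes back shorter than expected should check which of the two protected objects carries the DELADMIN_VIEW permission before assuming the users are missing from the registry.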
Parent topic: Authorization