Delegated Access Control Administration
Overview
Administrators can use the delegated administration policy to delegate subsets of administrative privileges (changing role assignments and setting role blocks) to other users or groups, who in turn can delegate subsets of their privileges to additional users and groups.
For example, user U can create or delete a role assignment for a specific user or group UG to a role identified by role type RT and resource R in either of the following cases:
- All of the following criteria are met:
  - U has the Security Administrator@R or Administrator@R role
  - U has at least a role of type RT on R
  - U has the Delegator@UG, Security Administrator@UG, or Administrator@UG role
- U has the Administrator@Portal or Security Administrator@Portal role
For example, in order to assign a group to a role of type Editor on a resource, a user must have at least the following roles:
- Delegator@Group
- Security Administrator@Resource
- Editor@Resource
Security Administrator@Portal and Administrator@Portal allow users to make unrestricted changes to the access control configuration of resources that are under internal portal control.
Administrator@External Access Control or Security Administrator@External Access Control allows users to change the access control configuration for resources externally controlled by a security manager such as Tivoli Access Manager.
The general policy for creating or deleting role blocks is as follows: a user U can create or delete a role block on a specific resource R and a role type RT in either of the following cases:
- Both of the following criteria are met:
  - U has the Security Administrator@R or Administrator@R role
  - U has at least a role of type RT on R
- U has the Security Administrator@Portal or Administrator@Portal role
Example of the delegated administration policy
Mary needs the authority to delete Hans from the Editor@Market News Page role. Hans is a member of the Marketing group. She can do this if all of the following conditions are true:
- Mary is either Security Administrator@Market News Page or Administrator@Market News Page. She can acquire this role through an explicit role assignment, through an Administrator or Security Administrator role assignment on a parent resource, or by belonging to a group that has the appropriate role assignment.
- Mary is at least Editor@Market News Page, since Hans will be deleted from the Editor role type.
- Mary has a Delegator@Marketing Group role. Mary cannot delete arbitrary users or groups from the Editor@Market News Page role. She can delete only those users and groups for which she has a Delegator role. Because Hans is a member of the Marketing group, Mary has a Delegator role for Hans.
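The two rule sets above (role assignments and role blocks) and the Mary/Hans example can be checked mechanically. The following is an added example, not WebSphere Portal code: a small policy evaluator that models resources with a parent chain, users and groups as principals, explicit role assignments, and role blocks. The role-type hierarchy in `IMPLIES` (what counts as "at least" a role of a given type) and the role block semantics (a block on `(RT, R)` stops `RT` from being inherited into `R` from its ancestors, without cancelling an explicit assignment on `R`) are assumptions made for this example; the page itself only states the policy rules. The sample data in `mary_hans_policy()` is constructed to match the worked example.

```python
"""Toy evaluator for the delegated administration policy described above.
Added example, not WebSphere Portal code. The role-type hierarchy and the
role block semantics are assumptions, labelled where they appear."""
from dataclasses import dataclass, field

# Assumption: which role types count as "at least" another role type.
# The page only says "at least a role of type RT"; this ordering is illustrative.
IMPLIES = {
    "Administrator": {"Security Administrator", "Delegator", "Manager", "Editor",
                      "Contributor", "Privileged User", "User"},
    "Security Administrator": {"Delegator"},
    "Delegator": set(),
    "Manager": {"Editor", "Contributor", "Privileged User", "User"},
    "Editor": {"Contributor", "Privileged User", "User"},
    "Contributor": {"Privileged User", "User"},
    "Privileged User": {"User"},
    "User": set(),
}
ADMIN_TYPES = {"Security Administrator", "Administrator"}
DELEGATOR_TYPES = {"Delegator"} | ADMIN_TYPES
PORTAL = "Portal"  # the virtual resource for portal-wide administration


@dataclass
class Policy:
    parent: dict                      # resource -> parent resource, None for a root
    groups: dict                      # group -> set of direct members (users or groups)
    assignments: set                  # {(principal, role_type, resource)}
    blocks: set = field(default_factory=set)  # {(role_type, resource)}

    def principals_of(self, principal):
        """The principal itself plus every group containing it, transitively."""
        result = {principal}
        changed = True
        while changed:
            changed = False
            for group, members in self.groups.items():
                if group not in result and members & result:
                    result.add(group)
                    changed = True
        return result

    def role_types_on(self, user, resource):
        """Role types user holds on resource, directly or via group membership,
        including roles inherited from ancestor resources. Assumption: a role
        block (RT, R) stops RT from being inherited into R from R's ancestors,
        but does not cancel an explicit assignment of RT on R itself."""
        held, blocked = set(), set()
        principals = self.principals_of(user)
        r = resource
        while r is not None:
            for principal, rt, res in self.assignments:
                if res == r and principal in principals and rt not in blocked:
                    held.add(rt)
            blocked |= {rt for rt, res in self.blocks if res == r}
            r = self.parent.get(r)
        return held

    def has_at_least(self, user, role_type, resource):
        held = self.role_types_on(user, resource)
        return role_type in held or any(role_type in IMPLIES[h] for h in held)

    def is_admin_of(self, user, resource):
        return bool(self.role_types_on(user, resource) & ADMIN_TYPES)

    def may_delegate_to(self, user, target):
        """U holds Delegator, Security Administrator or Administrator on the
        target user or group, or on a group the target belongs to."""
        return any(self.role_types_on(user, p) & DELEGATOR_TYPES
                   for p in self.principals_of(target))

    def can_change_assignment(self, user, target, role_type, resource):
        """Policy for creating or deleting a role assignment (first rule set)."""
        if self.is_admin_of(user, PORTAL):
            return True
        return (self.is_admin_of(user, resource)
                and self.has_at_least(user, role_type, resource)
                and self.may_delegate_to(user, target))

    def can_change_block(self, user, role_type, resource):
        """Policy for creating or deleting a role block (second rule set)."""
        if self.is_admin_of(user, PORTAL):
            return True
        return (self.is_admin_of(user, resource)
                and self.has_at_least(user, role_type, resource))


def mary_hans_policy():
    """Constructed sample data modelling the Mary / Hans example."""
    return Policy(
        parent={"Market News Page": "Content Root", "Content Root": None, PORTAL: None},
        groups={"Marketing": {"Hans"}},
        assignments={
            ("Mary", "Security Administrator", "Content Root"),  # inherited by the page
            ("Mary", "Editor", "Market News Page"),
            ("Mary", "Delegator", "Marketing"),
            ("Hans", "Editor", "Market News Page"),
        },
    )


if __name__ == "__main__":
    p = mary_hans_policy()
    print(p.can_change_assignment("Mary", "Hans", "Editor", "Market News Page"))
```

Removing Mary's Editor@Market News Page assignment makes the check fail even though she is still Security Administrator on the page, which is the point of the "at least a role of type RT" criterion under the assumed hierarchy; adding a role block for Security Administrator on the page cuts off the role she inherits from the parent, so she is no longer an administrator of the page at all.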