+

Search Tips   |   Advanced Search

Delegated Access Control Administration


IBM WebSphere Portal supports delegated access control administration.


Description of delegated administration and policy

This topic describes the delegation of access control administration and policy, and gives an example of the delegated administrative policy.


Delegated Administration

WebSphere Portal supports delegated access control administration. An administrator is a user who is authorized to modify the access control configuration by changing role assignments and creating or deleting role blocks. Administrators can delegate specific subsets of their administrative privileges to other users or groups. These users or groups can in turn delegate subsets of their privileges to additional users and groups. The delegated administration policy determines how users are permitted to delegate their privileges.

Delegated Administration Policy:

The delegated administration policy defines which role assignments are necessary in order to perform specific changes to the access control configuration.

The general policy for creating or deleting role assignments is as follows: A user U can create or delete a role assignment for a specific user or group UG to a role identified by role type RT and resource R in either of the following cases:

For example, in order to assign a group to a role of type Editor on a resource, you must have at least the Delegator@Group + Security_Administrator@Resource + Editor@Resource roles.

The Security Administrator@Portal and Administrator@Portal roles allow users to make unrestricted changes to the access control configuration of resources that are under internal portal control. Users also need the Administrator@External Access Control role or the Security Administrator@External Access Control role in order to change the access control configuration for resources that are externally controlled by a security manager such as Tivoli Access Manager.

The general policy for creating or deleting role blocks is as follows: A user U can create or delete a role block on a specific resource R and a role type RT in either of the following cases:


Example of the delegated administration policy

Mary needs the authority to delete Hans from the Editor@Market News Page role. Hans is a member of the Marketing group. She can do this if all of the following conditions are true:


Parent: Controlling access