Predefined Roles and Permissions

There are a number of roles and permissions predefined in Policy Manager. Any user added to a role automatically inherits the permissions for that role. If a user is added to multiple roles, that user is granted permissions from all the roles. 
Role: Administrator
Permissions: Create, read, update, and delete any object in the system.
For more information, see: This role provides unrestricted access to the CA API Gateway. The Policy Manager documentation describes the features from an Administrator perspective.

Role: Gateway Maintenance
Permissions: Create, read, and update configuration for the FTP Audit Archiver. Delete any audit record.
For more information, see: The hidden cluster property audit.archiver.ftp.config stores the configuration of the FTP Audit Archiver that is visible on the interface. Contact your system administrator before modifying this property. FTP Audit Archiver

Role: Invoke Audit Viewer Policy
Permissions: Users with this role are permitted to invoke the Audit Viewer Policy.
For more information, see: Invoke the Audit Viewer Policy (in Gateway Audit Events); Working with Internal Use Policies

Role: Manage Administrative Accounts Configuration
Permissions: Create, read, and update cluster properties applicable to administrative account configuration: logon.maxAllowableAttempts, logon.lockoutTime, logon.sessionExpiry, and logon.inactivityPeriod. These cluster properties can also be set using the Manage Administrative Users task.
For more information, see: Manage Administrative User Account Policy; Time Units

Role: Manage Certificates (truststore)
Permissions: Create, read, update, and delete trusted certificates and policies for revocation checking.
For more information, see: Certificate Expiration Notification; Manage Certificate Validation

Role: Manage Cluster Properties
Permissions: Create, read, update, and delete any cluster property.
For more information, see: Manage Cluster-Wide Properties; Time Units

Role: Manage Cluster Status
Permissions: Create, read, update, and delete cluster status information.
For more information, see: Dashboard - Cluster Status

Role: Manage Custom Key Value Store
Permissions: Create, read, update, and delete key values in the custom key value store.
For more information, see: Custom Assertions API

Role: Manage Email Listeners
Permissions: Create, read, update, and delete email listeners.
For more information, see: Manage Email Listeners

Role: Manage Encapsulated Assertions
Permissions: Create, read, update, and delete encapsulated assertions. Read any policy fragment. Read all assertions.
For more information, see: Manage Encapsulated Assertions; Working with Policy Fragments

Role: Manage Firewall Rules
Permissions: Create, read, update, and delete firewall rules.
For more information, see: Manage Firewall Rules

Role: Manage JDBC Connections
Permissions: Create, read, update, and delete JDBC connections.
For more information, see: Manage JDBC Connections

Role: Manage Listen Ports
Permissions: Create, read, update, and delete CA API Gateway listen ports (both HTTP(S) and FTP(S)), and list published services.
For more information, see: Manage Listen Ports

Role: Manage Log Sinks
Permissions: Create, read, update, and delete log sinks. Read access to the following entities:
  • Email listeners
  • Folders
  • Identity Providers
  • JMS Destinations
  • Listen ports
  • Log files
  • Policies
  • Services
  • Users
For more information, see: Manage Email Listeners; Organize Services and Policies into Folders; Impact of Security Zones; Manage JMS Destinations; Manage Listen Ports; Manage Log Sinks; View Logs; Policies

Role: Manage Message Destinations
Permissions: Create, read, update, and delete message destinations. This includes:
  • Create, read, update, and delete JMS Connections
  • Create, read, update, and delete JMS Endpoints
  • Create, read, update, and delete Polling Listeners
  • Read Private Keys
  • Read Private Key Stores
  • Read Published Services
  • Read Secure Passwords
For more information, see: Manage JMS Destinations; Manage Listen Ports; Managing Private Keys; Manage Published Services; Manage Stored Passwords

Role: Manage Modules Installable via Policy Manager
Permissions: Read, create, update, and delete server module files.
For more information, see: Manage Server Module Files

Role: Manage Password Policies
Permissions: Read and update the password policy.
For more information, see: Manage Password Policy

Role: Manage Private Keys
Permissions: Create, read, update, and delete private keys, and change the default SSL key and default CA key.
For more information, see: Manage Private Keys; Private Key Properties

Role: Manage Secure Passwords
Permissions: Read, create, update, and delete any stored password.
For more information, see: Manage Stored Passwords

Role: Manage CA Single Sign-On Configuration
Permissions: Read, create, update, and delete CA Single Sign-On configurations. This includes read access to all secure passwords.
For more information, see: Manage CA Single Sign-On Configurations; Manage Stored Passwords

Role: Manage UDDI Registries
Permissions: Create, read, update, and delete any UDDI registry connection.
For more information, see: Managing UDDI Registries; Publish to UDDI Settings; Service Properties

Role: Manage Web Services
Permissions: Publish any new web service and edit existing users. Edit a global policy fragment. Create, read, and update any policy. Delete any policy, excluding global policy fragments, internal policies, and policy fragments. Read any encapsulated assertion.
For more information, see: Working with SOAP Web Services; Working with Global Policy Fragments; Service Properties; Working with Internal Use Policies; Working with Policy Fragments

Role: Manage [name] Folder
Permissions: Read, update, and delete the contents, including aliases*, of the named folder. If there are nested sub folders, these privileges extend to the sub folders and their contents as well.
* Only if the user also has a role granting access to the original service or policy. The type of folder role ('Manage' or 'View') does not affect what can be done to an alias.
For more information, see: Organizing Services and Policies into Folders; Working with Aliases

Role: Manage [name] Identity Provider
Permissions: Read, update, and delete the named identity provider. Also create, search, update, and delete its users and groups.
For more information, see: Federated Identity Providers; LDAP Identity Providers; Federated Identity Provider Users and Groups

Role: Manage [name] Policy
Permissions: Read, update, and delete the named policy (either included fragment, global fragment, or internal use policy). Read any encapsulated assertion.
For more information, see: Creating a Policy; Encapsulated Assertions

Role: Manage [name] Service
Permissions: Read, update, and delete the named service.
For more information, see: Service Properties; Encapsulated Assertions

Role: Manage [name] Zone
Permissions: Create, read, update, and delete entities in the named security zone. View the root node folder.
For more information, see: Understanding Security Zones; Manage Security Zones

Role: Operator
Permissions: Read-only access to the CA API Gateway.
For more information, see: Similar to the Administrator role, except permissions are read only. To allow other permissions, assign other roles. Policy changes made with an Operator role cannot be saved (both the [Save] and [Save and Activate] buttons are disabled). However, policy changes can be preserved by exporting the policy.

Role: Publish External Identity Providers
Permissions: Create any external (LDAP or Federated) Identity Provider.
For more information, see: Federated Identity Providers; LDAP Identity Providers

Role: Publish Web Services
Permissions: Publish any new web service. Read any encapsulated assertion.
For more information, see: Publish SOAP Web Service Wizard; Search Identity Providers; Encapsulated Assertions

Role: Search Users and Groups
Permissions: Search and view users and groups in all identity providers.
For more information, see: Search Identity Providers

Role: View [name] Folder
Permissions: View the contents of the named folder, including the contents of any nested folders. Does not imply permission to view aliases, unless the user also holds a role granting access to the original service or policy. The type of folder role ('Manage' or 'View') does not affect what can be done to an alias. If a folder is nested within another folder, this role can see the parent folder(s) but not the contents of the parent folders.
For more information, see: Organize Services and Policies into Folders; Working with Aliases

Role: View Audit Records
Permissions: View audits in the Policy Manager.
For more information, see: Gateway Audit Events; View Logs

Role: View Service Metrics
Permissions: View any cluster node information, published service, service metrics bin, and service usage record.
For more information, see: Dashboard - Cluster Status

Role: View [name] Log Sink
Permissions: View the contents of the named log sink, including any log files associated with the sink.
For more information, see: View Logs; Manage Log Sinks

Role: View [name] Zone
Permissions: View the entities within the named security zone. View the root node folder.
For more information, see: Understanding Security Zones
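The union rule from the introduction (a user in several roles gets the permissions of all of them), the nested sub folder rule of the Manage [name] Folder role, and the alias footnote, modelled as a small permission check. This is an added illustration, not Policy Manager's own RBAC code; role names, folder paths and entity names are constructed, and "access to the original" is assumed to mean read access to the original service or policy.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

@dataclass(frozen=True)
class Entity:
    kind: str                            # "service", "policy" or "alias"
    name: str
    folder: str                          # folder path, e.g. "/" or "/apps/billing"
    original: Optional["Entity"] = None  # an alias points at its original entity

@dataclass(frozen=True)
class Role:
    name: str
    ops: FrozenSet[str]                  # operations the role grants
    folder: Optional[str] = None         # None = not folder-scoped (Operator, Administrator)

def in_scope(role: Role, entity: Entity) -> bool:
    """A folder role covers the named folder and every nested sub folder."""
    if role.folder is None:
        return True
    base = role.folder.rstrip("/") + "/"
    return entity.folder == role.folder or entity.folder.startswith(base)

def allowed(roles: Sequence[Role], op: str, entity: Entity) -> bool:
    """Union semantics: any held role granting op on an in-scope entity suffices."""
    granted = any(op in r.ops and in_scope(r, entity) for r in roles)
    if entity.kind != "alias" or not granted:
        return granted
    # Alias footnote: acting on an alias also needs a role granting access to the
    # original service or policy (assumption: read access to the original).
    return allowed(roles, "read", entity.original)

# Constructed sample roles mirroring table entries (names and paths are made up).
ALL_OPS = frozenset({"create", "read", "update", "delete"})
ADMINISTRATOR = Role("Administrator", ALL_OPS)
OPERATOR = Role("Operator", frozenset({"read"}))
MANAGE_APPS = Role("Manage apps Folder", frozenset({"read", "update", "delete"}), folder="/apps")

BILLING = Entity("service", "billing", "/apps/billing")
PAYROLL = Entity("service", "payroll", "/hr")
PAYROLL_ALIAS = Entity("alias", "payroll-alias", "/apps", original=PAYROLL)

def demo() -> dict:
    """Effective permissions for a user holding Operator + Manage apps Folder."""
    user = [OPERATOR, MANAGE_APPS]
    return {
        "update nested service": allowed(user, "update", BILLING),   # folder role reaches sub folder
        "read other folder": allowed(user, "read", PAYROLL),         # Operator contributes read
        "update other folder": allowed(user, "update", PAYROLL),     # no held role grants this
        "update alias": allowed(user, "update", PAYROLL_ALIAS),      # folder op plus read on original
        "update alias w/o original": allowed([MANAGE_APPS], "update", PAYROLL_ALIAS),
    }
```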