Administrators

An administrator is someone who can access Policy Server objects and tools.
sm1252sp1
An administrator is someone who can access Policy Server objects and tools.
You can create multiple administrator accounts so that different administrators have privileges according to their roles in an organization. This model allows you to delegate the management of Policy Server objects and tools to others.
A default super user account with full system privileges is created when you configure the policy store, which is the default source of administrator identities. This default configuration lets you manage the environment immediately after installing the software.
We recommend configuring an external administrator user store instead of using the default super user account.
Default Super User Administrator
When you install the Policy Server and configure the policy store, a default super user account is created. This account has the maximum system privileges, which permit the following operations:
  • Registering the Administrative UI with a Policy Server.
  • Creating any Policy Server object, including other administrator accounts.
  • Using the Policy Server tools.
  • Trusted Host administration.
  • Managing the Policy Management API.
The default superuser account has the following credentials:
  • User Name
    siteminder
  • Password
    The password that you specified when configuring the policy store.
Administrator Accounts
Administrator accounts can be used to perform the following administration tasks:
  • Manage Policy Server objects using the Administrative UI
  • Use Policy Server tools
To delegate privileges to other administrators, create more administrator accounts. Administrator accounts define the following properties:
  • Scope
    Specifies whether the Administrator can access all
    CA Single Sign-On
    data or only those objects that are defined in an assigned administrative
    Workspace
    .
  • Access methods
    Specifies what methods the Administrator can use to access and manage the data.
  • Rights
    Specifies what categories of objects the Administrator can access, and whether they can only view or modify those objects.
These properties let you create administrators and assign privileges to match the administrative roles in your organization.
You can only create more Administrator accounts that are associated with administrative users in an external administrator store. However, these Administrator accounts are automatically generated for Legacy Administrator records stored in the policy store to allow those administrators to access the Administrative UI.
Legacy Administrator Accounts
Legacy Administrators perform the following tasks:
  • Use Policy Server tools, such as smobjimport and smobjexport.
  • AdministerTrusted Hosts. Trusted Host Administrators can run the host registration process from the
    CA Single Sign-On
    agent host system. The registration process configures Agent to Policy Server connections.
  • Use the Policy Management API.
    A Legacy Administrator account is required when your environment includes a script or program that uses the Policy Management API. Create a Legacy Administrator with authentication privileges for executing those functions using the Policy Management API. 
sm1252sp1
Legacy Administrators can access the Administrative UI when the policy store is configured as the source of administrator identities (the default). However, after an external administrator store is configured, Legacy Administrator accounts
cannot
access the Administrative UI.
Administrator Store Options
By default, the Administrative UI uses the policy store as its source of administrator identities. However, we recommend that you use an external administrator user store, such as a corporate directory, for further administrator accounts.
Consider the following factors when deciding where to store administrator identities:
  • If you are configuring the Administrative UI with a single Policy Server, use the policy store to store administrator identities.
  • If you are configuring the Administrative UI with multiple Policy Servers, use an external administrator store.
  • If you store administrator identities in the policy store, establish a new administrator record in the policy store by creating a Legacy Administrator.
  • If you store administrator identities in an external store, create Administrator accounts to locate administrator records in the external store.
    After an external administrator store is configured, creating new Legacy Administrators or associating any Administrator accounts with Legacy Administrators is prohibited.
  • An external administrator store ensures that multiple Administrative UI instances share a set of administrators. By default, the Administrative UI uses the policy store that is configured with the registered Policy Server.