Administration users

You can create administration accounts with varying degrees of responsibility. Responsibility is delegated to administrators through strategically placed administration ACLs.

The following list illustrates possible administration roles:
Security policy administrator
Security policy administrators are responsible for defining and organizing security policy in a domain. The administrator needs to be able to create, modify, and delete security policy. To do these tasks, these administrators need the following permissions on the /Management/ACL, /Management/POP, and /Management/Rule resources:
  • Traverse (T)
  • Browse (b)
  • View (v)
  • Modify (m)
  • Delete (d)
These administrators need the following permissions to navigate their subtree of protected resources:
  • Traverse (T)
  • Browse (b)
  • View (v)
These administrators need the following permission to attach a security policy to, and detach it from, the same subtree:
  • Attach (a)
These administrators must have the following permissions so as not to be affected by security policies that apply to all users for the same subtree.
  • Bypass POP (B)
  • Bypass rule (R)
Protected resource administrator
Protected resource administrators are responsible for adding and removing user access to one or more protected resources. These tasks include:
  • Adding users to and removing users from groups that are defined in the security policy
  • Adding permissions to and removing permissions from resources
These administrators need the following permissions on the /Management/Groups protected resource or on the individual groups that are defined in the /Management/Groups subtree:
  • Traverse (T)
  • Browse (b)
  • View (v)
  • Add (A)
Deployment administrator
Deployment administrators are responsible for installation and configuration of the resource managers in the domain.
These administrators need the following permissions on the /Management/Server protected resource:
  • Traverse (T)
  • Browse (b)
  • View (v)
  • Modify (m)
  • Delete (d)

These permissions give the ability to configure resource managers into and out of the domain and update their configuration. See Permissions attribute.
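The three roles above each reduce to a set of permission letters on particular protected resources, so a practical check before delegating is whether a candidate administrator's ACL entries actually carry every required letter. The following Python script is an added example written for this page, not product code: it encodes the role requirements exactly as listed above and reports which letters are missing per resource. The resource key "<policy subtree>" is a placeholder for whatever subtree the security policy administrator manages, and the sample ACL entries are constructed. Permission letters are case-sensitive (a is Attach, A is Add), so the comparison never case-folds; letters other than the nine named on this page are accepted but left unnamed.

```python
"""Check whether ACL permission strings grant what each delegated
administration role needs.

Added example, not product code. Letters follow the page: T (Traverse),
b (Browse), v (View), m (Modify), d (Delete), a (Attach), A (Add),
B (Bypass POP), R (Bypass rule). Letters are case-sensitive.
"""

PERMISSION_NAMES = {
    "T": "Traverse", "b": "Browse", "v": "View", "m": "Modify",
    "d": "Delete", "a": "Attach", "A": "Add", "B": "Bypass POP",
    "R": "Bypass rule",
}

# Required letters per role, keyed by the resource (or subtree) they are
# needed on. "<policy subtree>" is a placeholder for the subtree of
# protected resources the security policy administrator looks after.
ROLE_REQUIREMENTS = {
    "Security policy administrator": {
        "/Management/ACL": "Tbvmd",
        "/Management/POP": "Tbvmd",
        "/Management/Rule": "Tbvmd",
        "<policy subtree>": "TbvaBR",
    },
    "Protected resource administrator": {
        "/Management/Groups": "TbvA",
    },
    "Deployment administrator": {
        "/Management/Server": "Tbvmd",
    },
}


def missing_permissions(granted, required):
    """Return the letters of `required` that `granted` lacks, in the
    order they appear in `required`. Comparison is exact (case matters),
    because 'a' and 'A' are different permissions."""
    have = set(granted)
    seen = set()
    missing = []
    for ch in required:
        if ch not in have and ch not in seen:
            missing.append(ch)
        seen.add(ch)
    return missing


def check_role(role, granted_by_resource):
    """granted_by_resource maps resource name -> permission string the
    candidate currently holds there. Returns {resource: [missing letters]}
    containing only the resources with a gap; {} means the role's
    requirements are fully met."""
    gaps = {}
    for resource, required in ROLE_REQUIREMENTS[role].items():
        granted = granted_by_resource.get(resource, "")
        missing = missing_permissions(granted, required)
        if missing:
            gaps[resource] = missing
    return gaps


def describe_gaps(gaps):
    """Expand missing letters to 'letter (name)' for a readable report."""
    return {
        resource: [f"{ch} ({PERMISSION_NAMES.get(ch, 'unnamed')})" for ch in letters]
        for resource, letters in gaps.items()
    }


# Constructed sample: a would-be security policy administrator whose ACL
# entries cover /Management/ACL and /Management/POP, but who only has read
# access on /Management/Rule and lacks the two bypass bits on the subtree.
SAMPLE_POLICY_ADMIN = {
    "/Management/ACL": "Tbvmd",
    "/Management/POP": "Tbvmd",
    "/Management/Rule": "Tbv",
    "<policy subtree>": "Tbva",
}
SAMPLE_GAPS = check_role("Security policy administrator", SAMPLE_POLICY_ADMIN)

# Constructed sample of the case-sensitivity trap: 'a' (Attach) was granted
# on /Management/Groups where 'A' (Add) is what the role needs.
SAMPLE_GROUP_ADMIN = {"/Management/Groups": "Tbva"}
SAMPLE_GROUP_GAPS = check_role("Protected resource administrator", SAMPLE_GROUP_ADMIN)

if __name__ == "__main__":
    for role, gaps in (("Security policy administrator", SAMPLE_GAPS),
                       ("Protected resource administrator", SAMPLE_GROUP_GAPS)):
        print(role, "->", describe_gaps(gaps) or "all required permissions present")
```

Run it and the policy administrator sample reports m and d missing on /Management/Rule and B and R missing on the subtree; the group administrator sample reports only A, which is the kind of one-letter gap that is easy to overlook when reading an ACL entry by eye.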