3.6 Configuring Roles Management

CloudAccess provides the ability to assign different roles to administrative users in your identity sources. The roles allow administrators to perform certain tasks and deny them access to other tasks.

3.6.1 Defining the Role Types

CloudAccess includes the following types of roles:

  • Appliance Administrator: One or more users can have the appliance administrator role in CloudAccess. You assign the first appliance administrator account during the initialization of the appliance.

    The first appliance administrator has rights to access the Admin, Roles, Policy, Reports, and Devices pages. This administrator has rights to add and remove identity sources, tools, nodes, and applications. However, this administrator does not have application ownership and approval rights by default.

    When an appliance administrator assigns a user the appliance administrator role, the new administrator also has rights to access the Admin, Roles, Policy, Reports, and Devices pages. However, like the first appliance administrator, subsequent administrators do not have ownership and approval rights by default.

    Only appliance administrators can add SaaS applications, such as Google Apps and Salesforce. Any appliance administrator who imports and applies a SaaS application is also made that application's owner and has rights to the Approvals page for that specific application. An administrator who is also an application owner can assign another administrator to be the application owner and application approver, and can either keep or remove their own membership in those roles.

  • Application Owner: The application owner controls access to the SaaS applications. CloudAccess automatically assigns this role to the user who creates the SaaS application on the Admin page. The application owner can access the following web pages:

    • Approvals: The application owner can allow or deny approvals for users to obtain a SaaS application account.

    • Policy: The application owner can map authorizations between the identity source and the SaaS application and optionally require approval for authorizations.

    • Roles: The application owner can add or remove users from the application approver role.

  • Application Approver: The application approver can access the Approvals page and allow or deny approvals for users to obtain a SaaS application account. CloudAccess automatically assigns this role to the administrator who creates the SaaS application on the Admin page.

  • Compliance Auditor: The compliance auditor can access the Reports page and generate, view, and download the reports for the appliance. Users assigned to the appliance administrator role automatically have access to the Reports page.

  • Device Administrator: The device administrator can view and delete other users’ registered mobile devices on the Devices page. Users assigned to the appliance administrator role automatically have the device administrator role (though device administrators do not automatically have the appliance administrator role).

  • Helpdesk: The helpdesk administrator manages the Self-Service User Store users. The helpdesk user can delete users and reset passwords.

In addition to the default role assignments, you can assign each role to additional users. However, the Roles page never allows you to remove the last appliance administrator role.
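The role model described above (appliance-wide roles, application-scoped owner and approver roles, the device administrator role implied by appliance administrator, and the rule that the last appliance administrator can never be removed) can be expressed as a small access-check model. The following Python is an added illustration, not CloudAccess code; the role names, the `RoleStore` class and the `import_saas_app` helper are assumptions chosen for the example, and the page-to-role mapping is taken from the role descriptions on this page.

```python
from dataclasses import dataclass, field

# Pages each appliance-wide role can reach, taken from the role descriptions above.
ROLE_PAGES = {
    "appliance_admin": {"Admin", "Roles", "Policy", "Reports", "Devices"},
    "compliance_auditor": {"Reports"},
    "device_admin": {"Devices"},
}
# Roles that are scoped to a single SaaS application.
APP_ROLE_PAGES = {
    "application_owner": {"Approvals", "Policy", "Roles"},
    "application_approver": {"Approvals"},
}
# Roles implied by holding another role (appliance admin implies device admin, not the reverse).
IMPLIED_ROLES = {"appliance_admin": {"device_admin"}}


class LastApplianceAdminError(Exception):
    """Raised when a revoke would leave the appliance with no appliance administrator."""


@dataclass
class RoleStore:
    # user -> set of appliance-wide roles
    global_roles: dict = field(default_factory=dict)
    # (user, app) -> set of application-scoped roles
    app_roles: dict = field(default_factory=dict)

    def assign(self, user, role, app=None):
        if app is None:
            if role not in ROLE_PAGES:
                raise ValueError(f"unknown appliance-wide role: {role}")
            self.global_roles.setdefault(user, set()).add(role)
        else:
            if role not in APP_ROLE_PAGES:
                raise ValueError(f"unknown application role: {role}")
            self.app_roles.setdefault((user, app), set()).add(role)

    def revoke(self, user, role, app=None):
        # The Roles page never allows removing the last appliance administrator.
        if app is None and role == "appliance_admin" and self.appliance_admins() == {user}:
            raise LastApplianceAdminError(user)
        if app is None:
            self.global_roles.get(user, set()).discard(role)
        else:
            self.app_roles.get((user, app), set()).discard(role)

    def appliance_admins(self):
        return {u for u, roles in self.global_roles.items() if "appliance_admin" in roles}

    def effective_roles(self, user):
        roles = set(self.global_roles.get(user, set()))
        for held in list(roles):
            roles |= IMPLIED_ROLES.get(held, set())
        return roles

    def can_access(self, user, page, app=None):
        """True if any effective appliance-wide role, or an app-scoped role for `app`, grants `page`."""
        if any(page in ROLE_PAGES[r] for r in self.effective_roles(user)):
            return True
        if app is not None:
            return any(page in APP_ROLE_PAGES[r] for r in self.app_roles.get((user, app), set()))
        return False


def import_saas_app(store, admin, app):
    """Mirror the documented default: only an appliance admin can add a SaaS app,
    and the admin who imports it becomes its application owner and approver."""
    if "appliance_admin" not in store.global_roles.get(admin, set()):
        raise PermissionError("only appliance administrators can add SaaS applications")
    store.assign(admin, "application_owner", app)
    store.assign(admin, "application_approver", app)
```

The scoping matters for the Approvals page: `can_access(user, "Approvals", app=...)` is true only for the specific application the user owns or approves, which matches the statement that ownership rights apply to "that specific application".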

3.6.2 Assigning Roles to Users

To assign roles to users:

  1. Log in to the Admin page at https://appliance_dns_name/appliance/index.html as the appliance administrator or application owner.

  2. Click Roles on the toolbar.

  3. Type the name of a user into the search filter field, then click Search. Matching users are displayed in the left column.

    NOTE: If you use wildcards such as an asterisk (*) or question mark (?) in the search filter field, CloudAccess does not correctly filter results. Filters must be full regular expressions. If you want to use wildcards, they must be regular expression wildcards. If the filter starts with neither '^' nor '.*', then '.*' is added to the start of the filter. If the filter ends with neither '$' nor '.*', then '.*' is added to the end of the filter. Thus, a filter for "test" would end up as the regular expression ".*test.*".

  4. Drag and drop the user to the role you want to assign to that user, then click OK to confirm the assignment.

The Roles page displays only the application owner and application approver roles of configured SaaS connectors.
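To see why shell-style wildcards in the search filter give unexpected results, it helps to apply the normalization rule from the note above to a few filters and run them against some user names. The Python below is an added example, not CloudAccess code; it assumes the normalized expression is matched against the whole user name (an assumption, since the page does not say), and the user list is constructed for the example.

```python
import re

# Constructed sample of user names in an identity source.
USERS = ["test.user", "jtester", "contest", "tesla", "alice"]


def normalize_filter(user_filter: str) -> str:
    """Apply the documented rule: prepend '.*' unless the filter starts with '^' or '.*',
    and append '.*' unless it ends with '$' or '.*'."""
    pattern = user_filter
    if not (pattern.startswith("^") or pattern.startswith(".*")):
        pattern = ".*" + pattern
    if not (pattern.endswith("$") or pattern.endswith(".*")):
        pattern = pattern + ".*"
    return pattern


def search_users(user_filter: str, users=USERS) -> list:
    """Return the users whose whole name matches the normalized regular expression.
    Whole-name matching is an assumption made for this example."""
    regex = re.compile(normalize_filter(user_filter))
    return [u for u in users if regex.fullmatch(u)]


def glob_to_regex(glob: str) -> str:
    """Translate a shell-style pattern ('*' and '?') into the anchored regular
    expression the search filter actually expects; other characters are escaped."""
    parts = ["^"]
    for ch in glob:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    parts.append("$")
    return "".join(parts)


if __name__ == "__main__":
    for f in ["test", "^test", "test$", "test*", glob_to_regex("test*")]:
        print(f"{f!r:16} -> {normalize_filter(f)!r:16} matches {search_users(f)}")
```

The shell-style filter `test*` becomes `.*test*.*`, where `t*` means "zero or more t", so it matches `tesla` as well as every name containing `test`; `glob_to_regex("test*")` yields `^test.*$`, which the normalization leaves untouched and which matches only names starting with `test`.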