22.6 Assigning Administrators in Identity Applications

An administrator assignment specifies a domain type (Provisioning, Role, Resource, and Security), as well as a set of permissions for the assignment. For more information, see Administrator and Manager Categories.

To assign administrative roles, you must either be a Security Administrator or have a Domain Administrator-type of role, such as Provisioning Administrator.

NOTE: Delegated administrators (Domain Managers) of a domain have no access to the Administrator Assignments page.

The permissions for an administrator assignment define the actions that administrators can take on a particular scope of object instances within the domain type selected. For example, if you select the Role domain as the domain type for an assignment, the permissions determine what actions the administrators can take on the set of role instances selected as the scope for the assignment. These permissions might specify, for the selected scope of roles, that administrators can perform actions such as assigning roles to users, viewing role assignments, and deleting on role assignments.

IMPORTANT: The Compliance, Configuration, and Reports domain types are discontinued from Identity Manager 4.7.1. This change does not remove existing assignments that were previously made to these domain types; however, you cannot edit those assignments.

The Reports domain type is deprecated with this release. You must use the Identity Reporting functionality to manage Identity Manager reports, which requires you to assign the Reporting Administrator role to any user who needs access to the reporting functionality. You can assign this role to a user in one of the following ways within the identity applications:

22.6.1 Listing the Administrator Assignments

You can search for administrator assignments by specifying the username. You can also filter the assignments by User, Group, Container, or Role categories.

22.6.2 Creating a New Administrator Assignment

You can create an administrator assignment for a user, group, container, or role type. Perform the following steps to create a new administrator assignment:

  1. Click .

  2. Specify the Initial Request Description that describes the purpose of this assignment.

  3. Select the Domain Type from the list.

    Domain / Description

    Provisioning: This domain defines the rights to launch and retract process requests, manage addressee tasks, and configure delegate, proxy, and availability settings.

    Role: This domain defines the rights to manage roles and SoDs, assign, revoke, and report on roles, as well as rights to configure role settings.

    Resource: This domain defines the rights to manage resources, assign, revoke, and report on resources, as well as rights to configure resource settings and bind entitlements.

    Security: This domain defines the rights to manage Identity Applications security, such as assigning and revoking domain administrators and managers. It also provides the right to configure teams.

  4. Select the Assignment Type for which you want to create an assignment.

    This displays the list of users, groups, containers, or roles, depending on the selected assignment type.

  5. Select the required user, group, container, or role from the provided list to create an assignment.

  6. (Conditional) Specify the Effective Date for this assignment. If you do not specify a date, the assignment becomes effective immediately.

  7. (Conditional) Specify the Expiration Date for this assignment. If you do not specify a date, the expiration date is set to never.

  8. (Conditional) To create a domain administrator assignment for the selected domain, enable All Permissions.

    NOTE: This option cannot be edited after the assignment is created. For a delegated administrator, you can assign permissions individually. See Assigning Permissions to a Delegated Administrator.

    If this option is disabled, a delegated administrator is created for the selected domain.

  9. Click Create.
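As an added example (not code from the Identity Manager product or its documentation), the following Python model captures the assignment semantics described in these steps: domain type, scope of object instances, individual permissions versus All Permissions, and effective and expiration dates. All class, function and sample names are assumptions, and the sample assignments are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Domain types an assignment can specify (step 3 above).
DOMAIN_TYPES = frozenset({"Provisioning", "Role", "Resource", "Security"})


@dataclass
class AdminAssignment:
    """Constructed model of one administrator assignment (not the product's data model)."""
    assignee: str                              # user, group, container or role holding it
    domain: str                                # one of DOMAIN_TYPES
    scope: FrozenSet[str] = frozenset()        # object instances the permissions apply to
    permissions: FrozenSet[str] = frozenset()  # ignored when all_permissions is True
    all_permissions: bool = False              # True: domain administrator; False: delegated
    effective: Optional[date] = None           # None: effective immediately
    expiration: Optional[date] = None          # None: never expires

    def __post_init__(self):
        if self.domain not in DOMAIN_TYPES:
            raise ValueError(f"unknown domain type: {self.domain}")
        if self.domain == "Security":          # Security domain always has All Permissions
            self.all_permissions = True

    def active_on(self, day: date) -> bool:
        # Assumption: the effective date is inclusive, the expiration date exclusive.
        if self.effective is not None and day < self.effective:
            return False
        return self.expiration is None or day < self.expiration

    def authorizes(self, day: date, domain: str, action: str, obj: str) -> bool:
        """May the holder perform `action` on `obj` in `domain` on `day`?"""
        if domain != self.domain or not self.active_on(day):
            return False
        if self.all_permissions:               # domain administrator: any action, any object
            return True
        return obj in self.scope and action in self.permissions   # delegated: scoped


def is_authorized(assignments, day: date, domain: str, action: str, obj: str) -> bool:
    """Grant if any held assignment authorizes the action; assignments never deny."""
    return any(a.authorizes(day, domain, action, obj) for a in assignments)


# Constructed sample: a delegated Role administrator scoped to one role and a
# Resource domain administrator created with All Permissions enabled.
SAMPLE = [
    AdminAssignment("alice", "Role", scope=frozenset({"cn=Finance,ou=roles"}),
                    permissions=frozenset({"Assign Role to a User", "View Role"}),
                    effective=date(2024, 1, 10)),
    AdminAssignment("alice", "Resource", all_permissions=True, expiration=date(2024, 6, 30)),
]
```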

22.6.3 Assigning Permissions to a Delegated Administrator

A delegated administrator has the ability to perform selected operations for a subset of authorized objects within the domain for all users. For more information about different types of users, see Types of User Categories in Identity Applications.

The permissions are displayed for an assignment based on the domain type of the assignment. For more information, see Step 3 in Creating a New Administrator Assignment.

To assign permissions for the assignment, select the required permissions from the categories. The following sections explain the permissions associated with the Identity Applications domain types:

Provisioning

This domain type consists of the permissions that are related to Provisioning Request Definitions (PRD) and User Application Driver.

Category / Permission

Provisioning Request Definition Permissions

This category allows you to assign any of the following permissions for the selected Provisioning Request Definition to a delegated administrator:

  • Initiate PRD: Allows the user to initiate the selected provisioning requests.

    NOTE: The Initiate PRD permission has no effect on the behavior of the installed PRDs for resources and roles within the Identity Applications, since these PRDs cannot be initiated directly from the Identity Applications. However, this permission does control whether these PRDs can be initiated from a SOAP call.

  • Retract PRD: Allows the user to retract the selected provisioning requests when they are in progress.

  • View Running PRD: Allows the user to view the selected provisioning requests when they are in progress.

  • Configure Delegate: Allows the user to configure delegate assignments for the selected provisioning requests.

  • Manage Addressee Task: Allows the user to manage tasks associated with the selected provisioning requests that have been addressed to other users.

    When this permission is enabled, Domain and Delegated Administrators can manage tasks for all users, including addressees and recipients. Managers can manage tasks for addressees, but not for recipients.

  • Configure Availability: Allows the user to configure availability for tasks associated with the selected provisioning requests.

User Application Driver Permissions

This category allows you to assign the Configure Proxy permission to the delegated administrator. This permission allows the user to configure proxy assignments for the provisioning requests.

Role

This domain type consists of the permissions related to roles, Separation of Duties, and configuration of role settings.

Category / Permission

Role Permissions

This category allows you to assign any of the following permissions for the selected Role Level or Roles to a delegated administrator:

  • Create Role: Allows the user to create roles.

  • Delete Role: Allows the user to delete the selected roles.

    This setting applies only at the container level.

    At installation time, no user has the ability to delete system roles. However, the administrator may grant the user access to the system roles.

  • Update Role and Role Relationship: Allows the user to update the selected roles and modify role relationships.

    This setting applies only at the container level.

  • View Role: Allows the user to view the selected roles.

    This setting applies only at the container level.

  • Assign Role to a User: Allows the user to assign users to the selected roles.

    IMPORTANT: Only the Security Administrator can assign system roles to a user.

  • Revoke Role from a User: Allows the user to revoke user assignments for the selected roles.

  • Assign Role To Group and Container: Allows the user to assign groups and containers to the selected roles.

  • Revoke Role From Group and Container: Allows the user to revoke group and container assignments for the selected roles.

Separation of Duties Permissions

This category allows you to assign any of the following permissions for the selected SoDs to the delegated administrator:

  • Create SoD: Allows the user to create the separation of duties constraints.

  • Update SoD: Allows the user to update the selected separation of duties constraints.

  • Delete SoD: Allows the user to delete the selected separation of duties constraints.

  • View SoD: Allows the user to look at the selected separation of duties constraints.

Configuration Permissions

This category allows you to assign the Configure Role Settings permission to the delegated administrator. This permission allows the user to configure the settings of the roles subsystem.

Resource

This domain type consists of the permissions related to resources, entitlements, and configuration of resource settings.

Category / Permission

Resource Permissions

This category allows you to assign any of the following permissions for the delegated administrator:

  • Create Resource: Allows the user to create resources.

  • Delete Resource: Allows the user to delete the selected resources.

  • Update Resource: Allows the user to update the selected resources.

  • View Resource: Allows the user to view the selected resources.

  • Assign Resource: Allows the user to assign users to the selected resources.

  • Revoke Resource: Allows the user to revoke user assignments for the selected resources.

If you want to provide access only to a specific container or to specific resources, select Resource Sub Container or Select Resources and assign the required permissions to the administrator.

Entitlements Permissions

This category allows you to assign the Bind Entitlement permission to the delegated administrator. This permission allows the user to bind entitlements to a resource for the selected drivers.

Configuration Permissions

This category allows you to assign the Configure Resource Settings permission to the delegated administrator. This permission allows the user to configure the settings of the resource subsystem.

Security

When you select this domain type, all permissions are granted. Therefore, assignments that belong to this domain type have All Permissions enabled at the time the assignment is created.

22.6.4 Deleting an Administrator Assignment

You can delete one or more assignments from the Administrator Assignments page. To delete multiple assignments, select the check boxes next to the required assignments.