An administrator assignment specifies a domain type (Provisioning, Role, Resource, and Security), as well as a set of permissions for the assignment. For more information, see Administrator and Manager Categories.
To assign administrative roles, you must either be a Security Administrator or have a Domain Administrator type of role, such as Provisioning Administrator.
NOTE: Delegated administrators (Domain Managers) of a domain have no access to the Administrator Assignments page.
The permissions for an administrator assignment define the actions that administrators can take on a particular scope of object instances within the selected domain type. For example, if you select the Role domain as the domain type for an assignment, the permissions determine what actions the administrators can take on the set of role instances selected as the scope for the assignment. These permissions might specify, for the selected scope of roles, that administrators can perform actions such as assigning roles to users, viewing role assignments, and deleting role assignments.
IMPORTANT: Compliance, Configuration, and Reports domain types are discontinued from Identity Manager 4.7.1. This change does not remove the existing assignments that have been previously made to these domain types. However, you cannot edit those assignments.
The Reports domain type is deprecated with this release. You must use the Identity Reporting functionality to manage Identity Manager reports. This requires you to assign the Reporting Administrator role to any users who need access to the reporting functionality. You can assign this role to a user in one of the following ways within the identity applications:
By requesting the Reporting Administrator role using the Request page. See Requesting Permissions in NetIQ Identity Manager - User’s Guide to the Identity Applications.
By selecting the Reporting Administrator role and assigning it to a user in the Roles page. See Assigning Roles to Users.
You can search for administrator assignments by specifying the username. You can also filter the assignments by User, Group, Container, or Role categories.
You can create an administrator assignment for a user, group, container, or role type. Perform the following steps to create a new administrator assignment:
Click .
Specify the Initial Request Description that describes the purpose of this assignment.
Select the Domain Type from the list.
| Domain | Description |
|---|---|
| Provisioning | This domain defines the rights to launch and retract process requests, manage addressee tasks, and configure delegate, proxy, and availability settings. |
| Role | This domain defines the rights to manage roles and SoDs, assign, revoke, and report on roles, as well as rights to configure role settings. |
| Resource | This domain defines the rights to manage resources, assign, revoke, and report on resources, as well as rights to configure resource settings and bind entitlements. |
| Security | This domain defines the rights to manage Identity Applications security, such as assign and revoke domain administrators and managers. This also provides the right to configure teams. |
Select the Assignment Type for which you want to create an assignment.
This displays the list of users, groups, containers, or roles based on the selected assignment type.
Select the required user, group, container, or role from the provided list to create an assignment.
(Conditional) Specify the Effective Date for this assignment. If you do not specify any date, the assignment is created immediately.
(Conditional) Specify the Expiration Date for this assignment. If you do not specify any date, the expiration date is set to never.
(Conditional) To create a domain administrator assignment for the selected domain, enable All Permissions.
NOTE: This option cannot be edited after creating the assignment. For a delegated administrator, you can assign permissions individually. See Assigning Permissions to a Delegated Administrator.
If this option is disabled, a delegated administrator is created for the selected domain.
Click Create.
A delegated administrator has the ability to perform selected operations for a subset of authorized objects within the domain for all users. For more information about different types of users, see Types of User Categories in Identity Applications.
The permissions are displayed for an assignment based on the domain type of the assignment. For more information, see Step 3 in Creating a New Administrator Assignment.
To assign permissions for the assignment, select the required permissions from the categories. The following sections explain the permissions associated with the Identity Applications domain types:
This domain type consists of the permissions that are related to Provisioning Request Definitions (PRD) and User Application Driver.
| Category | Permission |
|---|---|
| Provisioning Request Definition Permissions | This category allows you to assign any of the following permissions for the selected Provisioning Request Definition to a delegated administrator: |
| User Application Driver Permissions | This category allows you to assign the Configure Proxy permission to the delegated administrator. This permission allows the user to configure proxy assignments for the provisioning requests. |
This domain type consists of the permissions related to roles, Separation of Duties, and configuration of role settings.

| Category | Permission |
|---|---|
| Role Permissions | This category allows you to assign any of the following permissions for the selected Role Level or Roles to a delegated administrator: |
| Separation of Duties Permissions | This category allows you to assign any of the following permissions for the selected SoDs to the delegated administrator: |
| Configuration Permissions | This category allows you to assign the Configure Role Settings permission to the delegated administrator. This permission allows the user to configure the settings of the roles subsystem. |
This domain type consists of the permissions related to resources, entitlements, and configuration of resource settings.

| Category | Permission |
|---|---|
| Resource Permissions | This category allows you to assign any of the following permissions for the delegated administrator: If you want to provide access only for a specific container or specific resources, you can select Resource Sub Container or Select Resources and assign the required permissions for the administrator. |
| Entitlements Permissions | This category allows you to assign the Bind Entitlement permissions to the delegated administrator. This permission allows the user to bind entitlements with a resource for the selected drivers. |
| Configuration Permissions | This category allows you to assign the Configure Resource Settings permission to the delegated administrator. This permission allows the user to configure the settings of the resource subsystem. |
When you select this domain type, all permissions are provided. Therefore, the assignments that belong to this domain type have All Permissions enabled at the time of assignment creation.
You can delete one or more assignments from the Administrator Assignments page. To delete multiple assignments, select multiple check boxes against the required assignments.
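The following least-privilege review of administrator assignments is an added example, not code from the product or its documentation. It assumes a hypothetical CSV export whose column names and sample rows are constructed here. It applies the rules described above: the four current domain types, the discontinued ones that can no longer be edited, All Permissions as the marker of a domain administrator, and an empty expiration date meaning never.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are hypothetical, not an Identity Manager format.
SAMPLE = """assignee,assignee_type,domain,all_permissions,effective,expiration
cn=jdoe,User,Security,true,2023-01-10,
cn=helpdesk,Group,Role,false,2023-03-01,2030-12-31
ou=contractors,Container,Resource,true,2023-05-01,
cn=auditor,User,Reports,false,2019-02-01,
cn=temp-admin,User,Provisioning,true,2022-01-01,2022-06-30
"""

CURRENT_DOMAINS = {"Provisioning", "Role", "Resource", "Security"}
LEGACY_DOMAINS = {"Compliance", "Configuration", "Reports"}  # discontinued from 4.7.1


def review(row, today):
    """Return the list of review findings for one assignment row."""
    findings = []
    domain = row["domain"]
    # Security assignments always carry all permissions, whatever the flag says.
    is_domain_admin = row["all_permissions"].lower() == "true" or domain == "Security"
    expiration = date.fromisoformat(row["expiration"]) if row["expiration"] else None

    if domain in LEGACY_DOMAINS:
        findings.append("legacy domain type (cannot be edited)")
    elif domain not in CURRENT_DOMAINS:
        findings.append("unknown domain type")
    if expiration and expiration < today:
        findings.append("expired")
    elif is_domain_admin and expiration is None:
        findings.append("domain administrator with no expiration date")
    if is_domain_admin and row["assignee_type"] in {"Group", "Container", "Role"}:
        findings.append("domain administrator assigned to a " + row["assignee_type"].lower())
    return findings


def audit(text, today):
    """Map each assignee to its findings, skipping rows with none."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["assignee"]: f for r in rows if (f := review(r, today))}


if __name__ == "__main__":
    for who, findings in audit(SAMPLE, date(2024, 1, 1)).items():
        print(who, "->", "; ".join(findings))
```

Assignments flagged as expired or as a legacy domain type are candidates for deletion from the Administrator Assignments page, since legacy assignments cannot be edited.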