|
Admin Role > General tab
|
|
Name
|
Specifies a unique name for the administrator role.
|
Enter a name.
|
|
Admin Role > General > Overview tab
|
|
Description
|
Describes the administrator role.
|
Enter a brief description for the administrator role.
|
|
Session Options
|
Specifies the maximum session length, roaming capabilities,
and session persistence.
|
Select General > Session Options to apply the settings to the role.
|
|
UI Options
|
Specifies the logo, color, navigation menus and the copyright
notice.
|
Select General > UI Options to apply the settings to the role.
|
|
Admin Role > General > Restrictions > Source IP Restrictions tab
|
|
Allow
|
Specifies from which IP addresses users can access an
Infranet Controller sign-in page, be mapped to a role, or access a
resource.
|
- Select Users from any IP address to
enable users to sign into the Infranet Controller from any IP address
in order to satisfy the access management requirement.
- Select Users from IP addresses which pass the
specified matching policies to restrict user
access to the listed IP addresses.
|
|
Source IP Address
|
Specifies the source IP addresses.
|
Enter the IP address.
|
|
Source IP Netmask
|
Specifies the IP netmask.
|
Enter the IP netmask.
|
|
Access
|
Specifies whether to allow or deny access.
|
- Select Allow to allow the user to
use the IP.
- Select Deny to prevent users from
using the IP.
|
|
Admin Role > General > Restrictions > Browser Restrictions tab
|
|
Allow
|
Specifies from which web browsers users can access an
Infranet Controller sign-in page or be mapped to a role.
|
- Select Browsers with any user-agent to allow users to access the Infranet Controller or resources using
any of the supported Web browsers.
- Select Browsers whose user-agent pass the matching
policies defined below to allow you to define browser access
control rules.
|
|
User agent pattern
|
Specifies the format.
|
Enter a string in the format
*<browser_string>*
where star (*) is an optional character used to match any character
and <browser_string> is a case-sensitive pattern that must match
a substring in the user-agent header sent by the browser.
Note:
You cannot include escape characters (\) in browser restrictions.
|
|
Action
|
Specifies whether to allow or deny access.
|
- Select Allow access to allow users
to use a browser that has a user-agent header containing the <browser_string>
substring.
- Select Deny access to prevent users
from using a browser that has a user-agent header containing the <browser_string>
substring.
|
|
Admin Role > General > Restrictions > Certificate Restrictions tab
|
|
Allow
|
Restricts Infranet Controller and resource access by
requiring client-side certificates.
|
- Select All users to allow users to
access the Infranet Controller or resources from any machine.
- Select Users with a trusted client certificate to allow users to access the Infranet Controller from a machine
with a trusted client certificate.
|
|
Certificate Field
|
Specifies the certificate field.
|
Enter the certificate field.
|
|
Expected Value
|
Specifies the expected value.
|
Enter the expected value.
|
|
Admin Role > General > Restrictions > Host Checker Restrictions tab
|
|
Enforce
|
Specifies the Host Checker policy at the role level.
|
- Select Allow all users so that
Host Checker does not need to be installed in order for the user to meet the access
requirement.
- Select Allow users whose workstations meet the
requirements specified by the Host Checker policies to
require that Host Checker is running the specified Host Checker policies
in order for the user to meet the access requirement.
|
|
Host Checker policies
|
Specifies the Host Checker policies.
|
Select the required Host Checker policies.
|
|
Allow access to the role if
|
Specifies access to the role.
|
- Select All of the selected policies pass to allow access only if all the policy requirements are met.
- Select Any ONE of the selected policies pass to allow access if any one of the policy requirements is met.
|
| Admin Role > General > Users > Roles > Delegate User Roles |
|
Administrators can manage ALL roles
|
Specifies whether the administrator can manage all roles.
|
Select the user roles. If you only want to allow the
administrator role to manage selected user roles, select those roles
in the Non-members list and click Add to move
them to the Members list.
|
|
Access
|
Specifies which user role pages the delegated administrator
can manage.
|
- Select Write All to specify that
members of the administrator role can modify all user role pages.
- Select Custom Settings to allow you
to pick and choose administrator privileges (Deny, Read, or Write)
for the individual user role pages.
|
| Admin Role > General > Users > Role > Delegate As Read-Only Role |
|
Administrator can view (but not modify) ALL roles
|
Allows the administrator to view the user roles, but
not manage them.
|
Select the user role that you want to allow the administrator
to view.
Note:
If you specify both write access and read-only access
for a feature, the Infranet Controller grants the most permissive
access. For example, if you select the Administrators can
manage ALL roles check box under Delegate User Roles,
and then select the Users role on the Delegate As Read-Only Roles
page, then the Infranet Controller allows the delegated administrator
role full management privileges to the Users role.
|
| Admin Role > General > Users > Realms > Delegate User Realms |
|
Administrators can manage ALL realms
|
Specifies whether the administrator can manage all user
authentication realms.
|
Select the user realm. If you only want to allow the
administrator role to manage selected realms, select those realms
from the Non-members list and add them to the Members list.
|
|
Access
|
Specifies which user authentication realm pages
the delegated administrator can manage.
|
- Select Write All to specify that
members of the administrator role can modify all user authentication
realm pages.
- Select Custom Settings to allow you
to pick and choose administrator privileges (Deny, Read, or Write)
for the individual user authentication realm pages.
|
| Admin Role > General > Users > Realms > Delegate As Read-Only Realms |
|
Administrator can view (but not modify) ALL realms
|
Allows the administrator to view the user authentication
realms, but not modify them.
|
Select the user authentication realms that you want to
allow the administrator to view.
Note:
If you specify both write access and read-only access
for an authentication realm page, the Infranet Controller grants the
most permissive access. For example, if you select the Administrators
can manage ALL realms check box under Delegate User Realms,
and then select the Users role on the Delegate As Read-Only Realms
page, then the Infranet Controller allows the delegated administrator
role full management privileges to the Users realm.
|
| Admin Role > General > Delegated Administrator Settings > Management of Admin roles |
|
Manage ALL admin roles
|
Manages all admin roles.
|
Select to manage all the admin roles.
|
|
Allow Add/Delete admin roles
|
Allows the security administrator to create
administrator roles, even if the security administrator is not part
of the Administrators role.
|
Select to allow the security administrator to add and
delete admin roles.
|
|
Access
|
Indicates the level of access that you want to allow
the security administrator role to set for system administrators.
|
- Select Deny All to specify that members
of the security administrator role cannot see or modify any settings
in the category.
- Select Read All to specify that members
of the security administrator role can view, but not modify, all settings
in the category.
- Select Write All to specify that
members of the security administrator role can modify all settings
in the category.
- Select Custom Settings to allow you
to pick and choose security administrator privileges (Deny, Read,
or Write) for the individual features within the category.
|
| Admin Role > General > Delegated Administrator Settings > Management of Admin realms |
|
Manage ALL admin realms
|
Manages all admin realms.
|
Select to manage all the admin realms.
|
|
Allow Add/Delete admin realms
|
Allows the security administrator to create and delete
administrator realms, even if the security administrator is not part
of the administrators role.
|
Select to allow the security administrator to add and
delete admin realms.
|
|
Access
|
Indicates the level of realm access that you want to
allow the security administrator role to set for system administrators
for each major set of admin console pages.
|
- Select Deny All to specify that
members of the security administrator role cannot see or modify any
settings in the category.
- Select Read All to specify that
members of the security administrator role can view, but not modify,
all settings in the category.
- Select Write All to specify that
members of the security administrator role can modify all settings
in the category.
- Select Custom Settings to allow you
to pick and choose security administrator privileges (Deny, Read,
or Write) for the individual features within the category.
Note:
All administrators that can manage admin roles and realms
have at least read-only access to the admin role’s Name and
Description and to the realm's Name and Description, as displayed
on the General page.
|
| Admin Role > General > Delegated Resource Policies > All tab |
|
Access
|
Indicates the level of access that you want to allow
the administrator role for each Resource Policies submenu.
|
- Select Deny All to specify that members
of the administrator role cannot see or modify any resource policies.
- Select Read All to specify that members
of the administrator role can view, but not modify, all resource policies.
- Select Write All to specify that
members of the administrator role can modify all resource policies.
- Select Custom Settings to allow
you to pick and choose administrator privileges (Deny, Read, or
Write) for each type of resource policy or for individual resource
policies.
|
| Admin Role > General > Delegated Resource Policies > Custom Settings |
|
Additional Access Policies
|
Sets custom access levels for an individual policy.
|
Select the access level for the policy (Deny, Read, or
Write).
|
|
Policies
|
Provides custom access level.
|
Select the resource policy for which you want to provide
a custom access level, and click Add.
|
|
Default Options
for Delegated Admins > Session Options tab
|
|
Idle Timeout (minutes)
|
Specifies the number of minutes an administrator session
may remain idle before ending. The minimum is 5 minutes. The default
idle session limit is ten minutes, which means that if an administrator’s
session is inactive for ten minutes, the Infranet Controller ends
the session and logs the event in the system log (unless you enable
session timeout warnings described below).
|
Enter the idle timeout duration in minutes.
|
|
Max. Session Length (minutes)
|
Specifies the number of minutes an active administrator
session may remain open before ending. The minimum is 6 minutes. The
default time limit for an administrator session is sixty minutes,
after which the Infranet Controller ends the session and logs the
event in the system log.
|
Enter the session length in minutes. The default is 300
seconds, and the minimum is six minutes.
|
|
Roaming session
|
Roaming sessions allow users to work across source IP
addresses. This is useful for mobile users with dynamically assigned
IP addresses, as it allows them to sign in from their desk and continue
working.
|
- Select Enabled to enable roaming
user sessions for users mapped to this group. A roaming user session
works across source IP addresses, which allows mobile administrators
(laptop users) with dynamic IP addresses to sign in to the Infranet
Controller from one location and continue working from another. Disable
this feature to prevent users from accessing a previously established
session from a new source IP address. This helps protect against an
attacker hijacking a user’s session with a valid session cookie that
the attacker was able to obtain.
- Select Limit to subnet to limit the
roaming session to the local subnet specified in the Netmask field.
Administrators may sign in from one IP address and continue using
their sessions with another IP address as long as the new IP address
is within the same subnet.
- Select Disabled to disable roaming
sessions for administrators mapped to this role. Administrators who
sign in from one IP address may not continue an active Infranet Controller
session from another IP address; administrator sessions are tied to
the initial source IP address.
|
|
Default Options for Delegated Admins > UI Options tab
|
|
Logo image
|
Displays the logo in the Current appearance box only
after you save your changes.
|
Click the Browse button and locate your custom image
file.
|
|
Background color
|
Updates the current appearance of the box.
|
Type the hexadecimal number for the background color
or click the Color Palette icon and pick the desired color.
|
|
Navigation Menus
|
Displays hierarchical navigation menus.
|
- Select Auto-enabled to have the Infranet Controller determine
whether the administrator is signed in from a supported platform and
enable or disable the hierarchical menus accordingly.
- Select Enabled to enable hierarchical
menus, regardless of your platform. If the administrator is signed
in from an unsupported platform, they may not be able to use the hierarchical
menus, even though they are enabled.
- Select Disabled to disable hierarchical
menus for all members of the role.
|
|
Show copyright notice in footer
|
Specifies the copyright notice and label in the footer.
|
Select or clear the check box (optional).
Note:
If you do not want user roles to see the copyright notice,
you can also deselect the option in the Default Settings for user
roles, in general. That way, all subsequent roles you create do not
allow the notice to appear on the end-user UI.
|
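The three Roaming session options in the Session Options tab above differ only in which later source IP addresses may reuse an established session. The following added example (not Infranet Controller code) models that decision; the mode labels, function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

# Mode labels are this example's own names for the three table options.
ENABLED, LIMIT_TO_SUBNET, DISABLED = "enabled", "limit-to-subnet", "disabled"

def session_may_continue(mode, initial_ip, new_ip, netmask=None):
    """True if a session created from initial_ip may be used from new_ip."""
    first = ipaddress.ip_address(initial_ip)
    current = ipaddress.ip_address(new_ip)
    if mode == ENABLED:          # session works across source IP addresses
        return True
    if mode == DISABLED:         # session is tied to the initial source IP
        return current == first
    if mode == LIMIT_TO_SUBNET:  # new IP must share the sign-in IP's subnet
        if netmask is None:
            raise ValueError("Limit to subnet requires a netmask")
        if current.version != first.version:
            return False
        subnet = ipaddress.ip_network(f"{first}/{netmask}", strict=False)
        return current in subnet
    raise ValueError(f"unknown roaming mode: {mode!r}")

def rejected_requests(mode, sessions, requests, netmask=None):
    """Return the (session_id, source_ip) requests the mode would refuse."""
    return [(sid, ip) for sid, ip in requests
            if not session_may_continue(mode, sessions[sid], ip, netmask)]

# Constructed sample data: sign-in IP per session, then later requests.
SESSIONS = {"adm-1": "10.1.2.50", "adm-2": "192.0.2.10"}
REQUESTS = [
    ("adm-1", "10.1.2.50"),    # same address as sign-in
    ("adm-1", "10.1.2.200"),   # laptop moved within the /24
    ("adm-1", "10.1.3.7"),     # neighbouring subnet
    ("adm-2", "203.0.113.9"),  # cookie presented from an unrelated network
]

if __name__ == "__main__":
    for mode in (ENABLED, LIMIT_TO_SUBNET, DISABLED):
        print(mode, rejected_requests(mode, SESSIONS, REQUESTS, "255.255.255.0"))
```

With a 255.255.255.0 netmask, Limit to subnet keeps the in-subnet move working while refusing the request from the unrelated network; Enabled accepts all four requests.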