    Creating and Configuring Secure Access Device Administrator Roles (NSM Procedure)

    An administrator role specifies Secure Access device management functions and session properties for administrators who map to the role. You can customize an administrator role by selecting the Secure Access device feature sets and user roles that members of the administrator role are allowed to view and manage. You can create and configure administrator roles through the Delegated Admin Roles page.

    Note: To create individual administrator accounts, you must add the users through the appropriate authentication server (not the role). For example, to create an individual administrator account, you may use settings in the Authentication > Auth. Servers > Administrators > Users page of the admin console.

    To create an administrator role:

    1. In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure an administrator role.
    2. Click the Configuration tree tab, and select Administrators > Admin Roles.
    3. Click the New button. The New dialog box appears.
    4. Click General > Overview to add or modify settings as specified in Table 1.
    5. Click one:
      • OK—Saves the changes.
      • Cancel—Cancels the modifications.

    Table 1: Administrator Role Configuration Details

    Option

    Function

    Your Action

    General > Overview tab

    Name

    Specifies a unique name for the administrator role.

    Enter a name.

    Description

    Describes the administrator role.

    Enter a brief description for the administrator role.

    Session Options

    Specifies the maximum session length, roaming capabilities, and session persistence.

    Select General > Session Options to apply the settings to the role.

    UI Options

    Specifies customized settings for the Secure Access device welcome page for Odyssey Access Client users mapped to this role.

    Select General > UI Options to apply the settings to the role.

    Delegated Users Settings > Roles > Delegate User Roles

    Administrators can manage ALL roles

    Specifies whether the administrator can manage all roles.

    Select the user roles in the Non-members list and click Add if you only want to allow the administrator role to manage selected user roles.

    Access

    Specifies which user role pages the delegated administrator can manage.

    Select an access option from the drop-down list.

    • Select Write All to specify that members of the administrator role can modify all user role pages.
    • Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for the individual user role pages.

    Delegated Users Settings > Roles > Delegate As Read-Only Role

    Administrator can view (but not modify) ALL roles

    Allows the administrator to view the user roles, but not manage them.

    Select the user role that you want to allow the administrator to view.

    Note: If you specify both write access and read-only access for a feature, the Secure Access device grants the most permissive access.

    Delegated Users Settings > Realms > Delegate User Realms

    Administrator can manage ALL realms

    Specifies whether the administrator can manage all user authentication realms.

    Select the user realm. If you only want to allow the administrator role to manage selected realms, select those realms in the Members list and click Add.

    Access

    Specifies which user authentication realm pages the delegated administrator can manage.

    Select an access option from the drop-down list.

    • Select Write All to specify that members of the administrator role can modify all user authentication realm pages.
    • Select Custom Settings to allow you to pick and choose administrator privileges (Deny, Read, or Write) for the individual user authentication realm pages.

    Delegated Users Settings > Realms > Delegate As Read-Only Realms

    Administrator can view (but not modify) ALL realms

    Allows the administrator to view the user authentication realms, but not modify them.

    Select the user authentication realms that you want to allow the administrator to view.

    Note: If you specify both write access and read-only access for an authentication realm page, the Secure Access device grants the most permissive access.

    Delegated Administrator Settings > Management of Admin roles

    Manage ALL admin roles

    Manages all admin roles.

    Select Delegated Administrator Settings > Management of Admin roles > Manage ALL admin roles to manage all the admin roles.

    Allow Add/Delete admin roles

    Allows the security administrator to create administrator roles, even if the security administrator is not part of the Administrators role.

    Note: This option appears only when you enable the Manage All admin roles option.

    Select to allow the security administrator to add and delete admin roles.

    Access

    Indicates the level of access that you want to allow the security administrator role to set for system administrators.

    Note: This option appears only when you enable the Manage All admin roles option.

    Select an access option:

    • Deny All—Specifies that members of the security administrator role cannot see or modify any settings in the category.
    • Read All—Specifies that members of the security administrator role can view, but not modify, all settings in the category.
    • Write All—Specifies that members of the security administrator role can modify all settings in the category.
    • Custom Settings—Allows you to pick and choose security administrator privileges (Deny, Read, or Write) for the individual features within the category.

    Delegated Administrator Settings > Management of Admin realms

    Manage ALL admin realms

    Manages all admin realms.

    Select Delegated Administrator Settings > Management of Admin realms > Manage ALL admin realms.

    Allow Add/Delete admin realms

    Allows the security administrator to create and delete administrator realms, even if the security administrator is not part of the administrators role.

    Note: This option appears only when you enable the Manage All admin realms option.

    Select to allow the security administrator to add and delete admin realms.

    Access

    Indicates the level of realm access that you want to allow the security administrator role to set for system administrators for each major set of admin console pages.

    Note: This option appears only when you enable the Manage All admin realms option.

    Select an access option:

    • Deny All—Specifies that members of the security administrator role cannot see or modify any settings in the category.
    • Read All—Specifies that members of the security administrator role can view, but not modify, all settings in the category.
    • Write All—Specifies that members of the security administrator role can modify all settings in the category.
    • Custom Settings—Allows you to pick and choose security administrator privileges (Deny, Read, or Write) for the individual features within the category.

    Delegated Resource Policies > All tab

    Access

    Indicates the level of access that you want to allow the administrator role for each Resource Policies submenu.

    Select an access option:

    • Deny All—Specifies that members of the administrator role cannot see or modify any resource policies.
    • Read All—Specifies that members of the administrator role can view, but not modify, all resource policies.
    • Write All—Specifies that members of the administrator role can modify all resource policies.
    • Custom Settings—Allows you to pick and choose administrator privileges (Deny, Read, or Write) for each type of resource policy or for individual resource policies.

      Note: The Web, File, SAM, Telnet SSH, Terminal Services, Network Connect, and Email Client tabs are enabled only when you select Custom Settings from the drop-down list.

    Delegated Resource Policies > Web > File > SAM > Telnet SSH > Terminal Services > Network Connect

    Access

    Allows you to pick and choose administrator privileges for each type of resource policy.

    Select the Deny, Read, or Write access level for the type of resource.

    Additional Access Policies

    Allows you to specify the access level for an individual policy (for example, if you want to control access to a resource policy that controls access to www.google.com).

    Select a resource policy.

    Access

    Allows you to pick and choose administrator privileges for each individual resource policy.

    Select the Read or Write access level for the policy.

    Delegated Resource Policies > Email Client

    Access

    Allows you to pick and choose administrator privileges (Deny, Read, or Write) for the policy.

    Select Deny or Read or Write access level for the.

    Delegated Resource Profiles > All tab

    Access

    Indicates the level of access that you want to allow the administrator role for each Resource Profiles.

    Select an access option:

    • Deny All—Specifies that members of the security administrator role cannot see or modify any settings in the category.
    • Read All—Specifies that members of the security administrator role can view, but not modify, all settings in the category.
    • Write All—Specifies that members of the security administrator role can modify all settings in the category.
    • Custom Settings—Allows you to pick and choose security administrator privileges (Deny, Read, or Write) for the individual features within the category.

    Note: The Web, File, SAM, Telnet SSH, and Terminal Services tabs are enabled only when you select Custom Settings from the drop-down list.

    Delegated Resource Profiles > Web > File > SAM > Telnet SSH > Terminal Services

    Access

    Allows you to pick and choose administrator privileges for each type of resource profile.

    Select the Deny, Read, or Write access level for the type of resource.

    Additional Access Profiles

    Allows you to specify the access level for individual profiles (for example, if you want to control access to a resource profile that controls access to www.google.com).

    Select the resource profile for which you want to provide a custom access level, and click Add.

    Access

    Allows you to pick and choose administrator privileges (Deny, Read, or Write) for the profiles.

    Select the Read or Write access level for the profiles.
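
The notes in Table 1 state that when both write access and read-only access are specified, the Secure Access device grants the most permissive access. The following added example (not Juniper code) models that rule to review a planned role before it is entered in NSM; the dictionary layout, key names and sample role are assumptions made for illustration, not an NSM or Secure Access export format.

```python
# Added example: a constructed model of the delegation options in Table 1.
# Key names ("manage_all", "write", "read_only", ...) are hypothetical.

def effective_access(role, kind, name):
    """Resolve access to one user role or realm; the most permissive grant wins."""
    d = role.get(kind, {})  # kind is "roles" or "realms"
    level = "deny"
    if d.get("view_all") or name in d.get("read_only", ()):
        level = "read"
    if d.get("manage_all") or name in d.get("write", ()):
        level = "write"  # write overrides any read-only delegation
    return level

def audit(role):
    """Return findings where the role grants more than its read-only lists suggest."""
    findings = []
    for kind in ("roles", "realms"):
        d = role.get(kind, {})
        if d.get("manage_all"):
            findings.append(f"{kind}: manage ALL is enabled")
        for name in sorted(d.get("read_only", ())):
            if effective_access(role, kind, name) == "write":
                findings.append(f"{kind}: read-only entry '{name}' is writable in effect")
    admin = role.get("admin_roles", {})
    if admin.get("manage_all") and admin.get("allow_add_delete"):
        findings.append("admin_roles: members can add and delete administrator roles")
    return findings

# Constructed sample role definition (not taken from a real device).
SAMPLE_ROLE = {
    "name": "helpdesk-admins",
    "roles": {
        "manage_all": False,
        "write": ["Contractors", "Employees"],
        "read_only": ["Employees", "Executives"],
    },
    "realms": {"manage_all": True, "read_only": ["Users"]},
    "admin_roles": {"manage_all": True, "allow_add_delete": True},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLE):
        print(finding)
```
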

    Published: 2013-01-03