Administrator and Group Administrator
The security.manager Administrator application is used to manage users and policies.
It is necessary to sign in to the system to access the Administrator application. The security.manager contains two types of administrators:
-
Administrators with rights that apply to all groups
-
Group administrators with restricted rights scoped to their own group
Administrators that are able to manage all groups are called "super-administrators". The corresponding role is sM_Administrator. Users who have been assigned to this role can manage the data (users, policies, groups, roles) for all groups via the security.manager Administrator.
A group administrator has restricted rights, limited to users and roles belonging to their own group.
The corresponding role is sM_GroupAdministrator.
A group administrator is only able to see and manage the users of their own group.
Whenever they creates new users, they become members of their group.
A group administrator is allowed to create and delete roles for their own group.
Such roles are identified by the @<groupname>@
prefix.
A group administrator can use these roles within policies.
During installation a default super user is created with name smadmin. The password is chosen during the installation procedure. All users assigned to the role sM_Administrator are authorized to use the Administrator application without restrictions.
Restrictions for group administrators
After they have signed in to the security.manager Administrator application, group administrators can create new users for their group.
It is not possible to assign that user to another group.
A group administrator can only create and view roles that belong to her own group.
Such groups are tagged with a Only a super administrator can reassign an existing user to another group. Basically, a group administrator can only view data of users belonging to her own group. All other users are hidden from her. |