CA SSO Administrator Rights

Article Id: 33210
Status: Published
Updated On: 14-02-2018 08:21
Legacy Id: TEC1719195
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On
Issue/Introduction:

PROBLEM:

The CA SSO (Single Sign-On) Administrator Permissions are represented in the Policy Store as an integer value, calculated from a bit map.  This can be seen in XPSExplorer, a Policy Store export file generated from 'xpsexport', as well as looking directly at the Administrator object in either an LDAP or ODBC Policy Store.

 

[XPSExplorer]

=========================================================================

------------------------- Object Meta Data ------------------------
XID: CA.SM::[email protected]

------------------- Attributes from CA.SM::Admin ------------------
    Name                            = "siteminder2"
    Password                        = <***>
    Rights                          = 63(0x3f): ManageAllDomains,ManageObjects,ManageUsers,ManageSecurity,CacheManager,RegisterTrustedHosts

=========================================================================

 

[XPSExport]

=========================================================================

<Object Class="CA.SM::Admin" Xid="CA.SM::[email protected]" CreatedDateTime="2015-04-14T14:16:13" ModifiedDateTime="2015-04-14T14:16:13" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Replace">
            <Property Name="CA.SM::Admin.DirectoryAuth">
                <BooleanValue>false</BooleanValue>
            </Property>
            <Property Name="CA.SM::Admin.Rights">
                <NumberValue>63</NumberValue>
            </Property>
            <Property Name="CA.SM::Admin.Password" Sensitive="Yes">
                <StringValue>Firewall1</StringValue>
            </Property>
            <Property Name="CA.SM::Admin.Name">
                <StringValue>siteminder2</StringValue>
            </Property>
</Object><!-- Xid="CA.SM::[email protected]" -->

=========================================================================

[ODBC Policy Store]

 

adminoidadminnameadmindescpassworduserdirectoryoidrootprivsschemeoiddirauthrights
12-51b66ac5-7ee0-4656-9a6e-f90686b9e404siteminder2 {RC2}5fUq2teI4gbpxpQ1OzDtOJHX0NP3KJbM00-000-063

 

SOLUTION:

SMRights

RightHexDecimal
ManageAllDomains0x011
ManageObjects0x022
ManageUSers0x044
AdminRightsManageKeys0x088
Admin RightsManagePasswordPolicy 0x088
AdminsRightsManageReports0x1016
ManageSecurity0x2032

The SMRights are calculated using the bitmap.   SMRights = 63 = (32 + 16 + 8 + 4 + 2 +1).  The SMRights is the sum of all rights from the SMRights table.  All rights is a 'SuperUSer'.  It is easiest to take the Administrators right, and then subtract the next lowest number.  The Administrator has that right.  Then take the difference and subtract from the next lowest value on the SMRights chart again.  The final result will always be zero (0).

Example:

SMRights = 63 = (32 + 16 + 8 + 4 + 2 +1).

(63 -32)= 31

(31-16) = 15

(15- 8) = 7

(7 - 4) = 3

(3-2)= 1

(1-1)=0

Environment:

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component: