Siteminder Administrator Rights

Article ID: 33210

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

The Symantec Siteminder Administrator permissions are represented in the Policy Store as an integer value, calculated from a bitmap. This value can be seen in XPSExplorer, in a Policy Store export file generated by 'xpsexport', or by looking directly at the Administrator object in either an LDAP or ODBC Policy Store.

Environment

PRODUCT: Siteminder

COMPONENT: Policy Server

VERSION: Any

OPERATING SYSTEM: Any

Cause

[XPSExplorer]

=========================================================================

------------------------- Object Meta Data ------------------------
XID: CA.SM::Admin@12-51b66ac5-7ee0-4656-9a6e-f90686b9e404

------------------- Attributes from CA.SM::Admin ------------------
    Name                            = "siteminder2"
    Password                        = <***>
    Rights                          = 63(0x3f): ManageAllDomains,ManageObjects,ManageUsers,ManageSecurity,CacheManager,RegisterTrustedHosts

=========================================================================

 

[XPSExport]

=========================================================================

<Object Class="CA.SM::Admin" Xid="CA.SM::Admin@12-51b66ac5-7ee0-4656-9a6e-f90686b9e404" CreatedDateTime="2015-04-14T14:16:13" ModifiedDateTime="2015-04-14T14:16:13" UpdatedBy="{siteminder_Admin}" UpdateMethod="GUI" ExportType="Replace">
            <Property Name="CA.SM::Admin.DirectoryAuth">
                <BooleanValue>false</BooleanValue>
            </Property>
            <Property Name="CA.SM::Admin.Rights">
                <NumberValue>63</NumberValue>
            </Property>
            <Property Name="CA.SM::Admin.Password" Sensitive="Yes">
                <StringValue>{Admin_Password}</StringValue>
            </Property>
            <Property Name="CA.SM::Admin.Name">
                <StringValue>{Admin_Name}</StringValue>
            </Property>
</Object><!-- Xid="CA.SM::Admin@12-51b66ac5-7ee0-4656-9a6e-f90686b9e404" -->

=========================================================================

[ODBC Policy Store]

    adminoid                        = 12-51b66ac5-7ee0-4656-9a6e-f90686b9e404
    adminname                       = {Admin_Name}
    admindesc                       =
    password                        = {RC2}#################
    userdirectoryoid                = 00-
    rootprivs                       = 0
    schemeoid                       = 00-
    dirauth                         = 0
    rights                          = 63

Resolution

SMRights

Right                              Hex     Decimal
ManageAllDomains                   0x01    1
ManageObjects                      0x02    2
ManageUsers                        0x04    4
AdminRightsManageKeys              0x08    8
AdminRightsManagePasswordPolicy    0x08    8
AdminRightsManageReports           0x10    16
ManageSecurity                     0x20    32

The SMRights value is calculated using the bitmap. SMRights = 63 = (32 + 16 + 8 + 4 + 2 + 1), which is the sum of all rights from the SMRights table. An Administrator with all rights is a 'SuperUser'. The easiest way to decode a value is to take the Administrator's Rights value and subtract the next lowest number in the SMRights table (the highest table value that is not greater than it); the Administrator has that right. Then take the difference and subtract the next lowest value in the SMRights table again, and repeat. The final result will always be zero (0).

Example:

SMRights = 63 = (32 + 16 + 8 + 4 + 2 + 1).

(63 - 32) = 31
(31 - 16) = 15
(15 - 8) = 7
(7 - 4) = 3
(3 - 2) = 1
(1 - 1) = 0
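
The same decoding done with bitwise AND over an xpsexport-style file, so every Admin object can be reviewed for SuperUser (63) rights. This is an added example, not code from the original article or from the product. The sample XML is constructed in the shape shown above (the `<Export>` wrapper, the `helpdesk` account and the Xid values are assumptions), the bit names come from the SMRights table, and a real export may need XML namespace handling.

```python
import xml.etree.ElementTree as ET

# Bit values and names from the SMRights table on this page; 0x08 has two names there.
SM_RIGHTS = {
    0x01: "ManageAllDomains",
    0x02: "ManageObjects",
    0x04: "ManageUsers",
    0x08: "AdminRightsManageKeys/AdminRightsManagePasswordPolicy",
    0x10: "AdminRightsManageReports",
    0x20: "ManageSecurity",
}
ALL_RIGHTS = sum(SM_RIGHTS)  # sum of the keys: 0x3f = 63, the 'SuperUser' value

def decode_rights(value):
    """Return (names of the rights set in value, leftover bits not in the table)."""
    names = [name for bit, name in SM_RIGHTS.items() if value & bit]
    return names, value & ~ALL_RIGHTS

def audit_admins(xml_text):
    """Return (name, rights, names, unknown_bits, is_superuser) per CA.SM::Admin object."""
    results = []
    for obj in ET.fromstring(xml_text).iter("Object"):
        if obj.get("Class") != "CA.SM::Admin":
            continue
        props = {p.get("Name"): p for p in obj.findall("Property")}
        name = props["CA.SM::Admin.Name"].findtext("StringValue")
        rights = int(props["CA.SM::Admin.Rights"].findtext("NumberValue"))
        names, unknown = decode_rights(rights)
        superuser = (rights & ALL_RIGHTS) == ALL_RIGHTS
        results.append((name, rights, names, unknown, superuser))
    return results

# Constructed sample input; wrapper element, second account and Xids are hypothetical.
SAMPLE_EXPORT = """<Export>
<Object Class="CA.SM::Admin" Xid="CA.SM::Admin@example-1">
  <Property Name="CA.SM::Admin.Rights"><NumberValue>63</NumberValue></Property>
  <Property Name="CA.SM::Admin.Name"><StringValue>siteminder2</StringValue></Property>
</Object>
<Object Class="CA.SM::Admin" Xid="CA.SM::Admin@example-2">
  <Property Name="CA.SM::Admin.Rights"><NumberValue>6</NumberValue></Property>
  <Property Name="CA.SM::Admin.Name"><StringValue>helpdesk</StringValue></Property>
</Object>
</Export>"""

if __name__ == "__main__":
    for name, rights, names, unknown, superuser in audit_admins(SAMPLE_EXPORT):
        flag = "SUPERUSER" if superuser else "limited"
        print(f"{name}: {rights} (0x{rights:02x}) [{flag}] {', '.join(names)} unknown=0x{unknown:x}")
```

Any non-zero unknown-bits value means the stored integer carries bits outside the six listed in the table and should be checked by hand.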