Access Level for Administrator Creation

Article Id: 7569
Status: Published
Updated On: 14-02-2018 08:18
Legacy Id: TEC1845181
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On CA Single Sign-On
Issue/Introduction:

Looking for additional details on setting administrators in the adminui – specifically the XPS tools

Reference version R12.52 SP1 CR 5

XPS Tools: (only allow access to use the tool – no other rights or permission)

GUI Allowed 
Reports Allowed 
Local API Allowed 
Report API Allowed 
Import Allowed 
Export Allowed

XPSEvaluate Allowed      

XPSConfig Allowed          

XPSExplorer Allowed       

XPSSecurity Allowed       

XPSRegClient Allowed    

 

 

Cause:

Bug XPSTools.dll as well as unclear documentation

Environment:

Windows Policy server tested

Resolution:

Fix: Issue address in bug ID DE276031 provided dev-fix

 

GA release looks like R2.52 SP1 Cr9, it will also be rolled into R12.6 & R12.7

Documentation has been updated 

Additional Information:

Add User to AdminUI – follow

CA will be releases a fix for this functionality, also need to update documentation

 

Documentation is updated to correctly reflect the XPSTools functionality, namely:Only OS user is supported by XPSTools.

  1. User must exists in the systems
  2. Add OS user to local Administrator group (read-write access rights to $NETE/bin, user is automatically treated as super-user with all the permissions for all the XPS and SSO command tools)

This needs to be done using XPSSecirty (XPSSecurity tool is including in the media (e.i smreg) needs to be copied to <SSO_Home>\bin

Use XPSSecurity to create the admins 

Enter Option (A,S,C,W,B,P or Q): A

Enter Option (#NA or Q): N

Enter Option (# or BGVURAQ): 4

-------------------------------------------------------------------

Attr:  Name [CA.XPS::Administrator.Name]

Description         User's Name

Type:               String

Handling:           none

Character Case:     Mixed

New Value (blank to quit):TestAdmin

Value updated.

 

Enter Option (# or BGVURAQ): 5

-------------------------------------------------------------------

Attr:  UserPath [CA.XPS::Administrator.UserPath]

Description         Connects to the user identity

Type:               String

Handling:           none

Character Case:     Mixed

New Value (blank to quit):OS:lodbl511vm050/TAdmin

 

Value updated.

NOTE Doc bug which defines the user as OD://system_name/username  - using XPSSecurity it needs to be defined as OS:system_name/username (docs have been updated)

If os user does not has have read-write permissions, OR we want to restrict his right to only be allowed to run some tools, OS user MUST be explicitly created using the XPSSecurity tool.

 

The user created by XPSSecurity SHOULD be super-user. If list of tools he can access is not specified, he will be allowed to use all the tools:

02: Flags                           4(0x4): SuperUser

 

03: MethodsAllowed            0(0x0):

To restrict os user rights to be able to use only some tools and not the others,  MethodAllowed should list all the allowed tools, e.g.

02: Flags                           0(0x0):

 

03: MethodsAllowed            65600(0x10040): XPSExplorer, Sweeper