SiteMinder WorkSpace access to Child-level Objects for other types of Scoped Administrators

Discussion created by SG_WCB on Oct 1, 2015
Latest reply on Oct 1, 2015 by kristen.palazzolo

Description & Error Message: We have several applications protected in SiteMinder, with each application having its own defined domain. Each policy domain for each application has a policy called POLICY_APPName_OUTAGE that allows us, when enabled, to redirect external clients to an outage page when our developers are performing application maintenance tasks (i.e. upgrading applications).


There's a group in our organization that I would like to have the ability to access ONLY the outage policy. I only want them to enable and disable the policy. I don't want them to access the other areas of the Policy Domain of each application, i.e. anything in the General, Realms, Responses, Rule Groups and/or Variables tab.


I tried to create a workspace and associate a scoped user to the workspace. But the workspace only allows me to select the entire Policy Domain for each Application as available and/or read-only. This would give the user access to the entire app's configuration in SiteMinder.


Because we foresee there may be different roles logging onto the SiteMinder Admin UI to perform different tasks, there may be a need to gain access to child-level objects when creating a workspace to assign to a scoped administrator.


The SiteMinder documentation mentions, "A workspace defines a subset of CA SiteMinder® policy data that can be used to limit the scope of an administrator to which it is assigned.

Note: A scoped administrator can only manage the top-level objects (and their children) that are defined in the assigned workspace, regardless of their privileges. Add all top-level objects that you want the scoped administrator to be able to manage."



In future releases, will SiteMinder have the ability to get more granular, so only the user has access to child objects like the outage policy defined within each Application Policy Domain? It would be a benefit.