|Applies To||RSA ClearTrust 5.5.3|
|Issue||How to configure RSA ClearTrust Roles to span multiple administrative Groups|
Within the RSA ClearTrust Entitlements Manager, a role is created and assigned to a particular administrative group. This role does not span to other administrative groups, and an equivalent role would have to be created and assigned to other administrative groups.
An administrator user that is created is also assigned to a particular administrative group. In the RSA ClearTrust Entitlements Manager, if we change the role of an administrator by changing the value within the associated administrative group, the user is not prompted for authentication.
In the RSA ClearTrust Administrative API, there does not appear to be a way to change the active administrative role for a delegated administrator without doing an authentication to the administrative API.
|Resolution||Create a custom Admin GUI interface. This interface has superadmin privileges, and utilizes the RSA ClearTrust Administrative API to govern the authenticated users capabilities to add, modify, delete, etc. users from the database.|
For instance, user "jwai" logs into the customer Admin GUI interface. "jwai", who only has access to edit users and not to add or delete users, attempts to modify certain user properties. The custom Admin GUI interface which has superadmin privileges checks to see whether or not "jwai" has the capabilities and entitlements to edit users. If so, the admin actions are actually performed via the Administrative API by the custom Admin GUI interface that has superadmin privileges.
If "jwai" then attempts to add or delete users, the custom Admin GUI interface can verify that "jwai" is not entitled to complete these operations and will present "jwai" with some sort of error or redirection page.
|Legacy Article ID||a25884|