Hi Folks!
When trying to create a dedicated “Administrative Role” for “Radius Clients” administration delegation for a sub-domain, I cannot succeed in creating such a role. Please find below why.
With this administrative scope chosen:
The “Manage Radius” configuration tick boxes are not present, thus you cannot assign permissions for the role on Radius clients.
When trying to create a Radius Client with the user who has the configured role assigned, you don't even have the “Add New” button in the top menu:
When adding the tick on the top “SystemDomain” to the created Administrative Role:
Now, the “Manage Radius” configuration tick boxes are present, thus you can assign permissions for the role on Radius clients:
Now you have the “Add new” button in the top menu:
And the user with the Administrative Role can create the Radius client:
Next, proceed to the Associated RSA Agent creation:
And now comes the issue...
The user has just created a Radius Client & an associated RSA Agent, but not in his sub-domain; they were both created at top-level (SystemDomain).
In my precise config, as the user only has a delegation for RSA Agent Administration on his sub-domain, he won't be able to create the associated RSA Agent for the Radius client he just created. This sounds like nonsense to me...
I really need to get a clear explanation on this point, because I don't want to have my sub-domain administrators being able to modify the Radius Clients that should be held in a different Security Domain, and managed by other sub-domain admins. Plus, I need them to be able to create the associated RSA Agent linked to the Radius clients, both in their assigned sub-domain.
How can I proceed to have this achieved like it should be, i.e. ordered and managed in their own Security Sub-Domain?
Thanks in advance for your clues and/or answers! :-)
Kind Regards,
David
Hi folks!
After getting in touch with the RSA Support Team, it looks like you cannot achieve that task because Radius Clients are created at top-level SystemDomain, and not in a sub-domain.
You can have a look at the idea I submitted and vote for it, as, from my point of view, that option should be possible: Ability to create an Administrative Role to delegate Radius clients administration for a sub-domain (or Radius Clients creation in sub-domain instead of SystemDomain)
Without this configuration option possible, you cannot really build an RBAC matrix for Radius Clients administration delegation.
Kind Regards,
David