Operators and roles
A role defines what an operator can do through the STA consoles. It reflects the account's business objectives, security requirements, operational hierarchy, and workflow.
A role is a combination of the tabs, modules, and actions that are appropriate for the position. This high degree of granularity enables you to customize the security for each virtual server and role according to the account's operational requirements.
The operator role is assigned by default when a user is promoted to operator on the Operators tab. If a different role is required, create the user on the Assignment tab, promote the user to operator status from the Operators tab, and select the appropriate role at that time.
Roles are specific to the virtual server in which they are configured. The operator role grants unrestricted rights to manage the virtual server.
Role permissions
All permissions are set at the account level. As a result, an operator can have different permission levels for different accounts.
Some features may not be available in your service zone.
Where access to a module is allowed, you can still restrict the actions within that module through permissions, for example:
- To remove a role's ability to assign a token, deselect the Add check box in the Assignment section > Tokens row.
- To remove a role's ability to provision a token, deselect the Access check box in the Assignment section > Provisioning row.
- To remove a role's access to the Operators tab and all of its modules, deselect the Operators check box in the Operators section.
Add or edit a role
Existing roles are displayed in the roles list. All roles except the default operator role can be edited or removed. The role access options include a check box for each tab, and for the modules and actions on the tabs. Clearing a check box removes the tab, module, or action from the role.
After you configure roles, you can assign them to operators. You can also provision roles automatically.
- On the STA Token Management console, select Policy > Role Management and then click the Role Management task.
- To add a role, click Add.
  (Optionally) To edit an existing role, click the Edit hyperlink.
  (Optionally) To add a role that is similar to an existing role, select the existing role name, click Duplicate, and then edit the copy as required.
- Type the Role Name, and then click Next.
  There is a check box for each tab, module, and action that you can set permissions for.
  A user whose role includes Remote Services has full access to the management API, regardless of any other limitation imposed on that role, so the remaining check boxes do not constrain what that user can do through the API. As a best practice, put Remote Services in a dedicated role that grants nothing else, and assign that role only to a specific API user.
- Select the role's access permissions for tabs, modules, and actions:
  - Access—Enables the role to access the module. To limit the role to read-only access, select Access and deselect Edit. If neither Access nor Edit is selected, the module does not display.
  - Edit—Enables the role to access edit functions, even if Access is deselected; a module with Edit selected is therefore never read-only. If neither Access nor Edit is selected, the module does not display.
  - Delete—Enables the role to access delete or remove functions.
  - Add—Enables the role to access add functions.
  - Import—Enables the role to access import functions.
  - Export—Enables the role to access export functions.
  - View Log—Enables the role to access the View Log function.
- Click Save to commit the role configuration.
After you add a role, you can assign it to operators, or provision roles automatically.
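The two permission rules that most often surprise reviewers are that Edit grants edit functions even when Access is deselected (so a module that looks hidden is in fact editable) and that Remote Services overrides every other limit in the role. The following Python is an added example written for this page, not code from Thales or from the STA product; it models only the rules stated above. The dict layout for a role's check boxes, the module names such as "Assignment/Tokens", and the placement of "Remote Services" as a module are all constructed assumptions, and "a role includes Remote Services" is modelled as that module having Access or Edit selected.

```python
"""Effective-permission check for an STA role (added example, not STA code).

Rules taken from the page:
  * Access without Edit          -> the module is read-only
  * Edit (with or without Access)-> edit functions are available
  * neither Access nor Edit      -> the module is not displayed
  * Remote Services              -> full management API access, regardless of
                                    any other limit placed on the role
The role dict layout below is a constructed, hypothetical representation of
the console's check boxes; the page describes no export format.
"""

ACTIONS = ("Access", "Edit", "Delete", "Add", "Import", "Export", "View Log")
REMOTE_SERVICES = "Remote Services"  # name from the page; its section is assumed


def module_state(flags):
    """Return 'edit', 'read-only' or 'hidden' for one module's check boxes."""
    if flags.get("Edit"):
        return "edit"          # Edit wins even when Access is deselected
    if flags.get("Access"):
        return "read-only"
    return "hidden"            # neither box selected: the module does not display


def effective_states(role):
    """Map every module in the role to its effective state."""
    return {name: module_state(flags) for name, flags in role["modules"].items()}


def lint_role(role):
    """Return human-readable findings for a role dict.

    role = {"name": str, "modules": {"<section>/<module>": {action: bool}}}
    """
    findings = []
    modules = role["modules"]
    for name, flags in modules.items():
        unknown = sorted(set(flags) - set(ACTIONS))
        if unknown:
            findings.append(f"{name}: unknown action(s) {unknown}")
        if flags.get("Edit") and not flags.get("Access"):
            findings.append(
                f"{name}: Edit is selected without Access; the module is "
                "editable, not read-only")
    # Remote Services is treated as "included" when the module is not hidden.
    if module_state(modules.get(REMOTE_SERVICES, {})) != "hidden":
        others = [n for n in modules
                  if n != REMOTE_SERVICES and module_state(modules[n]) != "hidden"]
        if others:
            findings.append(
                f"{REMOTE_SERVICES}: grants full management API access regardless "
                f"of the limits on {others}; move it to a dedicated API-only role")
    return findings


# Constructed sample roles (not taken from the page).
HELPDESK_ROLE = {
    "name": "Helpdesk",
    "modules": {
        "Assignment/Tokens": {"Access": True, "Edit": False, "Add": False},
        "Assignment/Provisioning": {"Access": False, "Edit": True},  # looks hidden, is editable
        "Operators/Operators": {},                                    # tab removed from the role
    },
}

API_ROLE = {
    "name": "Integration API",
    "modules": {
        REMOTE_SERVICES: {"Access": True},
        "Assignment/Tokens": {"Access": True},  # this limit does not bind API use
    },
}

if __name__ == "__main__":
    for role in (HELPDESK_ROLE, API_ROLE):
        print(role["name"], effective_states(role))
        for finding in lint_role(role):
            print("  !", finding)
```

Run against an inventory of your roles, the first finding catches "read-only" roles that were built by clearing Access but leaving Edit on, and the second catches roles that mix Remote Services with restrictions that the API will not honour.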