If we are protecting the Admin UI using SiteMinder and allowing access to users present in the user store instead of the policy store (legacy user), can we configure it in such a way that we can add user groups instead of adding individual users as Administrators?
Protecting WAMUI with SiteMinder is similar to what you configured to protect a normal application. You can specify the group under the user policy.
For example, in my case, I provide access to the user group with ou=support.
Can we add groups in the Administrator list for AdminUI access (like Report extraction access to be given only to the L1 support group or so)?
Or the workaround will be to add individual users as administrators and then give access to a group using policy which will have those users as members?
Your workaround is correct. I suggest creating an idea on this community site so others can vote for the potential enhancement request.
But this workaround is a tedious and repetitive activity: in case we need to give access to a group having 100-200 users, we need to manually add them as administrators. In this case, defining them as a group in the domain policy will not provide any help, as administrators by default have access to the Admin UI.
Do you have a use case that can explain better? This will help us better understand the requirement.
We have the below requirement from the client:
Access to SiteMinder AdminUI is to be provided to a monitoring/helpdesk team so that they can extract audit and analysis reports for analyzing the number of users accessing a web application or the number of authorized and unauthorized accesses to a particular resource, etc.
Other than this, there should be a group of SiteMinder administrators who have complete access to AdminUI.
Now, adding such users separately in the administrator tab is a tedious job, as we have 10-15 members in the monitoring team as of now (which will increase with time). Thus, we want to add a particular group in the administrator tab which can be provided access to reports. Then this group can be managed at IM level to add various users in one go.
Let me know if more information is required from my end.
Thanks in advance!
Please check whether this Idea, "Assign a Group as superuser in SM", matches your requirement.
For WAMUI, there is no way to define an Administrator in "group" format. You need to configure the administrators individually, as WAMUI has no option to select a group for the time being. The enhancement request pointed out by Leo is something that will help if it gets implemented in the future.
Protecting WAMUI with SSO will not help in this case, as you still need to configure each user from the user store at the WAMUI -> Administration -> Administrator part.
Bear with CA SSO until the enhancement request is implemented to make your life easier.
Yeah Kar, already voted for the idea shared by Leo.
Thanks a lot!