CA SSO Administrator Rights

Document ID : KB000033210
Last Modified Date : 14/02/2018

PROBLEM:

The CA SSO (Single Sign-On) Administrator permissions are stored in the Policy Store as a single integer value, calculated as a bit map of the individual rights. The value can be seen in XPSExplorer, in a Policy Store export file generated by 'xpsexport', and by looking directly at the Administrator object in either an LDAP or ODBC Policy Store.

[XPSExplorer]

=========================================================================

------------------------- Object Meta Data ------------------------
XID: CA.SM::Admin@12-51b66ac5-7ee0-4656-9a6e-f90686b9e404

------------------- Attributes from CA.SM::Admin ------------------
    Name                            = "siteminder2"
    Password                        = <***>
    Rights                          = 63(0x3f): ManageAllDomains,ManageObjects,ManageUsers,ManageSecurity,CacheManager,RegisterTrustedHosts

=========================================================================

[XPSExport]

=========================================================================

<Object Class="CA.SM::Admin" Xid="CA.SM::Admin@12-51b66ac5-7ee0-4656-9a6e-f90686b9e404" CreatedDateTime="2015-04-14T14:16:13" ModifiedDateTime="2015-04-14T14:16:13" UpdatedBy="siteminder" UpdateMethod="GUI" ExportType="Replace">
            <Property Name="CA.SM::Admin.DirectoryAuth">
                <BooleanValue>false</BooleanValue>
            </Property>
            <Property Name="CA.SM::Admin.Rights">
                <NumberValue>63</NumberValue>
            </Property>
            <Property Name="CA.SM::Admin.Password" Sensitive="Yes">
                <StringValue>Firewall1</StringValue>
            </Property>
            <Property Name="CA.SM::Admin.Name">
                <StringValue>siteminder2</StringValue>
            </Property>
</Object><!-- Xid="CA.SM::Admin@12-51b66ac5-7ee0-4656-9a6e-f90686b9e404" -->

=========================================================================

[ODBC Policy Store]


The Administrator row and its columns (the column values ran together in the extract; the trailing 63 is the rights column):

Columns:  adminoid, adminname, admindesc, password, userdirectoryoid, rootprivs, schemeoid, dirauth, rights
Row:      12-51b66ac5-7ee0-4656-9a6e-f90686b9e404  siteminder2  {RC2}5fUq2teI4gbpxpQ1OzDtOJHX0NP3KJbM00-000-063

SOLUTION:

SMRights

Right                                  Hex     Decimal
ManageAllDomains                       0x01    1
ManageObjects                          0x02    2
ManageUsers                            0x04    4
ManageKeys (Admin Rights)              0x08    8
ManagePasswordPolicy (Admin Rights)    0x08    8
ManageReports (Admin Rights)           0x10    16
ManageSecurity                         0x20    32

The SMRights value is calculated from the bit map: it is the sum of the Decimal values of the rights the Administrator holds, taken from the SMRights table. For example, SMRights = 63 = (32 + 16 + 8 + 4 + 2 + 1). An Administrator holding all rights is a 'SuperUser'. The easiest way to decode a value is to take the Administrator's Rights number and subtract the largest value in the SMRights table that fits; the Administrator holds that right. Then take the difference and subtract the next lower value from the SMRights table that fits, and repeat. The final result will always be zero (0).

Example:

SMRights = 63 = (32 + 16 + 8 + 4 + 2 +1).

(63 - 32) = 31

(31 - 16) = 15

(15 - 8) = 7

(7 - 4) = 3

(3 - 2) = 1

(1 - 1) = 0
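As an added example (not part of this CA document), the following Python decodes an Admin.Rights value against the SMRights table above, reproduces the subtraction walk-through, reports any bit the table does not name rather than ignoring it, and reads the value out of an xpsexport <Object>; the function names and the trimmed sample object are this example's own.

```python
import xml.etree.ElementTree as ET

# SMRights table from this page, in descending bit order. ManageKeys and
# ManagePasswordPolicy share 0x08, exactly as the page's table lists them.
SM_RIGHTS = [
    ("ManageSecurity", 0x20), ("ManageReports", 0x10),
    ("ManageKeys", 0x08), ("ManagePasswordPolicy", 0x08),
    ("ManageUsers", 0x04), ("ManageObjects", 0x02), ("ManageAllDomains", 0x01),
]
TABLE_MASK = 0x3F  # every table bit set: 32+16+8+4+2+1 = 63 = 'SuperUser'


def decode_rights(rights):
    """Return (granted right names, bits not covered by the table)."""
    if rights < 0:
        raise ValueError("Rights is an unsigned bit map")
    granted = [name for name, bit in SM_RIGHTS if rights & bit]
    unknown = rights & ~TABLE_MASK  # non-zero: a bit the table does not name
    return granted, unknown


def subtraction_trace(rights):
    """The page's manual method: subtract the largest table value that fits.
    Returns ([(before, subtracted, after, right), ...], remainder)."""
    steps, remaining = [], rights
    for name, bit in SM_RIGHTS:
        if remaining & bit:
            steps.append((remaining, bit, remaining - bit, name))
            remaining -= bit
    return steps, remaining  # remainder is 0 once every bit is accounted for


def is_superuser(rights):
    return rights & TABLE_MASK == TABLE_MASK


def rights_from_xpsexport(xml_text):
    """Read CA.SM::Admin.Rights from one <Object> element of an xpsexport file."""
    for prop in ET.fromstring(xml_text).iter("Property"):
        if prop.get("Name") == "CA.SM::Admin.Rights":
            return int(prop.findtext("NumberValue"))
    raise KeyError("CA.SM::Admin.Rights not present")


# Constructed sample, cut down from the export shown on this page (hypothetical Xid).
SAMPLE_OBJECT = """<Object Class="CA.SM::Admin" Xid="CA.SM::Admin@12-example">
  <Property Name="CA.SM::Admin.Name"><StringValue>siteminder2</StringValue></Property>
  <Property Name="CA.SM::Admin.Rights"><NumberValue>63</NumberValue></Property>
</Object>"""
```

A non-zero remainder from subtraction_trace (or a non-zero unknown value from decode_rights) means the stored integer carries a bit this table does not list, which is worth checking before treating the decode as complete.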