Securing Access Manager

[terry_stjean]

If someone has Access Manager Admin installed on their PC, is there anyway to restrict what they can do in Access Manager. For example, only mantain certain users in a group.
Also, does a user have to be part of Root User Class to be able to use Access Manager or can they belong to any group as long as they have an account in Access Manager.

Terry

[COGNOiSe administrator]

They can belong to a UC different than Root UC and administer all users in that particular UC. Check documentation on the subject of delegation.

[SomeClown]

The way I've seen it work to get close to Sarbox compliance is to do the following:

Root Userclass
   Security Admin Userclass
        App Admin1 UC
             App 1 UCs
        App Admin 2 UC
             App 2 UCs
etc, etc,

UCs browse/delegate down (can't see all).  Gave all Admin UCs rights to see all Users so that one user could be assigned to multiple apps.    App Admin UCs can create their own UCs under their branch but not someone else's

Security Admin is dedicated security group that doesn't administer apps, only userids, etc.  Not 100% SOX but close enough for many companies.

Careful on some of the settings on UC delegation permissions.  It's possible to reset an entire branch when you don't mean to.