Creating an SDP Admin or API User and Determining the Correct Privileges


AppGate SDP lets you create Admin accounts with granular access controls, so that an administrator can reach only the parts of the system that the role requires. The most common use cases are API accounts used for task automation, and restricted Admin access for other teams that hold some responsibility in the system, such as a Security Operations Center (SOC).

Roles are configured in the SDP Admin user interface at System > Admin Roles. A role is then attached to an Admin Policy, and the Policy is assigned to a user. The user may be an account from an Identity Provider (IDP) or from the local user database; either way, the role reaches the user through the Policy that user receives.

Admin roles define the privileges (e.g., editing Policies, deleting Policies, revoking tokens) that can be exercised from the Admin UI. Admin roles are assigned to administrators through Policies, just as Entitlements are assigned to users. The Admin roles held by an administrator are listed in their Entitlement token once they have logged into the Admin UI, and remain valid until the session ends (i.e., until they sign out), the Entitlement token expires, or the Entitlement is renewed, whichever occurs soonest.

The AppGate SDP Admin Guide provides details on how to add Admin users and assign roles.

Configuring Admin Roles

Admin privileges - Limited Dashboard Access

Access to the SDP Admin Dashboard works slightly differently from other single-function pages, because the Dashboard draws on a number of Target Items at once. Limiting Dashboard access therefore gives an admin only partial access to the information on the Dashboard (e.g., privileges to see user sign-in and on-boarded device information, but not Admin Messages or Appliance information).

Full Dashboard access

For full dashboard access, the following privileges are required:

• <View> privileges on <AdminMessage>
• <CheckStatus> privileges on <Appliance>
• <View> privileges on <SessionInfo>
• <View> privileges on <TokenRecord> (for user sign-ins)
• <View> privileges on <RegisteredDevice>
• <View> privileges on <User License>
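The list above is the whole requirement, so it can be turned into a checklist. The script below is an added example, not AppGate's own code: it builds an Admin Role body from exactly those privilege pairs and audits an existing role for missing or excess privileges. It models a role the way the SDP Admin API represents it (a list of privileges, each with a `type` and a `target`) and treats "All" as a wildcard on either field; those details, and the target spelling `UserLicense` for what the article calls "User License", are assumptions to verify against the API reference for your Controller version.

```python
"""Determine and audit the privileges an SDP Admin Role needs for full Dashboard access.

Added example, not AppGate's own code. Role shape (``type``/``target`` pairs),
the "All" wildcard and the target spelling "UserLicense" are assumptions to
check against the Admin API reference for your Controller version.
"""
import json

# The (type, target) pairs the article lists as required for full Dashboard access.
FULL_DASHBOARD_PRIVILEGES = [
    ("View", "AdminMessage"),
    ("CheckStatus", "Appliance"),
    ("View", "SessionInfo"),
    ("View", "TokenRecord"),      # user sign-ins
    ("View", "RegisteredDevice"),
    ("View", "UserLicense"),      # assumed API spelling of the article's "User License"
]


def build_role(name, privileges, notes=""):
    """Return an Admin Role body carrying exactly the given privileges and nothing else."""
    return {
        "name": name,
        "notes": notes,
        "privileges": [{"type": t, "target": tgt} for t, tgt in privileges],
    }


def _covers(priv, needed_type, needed_target):
    """True if one role privilege satisfies a needed (type, target) pair.

    "All" is assumed to act as a wildcard for either field.
    """
    return (priv["type"] in ("All", needed_type)
            and priv["target"] in ("All", needed_target))


def missing_for_dashboard(role):
    """List the Dashboard privileges the role does not grant (empty means full access)."""
    return [
        (t, tgt) for t, tgt in FULL_DASHBOARD_PRIVILEGES
        if not any(_covers(p, t, tgt) for p in role["privileges"])
    ]


def excess_for_dashboard(role):
    """List role privileges that go beyond what the Dashboard needs.

    Any wildcard privilege is reported, because "All" grants far more than a
    Dashboard-only role should hold; exact pairs outside the list are reported too.
    """
    needed = set(FULL_DASHBOARD_PRIVILEGES)
    return [
        (p["type"], p["target"]) for p in role["privileges"]
        if p["type"] == "All" or p["target"] == "All"
        or (p["type"], p["target"]) not in needed
    ]


if __name__ == "__main__":
    # Constructed roles for illustration only.
    dashboard_role = build_role("Dashboard Read-Only", FULL_DASHBOARD_PRIVILEGES,
                                "SOC: full Dashboard, nothing else")
    soc_partial = build_role("SOC Sign-in Watch",
                             [("View", "SessionInfo"), ("View", "TokenRecord")])
    too_broad = build_role("Everything", [("All", "All")])

    print(json.dumps(dashboard_role, indent=2))
    print("partial role lacks:", missing_for_dashboard(soc_partial))
    print("wildcard role lacks:", missing_for_dashboard(too_broad))
    print("wildcard role excess:", excess_for_dashboard(too_broad))
```

The audit makes the least-privilege trade-off visible: a role holding `All` on `All` passes the "nothing missing" check but fails the "nothing excess" check, so a SOC Dashboard role should be built from the six exact pairs rather than a wildcard.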