2.5 Security Measures for Delegated Administrators

Delegated administrators for policy containers have sufficient rights to implement a cross-site scripting attack using the Deny Message in an Access Gateway Authorization policy.

They can also access the configuration datastore with an LDAP browser. Modifications made with an LDAP browser are not logged by Access Manager.

To keep track of delegated administrators' activities, you can configure eDirectory to audit the events that come from LDAP connections to the LDAP server.

For information about how to activate eDirectory auditing for LDAP events, see Activating eDirectory Auditing for LDAP Events in the NetIQ Access Manager 4.3 Administration Guide.
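
Once LDAP auditing is active, the two audit trails can be compared to find datastore writes that Access Manager never recorded. The following is an added example, not code from the product or its documentation. It assumes both logs have already been parsed into simple records, that an administrator appears under the same DN in both, and that a console change shows up in both logs within a few seconds; the base DN, field names and sample events are constructed placeholders.

```python
from datetime import datetime, timedelta

# Placeholder base DN of the configuration datastore (assumption, replace with yours).
CONFIG_STORE_BASE = "ou=config-store-placeholder,o=example"
WRITE_OPS = {"add", "modify", "delete", "modrdn"}


def under_base(dn, base=CONFIG_STORE_BASE):
    """Case-insensitive check that dn is the base entry or lies below it."""
    dn, base = dn.strip().lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def unlogged_ldap_writes(ldap_events, am_events, window_seconds=5):
    """Return LDAP writes to the config store that have no Access Manager
    audit record by the same administrator within window_seconds."""
    window = timedelta(seconds=window_seconds)
    logged = {}
    for ev in am_events:
        logged.setdefault(ev["admin"].lower(), []).append(
            datetime.fromisoformat(ev["time"]))
    findings = []
    for ev in ldap_events:
        if ev["op"] not in WRITE_OPS or not under_base(ev["target"]):
            continue  # reads and writes outside the datastore are out of scope
        when = datetime.fromisoformat(ev["time"])
        times = logged.get(ev["bind_dn"].lower(), [])
        if not any(abs(when - t) <= window for t in times):
            findings.append(ev)
    return findings


# Constructed sample records (not real eDirectory or Access Manager output).
LDAP_EVENTS = [
    {"time": "2024-03-01T10:00:02", "bind_dn": "cn=deleg1,o=example", "op": "modify",
     "target": "cn=policyA,ou=config-store-placeholder,o=example"},
    {"time": "2024-03-01T11:30:00", "bind_dn": "cn=deleg1,o=example", "op": "modify",
     "target": "cn=policyB,OU=Config-Store-Placeholder,O=Example"},
    {"time": "2024-03-01T11:31:00", "bind_dn": "cn=deleg1,o=example", "op": "search",
     "target": "ou=config-store-placeholder,o=example"},
    {"time": "2024-03-01T11:32:00", "bind_dn": "cn=deleg2,o=example", "op": "modify",
     "target": "cn=user1,ou=users,o=example"},
]
AM_EVENTS = [{"time": "2024-03-01T10:00:00", "admin": "cn=deleg1,o=example"}]

if __name__ == "__main__":
    for ev in unlogged_ldap_writes(LDAP_EVENTS, AM_EVENTS):
        print("unlogged write:", ev["time"], ev["bind_dn"], ev["op"], ev["target"])
```

With the sample data, only the 11:30 write to `policyB` is reported, because it has no Access Manager record from the same administrator near that time.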