The Identity Vault Administrator is a user who has rights to configure the Identity Vault. This is a logical role that can be shared with other administrative user types.
The Identity Vault Administrator needs the following rights:
Supervisor rights to the User Application driver and all the objects it contains. You can accomplish this by setting the rights at the driver container level and making them inheritable.
Supervisor Entry rights to any of the users that are defined through the directory abstraction layer user entity definition. This should include Write attribute rights to objectClass and any of the attributes associated with the DirXML-EntitlementRecipient, srvprvEntityAux and srvprvUserAux auxiliary classes.
Supervisor rights to the container object cn=DefaultNotificationCollection, cn=Security. This object stores the email server settings used for automated provisioning emails, and it can contain SecretStore credentials for authenticating to the email server itself.
Supervisor rights to the container object cn=Authorized Login Methods, cn=Security. During the User Application installation the SAML Assertion object is created in this container.
Ensure that you have supervisor rights to the cn=Security container before you install the User Application. During the User Application installation, the container cn=RBPMTrustedRootContainer is created under the cn=Security container.
Alternatively, manually create the cn=RBPMTrustedRootContainer,cn=Security container (create an object called Trusted Root Container with object class NDSPKI:Trusted Root inside the Security container), and then assign supervisor rights to the container.
You must manually create a User Application Administrator account in the eDirectory Identity Vault for the Roles Based Provisioning Module to install correctly. The User Application Administrator account must be a trustee of the top container and must have Supervisor rights to the container.
When you create the User Application Administrator account, you must assign a password policy to this new user account. For more information, see Creating Password Policies in the Password Management Administration Guide.
The integrated installer for Identity Manager creates a default User Application Administrative account as cn=uaadmin.ou=sa.o=data. Designer pre-populates fields with this account name. When using the standalone installation program, you can create the same account name or use a different account name.
To create the permissions for the User Application Administrator account, apply the following LDAP Data Interchange Format (LDIF) records (the %%...%% placeholders stand for the DN of the User Application container and the DN of the User Application Administrator account):

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 1#subtree#[Root]#[Entry Rights]

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#description

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#directReports

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#mail

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#manager

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#photo

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#srvprvQueryList

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#srvprvUserPrefs

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#telephoneNumber

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#title

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 17#subtree#%%RBPM_USER_APP_ADMIN_DN%%#[Entry Rights]
ACL: 35#subtree#%%RBPM_USER_APP_ADMIN_DN%%#[All Attributes Rights]
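The ACL values above use the eDirectory form privileges#scope#subject#protectedName, where privileges is a bit mask. The following added example (not part of this guide or of the product) decodes those masks and audits an LDIF before it is applied: it checks that the administrator DN actually receives Supervisor entry rights and flags any Write or Supervisor grant to [Root] or [Public]. The bit tables and the sample DNs (o=data, cn=uaadmin,ou=sa,o=data) are assumptions; bits outside the tables are reported numerically rather than named.

```python
"""Decode and audit eDirectory ACL values: privileges#scope#subject#protectedName."""

# Assumed privilege bits for [Entry Rights] and for attribute rights.
ENTRY_BITS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Add Self", 32: "Supervisor"}

# Constructed sample: a subset of the guide's LDIF with the placeholders filled in.
SAMPLE_LDIF = """\
dn: o=data
changetype: modify
add: ACL
ACL: 1#subtree#[Root]#[Entry Rights]

dn: o=data
changetype: modify
add: ACL
ACL: 3#subtree#o=data#description

dn: o=data
changetype: modify
add: ACL
ACL: 17#subtree#cn=uaadmin,ou=sa,o=data#[Entry Rights]
ACL: 35#subtree#cn=uaadmin,ou=sa,o=data#[All Attributes Rights]
"""

def decode_acl(value):
    """Split one ACL value into its fields and name the privilege bits."""
    priv, scope, subject, protected = value.split("#", 3)
    priv = int(priv)
    table = ENTRY_BITS if protected == "[Entry Rights]" else ATTR_BITS
    rights = [name for bit, name in table.items() if priv & bit]
    if priv & ~sum(table):  # bits not covered by the table above
        rights.append(f"bit {priv & ~sum(table)}")
    return {"privileges": priv, "rights": rights, "scope": scope,
            "subject": subject, "protected": protected}

def parse_ldif_acls(ldif_text):
    """Yield (record dn, raw ACL value) for every ACL: line in the LDIF."""
    dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("ACL: "):
            yield dn, line[5:].strip()

def audit(ldif_text, admin_dn):
    """Return findings: admin needs Supervisor entry rights; [Root]/[Public] must not get Write/Supervisor."""
    findings, admin_is_supervisor = [], False
    for dn, raw in parse_ldif_acls(ldif_text):
        acl = decode_acl(raw)
        if acl["subject"] == admin_dn and acl["protected"] == "[Entry Rights]" and "Supervisor" in acl["rights"]:
            admin_is_supervisor = True
        if acl["subject"] in ("[Root]", "[Public]") and {"Write", "Supervisor"} & set(acl["rights"]):
            findings.append(f"{dn}: {acl['subject']} granted {acl['rights']} on {acl['protected']}")
    if not admin_is_supervisor:
        findings.append(f"{admin_dn} lacks Supervisor entry rights")
    return findings
```

Run audit() against the LDIF you intend to apply, with the real administrator DN substituted; an empty list means the two checks passed.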