34.2 Assign Rights to Identity Vault Administrator and User Application Administrator Account

The Identity Vault Administrator is a user who has rights to configure the Identity Vault. This is a logical role that can be shared with other administrative user types.

The Identity Vault Administrator needs the following rights:

  • Supervisor rights to the User Application driver and all the objects it contains. You can accomplish this by setting the rights at the driver container level and making them inheritable.

  • Supervisor Entry rights to any of the users that are defined through the directory abstraction layer user entity definition. This should include Write attribute rights to objectClass and any of the attributes associated with the DirXML-EntitlementRecipient, srvprvEntityAux and srvprvUserAux auxiliary classes.

  • Supervisor rights to the container object cn=DefaultNotificationCollection, cn=Security. This object persists email server settings used for automated provisioning emails. It can contain SecretStore credentials for authenticating to the email server itself.

  • Supervisor rights to the container object cn=Authorized Login Methods, cn=Security. During the User Application installation the SAML Assertion object is created in this container.

  • Ensure that you have Supervisor rights to the cn=Security container before you install the User Application. During the User Application installation, the container cn=RBPMTrustedRootContainer is created under the cn=Security container.

    Alternatively, manually create the cn=RBPMTrustedRootContainer,cn=Security container (create an object called Trusted Root Container with object class NDSPKI:Trusted Root inside the Security container), and then assign supervisor rights to the container.

You must manually create a User Application Administrator account in the eDirectory Identity Vault for the Roles Based Provisioning Module to install correctly. The User Application Administrator account must be a trustee of the top container and must have Supervisor rights to the container.

When you create the User Application Administrator account, you must assign a password policy to this new user account. For more information, see Creating Password Policies in the Password Management Administration Guide.

The integrated installer for Identity Manager creates a default User Application Administrator account as cn=uaadmin.ou=sa.o=data. Designer pre-populates fields with this account name. When using the standalone installation program, you can create the same account name or use a different account name.

To grant the User Application Administrator account its permissions, apply the following LDAP Data Interchange Format (LDIF) records to the Identity Vault (for example with an LDIF import tool), substituting the %%RBPM_USER_APP_CONTAINER_DN%% and %%RBPM_USER_APP_ADMIN_DN%% placeholders with the DNs of the User Application container and the administrator account:

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 1#subtree#[Root]#[Entry Rights]

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#description

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#directReports

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#mail

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#manager

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#photo

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#srvprvQueryList

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#srvprvUserPrefs

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#telephoneNumber

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#title

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 17#subtree#%%RBPM_USER_APP_ADMIN_DN%%#[Entry Rights]
ACL: 35#subtree#%%RBPM_USER_APP_ADMIN_DN%%#[All Attributes Rights]
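The numeric prefix of each ACL value above is a privilege bitmask in eDirectory's ACL syntax (privileges#scope#trustee#protectedAttribute). The following script, an added example and not part of the NetIQ guide or product, decodes those values and checks the requirement stated earlier in this section: that the administrator account holds Supervisor entry rights on the container. The privilege bit values are eDirectory's documented ones (entry rights: Browse 1, Add 2, Delete 4, Rename 8, Supervisor 16, Inherit ACL 64; attribute rights: Compare 1, Read 2, Write 4, Self 8, Supervisor 32, Inherit ACL 64). The sample LDIF is constructed for the example and uses made-up DNs (o=data, cn=uaadmin,ou=sa,o=data) in place of the guide's %%...%% placeholders. Because LDIF treats a line beginning with a space as a continuation of the previous line, the script unfolds lines first; an indented "dn:" line in a badly copied LDIF would otherwise silently be appended to the preceding ACL value.

```python
"""Decode eDirectory ACL values from an LDIF modify stream and audit what they grant.

Added example, not from the NetIQ guide. The ACL value format
(privileges#scope#trustee#protectedAttribute) and the bit values below are
eDirectory's documented ACL syntax; SAMPLE_LDIF is constructed and uses
example DNs in place of the guide's %%RBPM_..._DN%% placeholders.
"""
from dataclasses import dataclass

# Entry-rights bits apply when the protected attribute is "[Entry Rights]".
ENTRY_RIGHTS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename",
                16: "Supervisor", 64: "Inherit ACL"}
# Attribute-rights bits apply to a named attribute or "[All Attributes Rights]".
ATTRIBUTE_RIGHTS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self",
                    32: "Supervisor", 64: "Inherit ACL"}

# Constructed sample modelled on the guide's LDIF; DNs are examples only.
SAMPLE_LDIF = """\
dn: o=data
changetype: modify
add: ACL
ACL: 1#subtree#[Root]#[Entry Rights]

dn: o=data
changetype: modify
add: ACL
ACL: 3#subtree#o=data#mail

dn: o=data
changetype: modify
add: ACL
ACL: 17#subtree#cn=uaadmin,ou=sa,o=data#[Entry Rights]
ACL: 35#subtree#cn=uaadmin,ou=sa,o=data#[All Attributes Rights]
"""


@dataclass(frozen=True)
class Acl:
    target: str      # DN of the object carrying the ACL attribute
    privileges: int  # bitmask, interpreted per the protected attribute
    scope: str       # "entry" or "subtree"
    trustee: str     # DN, or a special trustee such as [Root] or [Public]
    protected: str   # attribute name, [Entry Rights] or [All Attributes Rights]

    def rights(self) -> list[str]:
        """Names of the granted rights, using the entry or attribute bit table."""
        table = ENTRY_RIGHTS if self.protected == "[Entry Rights]" else ATTRIBUTE_RIGHTS
        return [name for bit, name in sorted(table.items()) if self.privileges & bit]

    def is_supervisor(self) -> bool:
        return "Supervisor" in self.rights()


def parse_acl_value(target: str, value: str) -> Acl:
    """Split one ACL attribute value into its four '#'-separated fields."""
    parts = value.split("#", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed ACL value: {value!r}")
    priv, scope, trustee, protected = parts
    return Acl(target, int(priv), scope, trustee, protected)


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_acls(text: str) -> list[Acl]:
    """Collect every ACL: value in the stream, tagged with the dn of its record."""
    acls: list[Acl] = []
    dn = None
    for line in unfold_ldif(text):
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif line.startswith("ACL:") and dn is not None:
            acls.append(parse_acl_value(dn, line.split(":", 1)[1].strip()))
    return acls


def supervisor_trustees(acls: list[Acl], target: str) -> set[str]:
    """Trustees holding Supervisor entry rights on `target` (the admin-account requirement)."""
    return {a.trustee for a in acls
            if a.target == target and a.protected == "[Entry Rights]" and a.is_supervisor()}


if __name__ == "__main__":
    parsed = parse_ldif_acls(SAMPLE_LDIF)
    for acl in parsed:
        print(f"{acl.target}: {acl.trustee} -> {acl.protected} ({acl.scope}): {', '.join(acl.rights())}")
    print("Supervisor entry-rights trustees on o=data:", sorted(supervisor_trustees(parsed, "o=data")))
```

Running the script against a real export of the container's ACL attribute (for instance an LDIF produced by an LDAP search tool) lists every trustee and the rights it holds, which is the quickest way to confirm after installation that only the intended administrator account carries Supervisor rights on the User Application container.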