2.1 Administrative Users

The identity applications have several administrative users. During installation, you establish the following administrators:

2.1.1 Identity Vault Administrator

A user who has rights to configure the Identity Vault. This is a logical role that can be shared with other administrative user types.

The Identity Vault Administrator needs the following rights:

  • Supervisor rights to the User Application driver and all the objects it contains. You can accomplish this by setting the rights at the driver container level and making them inheritable.

  • Supervisor Entry rights to any of the users that are defined through the directory abstraction layer user entity definition. This should include Write attribute rights to objectClass and to any of the attributes associated with the DirXML-EntitlementRecipient, srvprvEntityAux and srvprvUserAux auxiliary classes.

  • Supervisor rights to the container object cn=DefaultNotificationCollection, cn=Security. This object persists email server settings used for automated provisioning emails. It can contain SecretStore credentials for authenticating to the email server itself.

  • Supervisor rights to the container object cn=Authorized Login Methods, cn=Security. During the Identity Applications installation, the SAML Assertion object is created in this container.

  • Ensure that you have Supervisor rights to the cn=Security container before you install the User Application. During the Identity Applications installation, the container cn=RBPMTrustedRootContainer is created under the cn=Security container.

    Alternatively, manually create the cn=RBPMTrustedRootContainer,cn=Security container (create an object called Trusted Root Container with object class NDSPKI:Trusted Root inside the Security container), and then assign Supervisor rights to that container.
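To check whether an account already holds the rights listed above, the following is an added example, not part of the NetIQ guide: it evaluates eDirectory ACL attribute values against that list. It assumes the ACL value syntax privileges#scope#trustee#protectedAttribute, with Supervisor as entry-right bit 16 and "subtree" as the inheritable scope, uses placeholder DNs, and ignores Inherited Rights Filters.

```python
# Added example, not from the NetIQ guide: check whether a trustee holds the
# Supervisor entry rights listed above, given eDirectory ACL attribute values.
# Assumed ACL syntax: privileges#scope#trusteeDN#protectedAttribute, Supervisor =
# bit 16 of [Entry Rights], scope "subtree" = inheritable. IRFs are ignored.
SUPERVISOR = 16

# Constructed sample ACLs keyed by object DN (placeholder DNs, not real data)
SAMPLE_ACLS = {
    "cn=driverset1,o=system": ["16#subtree#cn=uaadmin,ou=sa,o=data#[Entry Rights]"],
    "cn=DefaultNotificationCollection,cn=Security": [
        "16#entry#cn=uaadmin,ou=sa,o=data#[Entry Rights]"],
    "cn=Authorized Login Methods,cn=Security": ["2#entry#[Public]#objectClass"],
}

REQUIRED = [  # objects the guide lists; True = grant must be inheritable
    ("cn=UserApplication,cn=driverset1,o=system", True),
    ("cn=DefaultNotificationCollection,cn=Security", False),
    ("cn=Authorized Login Methods,cn=Security", False),
    ("cn=Security", False),
]

def parse_acl(value):
    privileges, scope, trustee, attr = value.split("#", 3)
    return {"privileges": int(privileges), "scope": scope, "trustee": trustee, "attr": attr}

def ancestors(dn):
    parts = dn.split(",")  # naive split: sample DNs contain no escaped commas
    return [",".join(parts[i:]) for i in range(1, len(parts))]

def supervisor_scope(acl_map, dn, trustee):
    """'subtree', 'entry' or None: strongest Supervisor entry grant effective on dn."""
    best = None
    for obj, inherited in [(dn, False)] + [(a, True) for a in ancestors(dn)]:
        for acl in (parse_acl(v) for v in acl_map.get(obj, [])):
            if acl["trustee"] != trustee or acl["attr"] != "[Entry Rights]":
                continue
            if not acl["privileges"] & SUPERVISOR or (inherited and acl["scope"] != "subtree"):
                continue
            if acl["scope"] == "subtree":
                return "subtree"
            best = "entry"  # explicit grant on the object itself, not inheritable
    return best

def missing_rights(acl_map, trustee):
    """Required objects on which trustee lacks the rights the guide calls for."""
    return [dn for dn, inheritable in REQUIRED
            if (s := supervisor_scope(acl_map, dn, trustee)) is None
            or (inheritable and s != "subtree")]
```

With the constructed sample, the trustee is covered on the driver (via the inheritable grant on its driver set) and on the notification collection, but still lacks rights on cn=Authorized Login Methods and on cn=Security itself; adding one inheritable grant on cn=Security clears both.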

2.1.2 User Application Administrator

A user who has the rights to perform administrative tasks for the identity applications. This user has the following attributes:

  • Can manage Identity Manager, identity applications administration, and client settings.

  • Can use iManager to administer workflow tasks, such as enabling, disabling, or terminating in-process workflows.

  • Does not have any special privileges within the identity applications.

  • Does not need any special directory rights, because this account controls application-level access to the identity applications from the Dashboard. Although a User Application Administrator has the ability to customize the look and feel of the applications, the identity applications use the LDAP administrator credentials to write those customizations to the Identity Vault.

  • Can manage the password for this account.

    A feature of password self-service is password synchronization status. To enable the User Application Administrator to view the password synchronization status for other users (for troubleshooting or other reasons), you should create a PasswordManagement group and assign one or more users to this group. The members of this group are allowed to view the password synchronization status of other users. If you choose to create this group, it must:

    • Be named PasswordManagement.

    • Be granted rights in the Identity Vault. The group must have rights to read the eDirectory object attributes of the users whose password synchronization status its members need to view.

    IMPORTANT: NetIQ Self Service Password Reset (SSPR) is the default password management program for Identity Manager. For more information, see Managing Your Password in the NetIQ Identity Manager - User’s Guide to the Identity Applications.