7.3 Changing the Default Administrator Assignments after Installation

The following administrative accounts are assigned during the initialization of the User Application:

  • Compliance Administrator

  • Provisioning Administrator

  • RBPM Configuration Administrator

  • Resource Administrator

  • Roles Administrator

  • Security Administrator

Modifying the mappings for these administrative accounts in the configupdate utility after the installation and initialization process will not work in this release. The check for assigning the administrative roles happens only once. At this time, a property is set that keeps track of when these roles were assigned.

NOTE:To modify the default administrator assignments for the User Application, you must first edit the configupdate.sh or configupdate.bat file and change the -edit_admin property to true. You can then use configupdate to modify the default assignments.

If you want to modify the default assignments for the administrative roles without deleting the Driver (which would cause all role assignments to be removed), you need to perform one of the following actions:

7.3.1 Granting or Removing Assignments in the User Application

To grant or remove the role assignment through the User Application:

  1. Log in to the User Application as the Security Administrator.

  2. Go to the Roles Catalog on the Roles and Resources tab.

  3. Select the administrative role you want to change (for example, the Provisioning Administrator).

  4. Select Edit.

  5. Select the Assignments tab.

  6. If you want to remove the current assigned user, then select the user and press the Remove link.

  7. To add a user, press the assign button where you will need to provide a description and the user to assign the role to and the press the Assign button.

7.3.2 Changing the Assignments in Configupdate Utility

To change any or all of the administrative assignments using Configupdate utility:

  1. Stop the Application Server that the User Application WAR is deployed on.

  2. Stop the User Application driver.

  3. Stop the Role and Resource Service Driver.

  4. Launch the configupdate utility.

  5. Change the mappings for the administrative roles outlined above as required.

  6. Click Show Advanced Options.

  7. In Miscellaneous, check Reinitialize RBPM Security and click OK.

  8. (Conditional) To remove the existing (default) users that have been granted the role assignment. Log in to iManager and remove the user from the role, then the role from the user.

  9. Restart the User Application.

  10. Restart the User Application driver.

  11. Restart the Role and Resource Service Driver.

  12. Access the User Application and in the logs you will see the administrative roles will be issued.

7.3.3 Changing the Default Administrator Assignments without an Administrator Account

The default administrator assignment settings are established at the time you initialize the User Application driver. After the driver has been initialized, you can change the default settings on the Administrator Assignments page, as long as your admin user account still exists. If the account has been deleted, deactivated, or moved to a different location, you will not be able to log in to make the new assignments. In this case, you need to reset the values in the configupdate utility or delete the initialization property in the User Application driver.

To change the administrator assignment values in the configupdate utility. See, Changing the Assignments in Configupdate Utility.

Alternatively, you can delete the initialization parameter in the User Application driver using iManager:

  1. Log in to iManager.

  2. In Objects tab, browse to Driver Set > User Application Driver > AppConfig > AppDefs and select Configuration.

  3. In General tab, open XMLData.

  4. Find and remove the </property> tag that contains the following </key> tag.

    <key>com.novell.idm.security.domain-admin.initialized</key>

    For example:

    <property>
            <key>com.novell.idm.security.domain-admin.initialized</key>
            <value>20090831124642Z</value>
    </property>
  5. Click OK.

  6. Restart the User Application driver and the Role and Resource Service driver.

  7. Restart the Identity Applications.