The Identity Vault Administrator is a user who has rights to configure the Identity Vault. This is a logical role that can be shared with other administrative user types.
The Identity Vault Administrator needs the following rights:
Supervisor rights to the User Application driver and all the objects it contains. You can accomplish this by setting the rights at the driver container level and making them inheritable.
Supervisor Entry rights to any of the users that are defined through the directory abstraction layer user entity definition. This should include Write attribute rights to objectClass and any of the attributes associated with the DirXML-EntitlementRecipient, srvprvEntityAux and srvprvUserAux auxiliary classes.
Supervisor rights to the container object cn=DefaultNotificationCollection, cn=Security. This object stores the email server settings used for automated provisioning emails. It can contain SecretStore credentials for authenticating to the email server itself.
Supervisor rights to the container object cn=Authorized Login Methods, cn=Security. During the User Application installation the SAML Assertion object is created in this container.
Ensure that you have supervisor rights to the cn=Security container before you install the User Application. During the User Application installation, the container cn=RBPMTrustedRootContainer is created under the cn=Security container.
Alternatively, manually create the cn=RBPMTrustedRootContainer,cn=Security container (create an object called Trusted Root Container with object class NDSPKI:Trusted Root inside the Security container), and then assign supervisor rights to the container.
You must manually create a User Application Administrator account in the Identity Vault for the Roles Based Provisioning Module to install correctly. The User Application Administrator account must be a trustee of the top container and must have Supervisor rights to the container.
When you create the User Application Administrator account, you must assign a password policy to this new user account. For more information, see Creating Password Policies in the Password Management Administration Guide.
To create the permissions for the User Application Administrator account, you must create an LDAP Data Interchange Format (LDIF) file specific to your environment. Use the following example LDIF for reference.
dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 1#subtree#[Root]#[Entry Rights]

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#description

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#directReports

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#mail

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#manager

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#photo

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#srvprvQueryList

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#srvprvUserPrefs

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#telephoneNumber

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 3#subtree#%%RBPM_USER_APP_CONTAINER_DN%%#title

dn: %%RBPM_USER_APP_CONTAINER_DN%%
changetype: modify
add: ACL
ACL: 17#subtree#%%RBPM_USER_APP_ADMIN_DN%%#[Entry Rights]
ACL: 35#subtree#%%RBPM_USER_APP_ADMIN_DN%%#[All Attributes Rights]
NOTE: Copying the content as is might insert some hidden special characters in the file. If you receive an ldif_record() = 17 error message when you add these attributes to the Identity Vault, insert an extra space between the two DNs.
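The following script is an added example, not a NetIQ tool. It generates the same records as the LDIF template above with the two placeholders (%%RBPM_USER_APP_CONTAINER_DN%% and %%RBPM_USER_APP_ADMIN_DN%%) replaced by real DNs, then decodes each ACL value so you can review exactly which rights the file grants before applying it, and scans the result for the hidden characters the note above warns about. The decoding follows the eDirectory ACL value syntax privileges#scope#subject#protectedAttribute, where the numeric field is an entry-rights bitmask when the protected attribute is [Entry Rights] and an attribute-rights bitmask otherwise (so 17 is Supervisor + Browse entry rights, 35 is Supervisor + Read + Compare on attributes, and 3 is Read + Compare). The DNs in the usage block are constructed for illustration.

```python
"""Build the User Application Administrator LDIF for one environment and
audit what it grants before it is applied to the Identity Vault.

Added example, not a NetIQ tool.  The records mirror the documentation's
template; the bitmask decoding follows the eDirectory ACL value syntax
privileges#scope#subject#protectedAttribute.
"""
import re

# eDirectory ACL privilege bits.  The same numeric field is read as entry
# rights when the protected attribute is [Entry Rights] and as attribute
# rights otherwise.
ENTRY_RIGHTS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename",
                16: "Supervisor", 64: "Inheritance Control"}
ATTR_RIGHTS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self",
               32: "Supervisor", 64: "Inheritance Control"}

# Attributes the template exposes read-only on the user container.
READ_ATTRS = ["description", "directReports", "mail", "manager", "photo",
              "srvprvQueryList", "srvprvUserPrefs", "telephoneNumber", "title"]

PLACEHOLDER = re.compile(r"%%[A-Z_]+%%")


def build_ldif(container_dn, admin_dn):
    """Emit the template's records with the two placeholders substituted."""
    records = []

    def record(dn, *acls):
        lines = [f"dn: {dn}", "changetype: modify", "add: ACL"]
        lines += [f"ACL: {acl}" for acl in acls]
        records.append("\n".join(lines))

    # [Root] (everyone) may browse entries under the user container.
    record(container_dn, "1#subtree#[Root]#[Entry Rights]")
    # Read + Compare (3) on selected attributes, the container as trustee.
    for attr in READ_ATTRS:
        record(container_dn, f"3#subtree#{container_dn}#{attr}")
    # The administrator: Supervisor + Browse entry rights (17) and
    # Supervisor + Read + Compare on all attributes (35), inherited.
    record(container_dn,
           f"17#subtree#{admin_dn}#[Entry Rights]",
           f"35#subtree#{admin_dn}#[All Attributes Rights]")
    return "\n\n".join(records) + "\n"


def decode_privileges(bits, protected):
    """Translate the bitmask into right names, ordered by bit value."""
    table = ENTRY_RIGHTS if protected == "[Entry Rights]" else ATTR_RIGHTS
    return [name for bit, name in sorted(table.items()) if bits & bit]


def parse_acl(value):
    priv, scope, subject, protected = value.split("#", 3)
    return {"privileges": int(priv), "scope": scope, "subject": subject,
            "protected": protected,
            "rights": decode_privileges(int(priv), protected)}


def has_unresolved_placeholders(text):
    return PLACEHOLDER.search(text) is not None


def audit_ldif(text):
    """Return (dn, parsed ACL) for every ACL value in the file."""
    if has_unresolved_placeholders(text):
        raise ValueError("LDIF still contains %%...%% placeholders")
    grants, dn = [], None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("ACL: "):
            grants.append((dn, parse_acl(line[5:])))
    return grants


def supervisor_grants(grants):
    """The grants worth a second look: anything carrying Supervisor."""
    return [(dn, g["subject"], g["protected"])
            for dn, g in grants if "Supervisor" in g["rights"]]


def hidden_characters(text):
    """Locate non-ASCII or control characters (tab excepted) that a
    copy-paste can smuggle into the file, the likely cause of the
    ldif_record() = 17 error mentioned in the note."""
    hits = []
    for row, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) > 126 or (ord(ch) < 32 and ch != "\t"):
                hits.append((row, col, f"U+{ord(ch):04X}"))
    return hits


if __name__ == "__main__":
    # Constructed DNs for illustration; replace with your tree's values.
    ldif = build_ldif("ou=users,o=data", "cn=uaadmin,ou=sa,o=data")
    print(ldif)
    for dn, g in audit_ldif(ldif):
        print(f"{dn}: {g['subject']} -> {'+'.join(g['rights'])} "
              f"on {g['protected']} ({g['scope']})")
    print("supervisor grants:", supervisor_grants(audit_ldif(ldif)))
    print("hidden characters:", hidden_characters(ldif))
```

Run it, save the printed LDIF to a file, and confirm that the only Supervisor grants reported are the two for the User Application Administrator DN and that the hidden-character scan is empty before you feed the file to ldapmodify or iManager.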