12.0 Rights Needed by a Driver on Identity Vault Objects

An Identity Manager driver requires the following minimum rights to the Identity Vault objects:

  • Read rights to the attributes in the Subscriber channel filter. The driver needs these rights at least on the objects within the scope that it works with.

  • Read and Write rights to all objects and attributes in the Publisher filter for the scope of the objects that the driver works with. The driver must also have Read rights to the objects outside its scope so that matching rules work appropriately.

  • Read rights to passwords of objects in the driver scope to set passwords.

  • Read rights to the DirXML Script policy objects.

  • Read and Write rights to the driver object and the objects under it for updating the following attributes:

    • DirXML-DriverStorage attribute on the driver object (resides in the driver object and is regularly modified)

    • DirXML-State attribute (modified by the driver operation)

    • DirXML-StatusLog attribute (resides in driver, Publisher channel, and Subscriber channel objects)
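
The list above can be turned into a least-privilege check. The following is an added example, not code from the product documentation: it builds the minimum rights from a driver's filters and compares them with the rights actually granted. The filter contents, the grants, and the target labels ("scope", "outside-scope", "policies", "driver", "tree-root") are constructed for illustration, and the script does not call any Identity Vault API.

```python
# Least-privilege audit of a driver's rights against the minimum list above.
# All filters, grants and target labels below are constructed sample data.
DRIVER_ATTRS = ("DirXML-DriverStorage", "DirXML-State", "DirXML-StatusLog")

def required_rights(subscriber_filter, publisher_filter):
    """Return {(target, item): set of rights} for the documented minimum."""
    need = {}
    def grant(target, item, rights):
        # Union, so an attribute in both filters ends up with Read and Write.
        need.setdefault((target, item), set()).update(rights)
    for attr in subscriber_filter:
        grant("scope", attr, "R")
    for attr in publisher_filter:
        grant("scope", attr, "RW")
    grant("outside-scope", "objects", "R")      # needed by matching rules
    grant("scope", "password", "R")
    grant("policies", "DirXML Script policy objects", "R")
    for attr in DRIVER_ATTRS:
        grant("driver", attr, "RW")
    return need

def audit(need, granted):
    """Compare grants with the minimum; return (missing, excess) per key."""
    missing, excess = {}, {}
    for key in need.keys() | granted.keys():
        want, have = need.get(key, set()), set(granted.get(key, ""))
        if want - have:
            missing[key] = "".join(sorted(want - have))
        if have - want:
            excess[key] = "".join(sorted(have - want))
    return missing, excess

SUBSCRIBER_FILTER = ["Surname", "Given Name"]   # constructed
PUBLISHER_FILTER = ["Telephone Number"]         # constructed
GRANTED = {                                     # constructed grants under review
    ("scope", "Surname"): "RW",                 # Write is more than the minimum
    ("scope", "Given Name"): "R",
    ("scope", "Telephone Number"): "R",         # Publisher attribute lacks Write
    ("scope", "password"): "R",
    ("outside-scope", "objects"): "R",
    ("policies", "DirXML Script policy objects"): "R",
    ("driver", "DirXML-DriverStorage"): "RW",
    ("driver", "DirXML-State"): "RW",           # DirXML-StatusLog not granted
    ("tree-root", "all attributes"): "S",       # broad grant outside the list
}

if __name__ == "__main__":
    missing, excess = audit(required_rights(SUBSCRIBER_FILTER, PUBLISHER_FILTER), GRANTED)
    for label, found in (("MISSING", missing), ("EXCESS", excess)):
        for (target, item), rights in sorted(found.items()):
            print(f"{label:8}{target:14}{item:32}{rights}")
```

Missing entries are rights the driver needs and does not have; excess entries are grants beyond the documented minimum and are candidates for removal.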