1.2 Identity Vault Structure

The Identity Vault structure is predefined to suit most of your Identity Manager deployments.

Figure 1-1 Identity Vault Structure

Figure 1-1 depicts the Identity Vault structure for the Identity Manager. This structure is primarily useful for a single-environment installation. This is the default structure for small and medium Identity Manager deployments. Multi-tenant environments might have a slightly different structure. Also, you cannot organize large and distributed trees in this way. This type of tree structure is created when you create a new tree through the integrated installer.

Identity Manager 4.0 and later mostly uses organization containers, so that users, groups, and service admins are placed in the same container. You should use organizations if possible and use organizational units where it makes sense. The Identity Manager 4.0 and later structure is set up for scalability by having three main components:

1.2.1 Security

The security container is a special container created during the installation of the Identity Vault. It is designated as cn=security instead of dc, o, or ou. This container holds all security objects for the Identity Vault. For example, it contains the certificate authority and password policies.

1.2.2 Data

The data container holds groups, users, role admins, devices, and others. This is the data that makes up your system. The groups, users, and sa containers are organizational units. You can have additional organizational units to structure your data according to your organizational practices.


The Service Admins (ou=sa) container holds all user application administrator objects and service administrator accounts.

1.2.3 System

The system container is an organization. It designated as o=system. This container holds all of the technical and configuration information for your Identity Vault and for the Identity Manager system. The system container holds four main subcontainers:

  • sa or service admin users / super user / service accounts

  • servers

  • driver sets

  • services


The Service Admins container holds administrative objects for the Identity Vault and drivers. Only admin users can access the system subtree. The default Identity Vault admin is admin.sa.system.


The server objects have many different objects associated with them that must reside in the same container as the server object. As you add more servers into your tree, scrolling through all of those objects can become very cumbersome.

You should have all server objects under the servers.system container. However, an administrator can create individual server containers for each of the servers deployed in the environment. The name of the container is the name of the server object. All objects associated with the server (volumes, licenses, certificates) are in place and it is much easier to find the objects you need.

This structure is designed for scalability, so if you have 10 or 100 servers, it is easy to find the objects associated with a single server.

Driver Sets

Driver sets are created as a separate partition during the Metadirectory server configuration. All driver set objects are stored in the system container. Your Identity Manager 4.0.2 system can have multiple driver sets. This structure allows you to scale by adding more driver sets to the system container. Role-based services for iManager are also stored in the system container.