1.9 Establishing a Security Equivalent User

Security equivalence means that one object holds the same rights as another object. You can define and deploy a security-equivalent user for a driver in the Identity Vault. For example, an Oracle database driver can carry a policy that creates a user in a container of the Identity Vault every time a user is created in the database; if the driver object itself does not have enough rights on that container to create the user, the operation fails.

The driver must therefore run with security equivalence to a user that has sufficient rights. You can make the driver security-equivalent to Admin or a similarly privileged user, but every operation the driver's policies perform then runs with those rights, so a mistake in a policy, or anyone who can edit the driver's policies, has Admin-level reach into the tree. For stronger security, define a dedicated user with only the rights required for the operations you want the driver to perform. The driver user must be a trustee of the containers in which synchronized users and groups reside, with the rights listed in Table 1-1, and inheritance must be set for both [Entry Rights] and [All Attribute Rights] so that the assignment applies to the objects below each container.

Table 1-1 Base Container Rights Required by the Driver Security-Equivalent User

Operation                                                             [Entry Rights]         [All Attribute Rights]
--------------------------------------------------------------------  ---------------------  ------------------------
Subscriber notification of account changes (recommended minimum)      Browse                 Compare and Read
Creating objects in the Identity Vault without group synchronization  Browse and Create      Compare and Read
Creating objects in the Identity Vault with group synchronization     Browse and Create      Compare, Read, and Write
Modifying objects in the Identity Vault                               Browse                 Compare, Read, and Write
Renaming objects in the Identity Vault                                Browse and Rename      Compare and Read
Deleting objects from the Identity Vault                              Browse and Erase       Compare, Read, and Write
Retrieving passwords from the Identity Vault                          Browse and Supervisor  Compare and Read
Updating passwords in the Identity Vault                              Browse and Supervisor  Compare, Read, and Write

If Supervisor is not set for [Entry Rights], the driver does not have rights to set passwords. If you do not want the driver to set passwords, set the Subscribe setting for the nspmDistributionPassword attribute of the User class to Ignore in the filter, so that password events are never sent to the driver and no error messages are generated. For details about accessing and editing the filter, see the appropriate policy publication on the Identity Manager 4.0.2 Documentation Web site. For complete information about rights, see "Setting up Driver Security Equivalences" in the Designer 4.0.2 for Identity Manager 4.0.2 Administration Guide.
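The rights in Table 1-1 correspond to values of the ACL attribute on the container that makes the driver user a trustee. The following Python script is an added example, not code from the Identity Manager documentation or product: it derives the ACL values a container needs for a chosen set of operations, emits them as an LDIF change record for ldapmodify, and audits an existing ACL list to report which rights the driver user still lacks for a given operation. It assumes eDirectory's LDAP ACL value format privileges#scope#subject#protectedAttribute and the privilege bit values documented for that attribute; the DNs and the sample ACL list are constructed for the example.

```python
"""Derive and audit eDirectory ACL values for a driver security-equivalent user.

Added example; not part of the Identity Manager documentation or product.
It encodes Table 1-1 in eDirectory's LDAP ACL attribute syntax,
    privileges#scope#subjectDN#protectedAttributeName
where privileges is a bitmask and a scope of "subtree" makes the assignment
inherited by subordinate objects (the inheritance Table 1-1 requires).
Bit values follow the eDirectory documentation of the ACL attribute; verify
them against your eDirectory version. All DNs below are hypothetical.
"""

# [Entry Rights] privilege bits (iManager labels Add "Create" and Delete "Erase").
ENTRY = {"Browse": 1, "Create": 2, "Erase": 4, "Rename": 8, "Supervisor": 16}
# [All Attribute Rights] privilege bits ("Self" is not needed by Table 1-1).
ATTR = {"Compare": 1, "Read": 2, "Write": 4, "Self": 8, "Supervisor": 32}
# Protected-attribute keywords as they appear inside ACL values.
ENTRY_RIGHTS = "[Entry Rights]"
ALL_ATTR_RIGHTS = "[All Attributes Rights]"

# Table 1-1: operation -> (required [Entry Rights], required [All Attribute Rights]).
TABLE_1_1 = {
    "subscriber notification": ({"Browse"}, {"Compare", "Read"}),
    "create without group sync": ({"Browse", "Create"}, {"Compare", "Read"}),
    "create with group sync": ({"Browse", "Create"}, {"Compare", "Read", "Write"}),
    "modify": ({"Browse"}, {"Compare", "Read", "Write"}),
    "rename": ({"Browse", "Rename"}, {"Compare", "Read"}),
    "delete": ({"Browse", "Erase"}, {"Compare", "Read", "Write"}),
    "retrieve password": ({"Browse", "Supervisor"}, {"Compare", "Read"}),
    "update password": ({"Browse", "Supervisor"}, {"Compare", "Read", "Write"}),
}


def acl_values(driver_dn, operations):
    """Return the two ACL values a container needs so driver_dn can perform every
    operation in `operations` (union of the Table 1-1 rows), with subtree scope."""
    entry, attr = set(), set()
    for op in operations:
        need_entry, need_attr = TABLE_1_1[op]
        entry |= need_entry
        attr |= need_attr
    entry_mask = sum(ENTRY[r] for r in entry)
    attr_mask = sum(ATTR[r] for r in attr)
    return [
        f"{entry_mask}#subtree#{driver_dn}#{ENTRY_RIGHTS}",
        f"{attr_mask}#subtree#{driver_dn}#{ALL_ATTR_RIGHTS}",
    ]


def ldif_add_acl(container_dn, values):
    """LDIF change record that adds the ACL values (the trustee assignment) to
    the container, for use with ldapmodify against eDirectory."""
    lines = [f"dn: {container_dn}", "changetype: modify", "add: ACL"]
    lines += [f"ACL: {v}" for v in values]
    return "\n".join(lines) + "\n"


def missing_rights(container_acl, driver_dn, operation):
    """Audit check: given the ACL values present on a container, list the rights
    driver_dn still lacks for `operation` according to Table 1-1.

    Only assignments made directly to driver_dn with subtree scope are counted;
    rights arriving from a higher container, a group membership or another
    security equivalence are not in this attribute and are therefore ignored.
    Supervisor on [Entry Rights] implies every entry and attribute right, and
    Supervisor on [All Attributes Rights] implies every attribute right.
    """
    granted_entry = granted_attr = 0
    for value in container_acl:
        privileges, scope, subject, protected = value.split("#", 3)
        if subject != driver_dn or scope != "subtree":
            continue
        if protected == ENTRY_RIGHTS:
            granted_entry |= int(privileges)
        elif protected == ALL_ATTR_RIGHTS:
            granted_attr |= int(privileges)

    entry_super = bool(granted_entry & ENTRY["Supervisor"])
    attr_super = entry_super or bool(granted_attr & ATTR["Supervisor"])
    need_entry, need_attr = TABLE_1_1[operation]
    missing = [f"{ENTRY_RIGHTS} {r}" for r in sorted(need_entry)
               if not (entry_super or granted_entry & ENTRY[r])]
    missing += [f"{ALL_ATTR_RIGHTS} {r}" for r in sorted(need_attr)
                if not (attr_super or granted_attr & ATTR[r])]
    return missing


# Hypothetical tree: the driver's security-equivalent user and a synchronized container.
DRIVER_DN = "cn=drv-oracle,ou=services,o=acme"
CONTAINER_DN = "ou=users,o=acme"

# Constructed sample of the container's ACL after granting only the
# "recommended minimum" row of Table 1-1 (Browse; Compare and Read).
MINIMUM_ACL = [
    f"1#subtree#{DRIVER_DN}#{ENTRY_RIGHTS}",
    f"3#subtree#{DRIVER_DN}#{ALL_ATTR_RIGHTS}",
]

if __name__ == "__main__":
    print(ldif_add_acl(CONTAINER_DN, acl_values(DRIVER_DN, ["create with group sync", "delete"])))
    print("missing for 'update password':", missing_rights(MINIMUM_ACL, DRIVER_DN, "update password"))
```

To audit a live container, read its ACL attribute with an LDAP search as an administrator, pass the returned values to missing_rights for each operation the driver performs, and repeat for every container that holds synchronized users or groups, because the check deliberately ignores rights the driver user may receive from parent containers or other equivalences. The audit also makes the password caveat concrete: a user granted only the recommended minimum is reported as lacking Supervisor on [Entry Rights] and Write on the attribute rights for the password operations.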