Make sure that you secure access to Identity Vaults and to Identity Manager objects.
Physical Security: Protect access to the physical location of the servers where an Identity Vault is installed.
File System Access: The security of the file system for Identity Manager is critical to ensuring the security of the system as a whole. Verify that the directories containing eDirectory, the Metadirectory engine, and the Remote Loader are accessible only to the appropriate administrators.
There is an issue with the file system when the Remote Loader is installed on a Windows 2000 server. For more information, see TID 3243550, Securing a Remote Loader Install on a Microsoft Windows 2000 Server.
Access Rights: Identity Manager requires Administrative rights to create Identity Manager objects and configure drivers. Monitor and control who has rights to create or modify the following:
An Identity Manager driver set
An Identity Manager driver
Driver configuration objects (filters, style sheets, policies), especially policies that are used for password retrieval or synchronization
Password policy objects (and the iManager task for editing them), because they control which passwords are synchronized to each other, and which Password Self-Service options are used
In addition to the eDirectory standard object-based access controls, Identity Manager lets you assign trustee rights to perform only certain tasks on an Identity Manager driver, rather than just granting full Supervisor rights to the driver object. For example, you can assign trustee rights so that one user can only configure the driver object (create and modify object properties), while another user can only start and stop the driver.
Identity Manager provides the following driver object attributes that enable role-based access:
|
Attribute |
Description |
|---|---|
|
DirXML-AccessRun |
Start and stop Identity Manager drivers and jobs |
|
DirXML-AccessMigrate |
Manage migration operations into the Identity Vault |
|
DirXML-AccessSubmitCommand |
Manage the driver’s pass-through commands |
|
DirXML-AccessCheckObjectPassword |
Manage the driver’s check object password commands |
|
DirXML-AccessConfigure |
Manage the driver’s configuration and job configuration |
|
DirXML-AccessManage |
View and modify the driver’s cache file contents |
Setting trustee rights to these attributes grants access to the associated Identity Manager verbs and sub-verbs. Read access lets users view state (get verb state), and Write access lets users modify or change state (set verb state.) For example, granting Read access to a driver object’s DirXML-AccessRun attribute lets the user get the driver state (started or stopped.) Granting Write access lets the user set the driver state (change from started to stopped, or vice versa.)
The goal of providing this attribute-based access to driver tasks is to let you create well-defined administrative roles, perhaps using the eDirectory Administrative Role object, that let users perform certain management tasks without exposing all management functionality. Creating these roles can go beyond providing access to the DirXML-Access attributes described above and can include access rights to other attributes, as well as access to other Identity Manager objects. The following examples demonstrate the flexibility available for creating administrative roles:
Start/Stop Driver Admin: This administrative role lets the assigned user start and stop all drivers in a given driver set. It requires the following access rights:
Browse rights to the Driver Set object
Read and Write access, with inheritance, to the DirXML-AccessRun attribute of the Driver Set object
Driver Admin: This administrative role lets the assigned user manage a single Driver object. It requires the following access rights:
Browse and Create rights to the Driver object
Read and Write access to [All Attribute Rights] in the Driver object
NOTE:Make sure the rights are inherited so the driver Admin can also manage the driver’s policy objects.
Information about using iManager to grant eDirectory access rights is available in the iManager Administration Guide.