20.4 Setting Up Administrative User Accounts

The new policies create and configure the configuration objects and the job used for quick onboarding of identities, resources, and permission assignments. To do this they use two administrative accounts: an administrative user for the Identity Vault and a Resource Administrator for the User Application:

  • Identity Manager Driver Administrator: Set this administrative user in the driver’s Security Equivalence attribute when you deploy the driver. The policies run with the rights of the user named in that attribute, so this user needs the rights to create and modify the driver policy objects and to execute the PermissionOnboarding job that is part of the driver package. Because security equivalence grants the driver every right the named user holds, use a dedicated account that has only these rights rather than a tree-wide administrator.

  • User Application Resource Administrator: This administrative user performs the following tasks:

    • Creates resource objects

    • Triggers cache flush and entitlement refresh actions

    • Assigns and revokes resource assignments
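The driver account's rights come entirely from the object named in the driver's Security Equivalence attribute, so after deployment it is worth confirming that the driver object is equivalent to the dedicated driver administrator and to nothing broader. The following Python script is an added example and is not part of the NetIQ documentation or product. It parses an LDIF export of the driver object (as produced by ldapsearch against the Identity Vault, where the attribute's LDAP name is securityEquals) and reports the expected equivalence missing, any equivalence to a known over-privileged object, and any other equivalence that should be reviewed. The DNs, the LDIF text, and the function names are constructed for this example.

```python
"""Audit an Identity Manager driver's Security Equals (LDAP name of the
Security Equivalence attribute) against a least-privilege expectation.

Added example, not NetIQ code. DNs and LDIF below are constructed; a real
export would come from something like:
  ldapsearch -x -H ldaps://idvault.example.com -D "<admin dn>" -W \
      -b "cn=User Application Driver,cn=driverset1,o=system" -s base securityEquals
"""
from typing import Dict, Iterable, List

LdifEntries = Dict[str, Dict[str, List[str]]]

# Constructed DNs for the example tree.
DRIVER_DN = "cn=User Application Driver,cn=driverset1,o=system"
DRIVER_ADMIN_DN = "cn=DriverAdmin,ou=sa,o=data"      # dedicated driver admin
TREE_ADMIN_DN = "cn=admin,o=system"                  # must never be used here


def parse_ldif(text: str) -> LdifEntries:
    """Minimal LDIF parser: entries keyed by lower-cased DN, attribute values
    as lists keyed by lower-cased attribute name. Folded lines (leading space)
    are joined; comments, base64 (::) and URL (:<) values are skipped, which
    is fine for the plain DN values checked here."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: LdifEntries = {}
    attrs: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in attrs:
                entries[attrs["dn"][0].lower()] = attrs
            attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith(":") or value.startswith("<"):
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def audit_security_equals(entries: LdifEntries, driver_dn: str,
                          expected_admin_dn: str,
                          overprivileged_dns: Iterable[str] = ()) -> List[str]:
    """Return findings for the driver object; an empty list means the driver
    is security equivalent to exactly the expected administrator."""
    findings: List[str] = []
    driver = entries.get(driver_dn.lower())
    if driver is None:
        return [f"driver object not in export: {driver_dn}"]

    equals = {dn.lower() for dn in driver.get("securityequals", [])}
    expected = expected_admin_dn.lower()
    forbidden = {dn.lower() for dn in overprivileged_dns}

    if expected not in equals:
        findings.append(f"driver is not security equivalent to {expected_admin_dn}")
    for dn in sorted(equals):
        if dn == expected:
            continue
        if dn in forbidden:
            findings.append(f"driver is security equivalent to over-privileged object {dn}")
        else:
            # Group memberships also appear in Security Equals; confirm each is intended.
            findings.append(f"review extra security equivalence: {dn}")
    return findings


# Constructed sample exports (not from a real tree).
SAMPLE_OK = """\
# constructed sample export
dn: cn=User Application Driver,cn=driverset1,o=system
objectClass: DirXML-Driver
securityEquals: cn=DriverAdmin,ou=sa,o=data

dn: cn=DriverAdmin,ou=sa,o=data
objectClass: inetOrgPerson
cn: DriverAdmin
"""

SAMPLE_BAD = """\
dn: cn=User Application Driver,cn=driverset1,o=system
objectClass: DirXML-Driver
securityEquals: cn=admin,o=system
securityEquals: cn=IDMOperators,ou=groups,o=data
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        result = audit_security_equals(parse_ldif(sample), DRIVER_DN,
                                       DRIVER_ADMIN_DN, [TREE_ADMIN_DN])
        print(label, result or "no findings")
```

Run it against your own export by replacing the sample strings with the ldapsearch output; the parser deliberately ignores base64-encoded values, so a DN containing non-ASCII characters would need to be decoded first.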

For the User Application Resource Administrator, NetIQ recommends that you create a new, dedicated user. For example, you can create the user ResourceAdmin,OU=sa,O=data and grant it the following rights in the User Application:

  • Assign Role, Resource Creation, and Assignment Rights: In the User Application, click Administration > RBPM Provisioning and Security > Administrator Assignments > Assign System Role Administrator, select Domain, and grant the user all three of the following permission sets:

    • Provisioning: Select All Permissions.

    • Resource: Select All Permissions.

    • Role: Select All Permissions.

    NOTE: Each Domain (Provisioning, Resource, and Role) is a separate assignment; you need to repeat the assignment once per domain for this user.

  • Assign Application Cache Refresh Rights: In the User Application, click Administration > Application Configuration > User Application Administrator Assignment, then add the user to the Current Assignments list.

    NOTE: The driver also uses this user account to filter the duplicate entitlement events that appear on the Subscriber channel when resource assignments are auto-reconciled.