Security Equivalence means that one object is granted the same rights as another object. You can define and deploy security equivalence objects for drivers in the Identity Vault. For example, an Oracle database driver contains a policy that creates a user in an Identity Vault container every time a user is created in the database; if the driver lacks sufficient permissions on that container to create the user, the operation fails.
The driver must run with Security Equivalence to a user with sufficient rights. You can make the driver equivalent to Admin or a similar user. For stronger security, define a user with only the minimal rights needed for the operations you want the driver to perform. The driver user must be a trustee of the containers where synchronized users and groups reside, with the rights listed in Table 1-1. Inheritance must be set for both [Entry Rights] and [All Attribute Rights].
Table 1-1 Base Container Rights Required by the Driver Security-Equivalent User
Operation | [Entry Rights] | [All Attribute Rights]
---|---|---
Subscriber notification of account changes (recommended minimum) | Browse | Compare and Read
Creating objects in the Identity Vault without group synchronization | Browse and Create | Compare and Read
Creating objects in the Identity Vault with group synchronization | Browse and Create | Compare, Read, and Write
Modifying objects in the Identity Vault | Browse | Compare, Read, and Write
Renaming objects in the Identity Vault | Browse and Rename | Compare and Read
Deleting objects from the Identity Vault | Browse and Erase | Compare, Read, and Write
Retrieving passwords from the Identity Vault | Browse and Supervisor | Compare and Read
Updating passwords in the Identity Vault | Browse and Supervisor | Compare, Read, and Write
If you do not set Supervisor for [Entry Rights], the driver will not have rights to set passwords. If you do not want to set passwords, you can set the Subscribe setting for the User class nspmDistributionPassword attribute to Ignore in the filter to avoid error messages. For details about accessing and editing the filter, see the appropriate policy publication on the Identity Manager 4.0.2 Documentation Web site. For complete information about rights, see "Setting up Driver Security Equivalences" in the Designer 4.0.2 for Identity Manager 4.0.2 Administration Guide.
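The following is an added example, not part of the NetIQ documentation: a small least-privilege helper that turns the operations a driver performs into the minimal trustee rights from Table 1-1 and audits an existing assignment for missing rights, missing inheritance, and excess rights (for example, Supervisor on [Entry Rights] when the driver never touches passwords). The operation keys and the Trustee class are assumptions introduced here for illustration.

```python
# Added example (not from the NetIQ documentation): derive the minimal
# security-equivalent rights for a driver from Table 1-1 and audit a trustee.
from dataclasses import dataclass

# Rights per operation, transcribed from Table 1-1: (entry rights, attribute rights).
TABLE_1_1 = {
    "notify":             ({"Browse"},               {"Compare", "Read"}),
    "create":             ({"Browse", "Create"},     {"Compare", "Read"}),
    "create_with_groups": ({"Browse", "Create"},     {"Compare", "Read", "Write"}),
    "modify":             ({"Browse"},               {"Compare", "Read", "Write"}),
    "rename":             ({"Browse", "Rename"},     {"Compare", "Read"}),
    "delete":             ({"Browse", "Erase"},      {"Compare", "Read", "Write"}),
    "read_password":      ({"Browse", "Supervisor"}, {"Compare", "Read"}),
    "set_password":       ({"Browse", "Supervisor"}, {"Compare", "Read", "Write"}),
}

@dataclass
class Trustee:
    """Hypothetical representation of one trustee assignment on a base container."""
    entry: set      # [Entry Rights]
    attrs: set      # [All Attribute Rights]
    inherit: bool = True   # the page requires inheritance on both right types

def required_rights(operations):
    """Union of the rights needed for the given driver operations (least privilege)."""
    entry, attrs = set(), set()
    for op in operations:
        e, a = TABLE_1_1[op]
        entry |= e
        attrs |= a
    return Trustee(entry, attrs)

def audit(granted, operations):
    """Report gaps and excess in a trustee assignment against what the operations need."""
    need = required_rights(operations)
    findings = []
    if not granted.inherit:
        findings.append("inheritance not set; rights stop at the container")
    for m in sorted(need.entry - granted.entry):
        findings.append(f"missing [Entry Rights] {m}")
    for m in sorted(need.attrs - granted.attrs):
        findings.append(f"missing [All Attribute Rights] {m}")
    for x in sorted(granted.entry - need.entry):
        findings.append(f"excess [Entry Rights] {x}")
    for x in sorted(granted.attrs - need.attrs):
        findings.append(f"excess [All Attribute Rights] {x}")
    return findings
```

An empty findings list means the trustee holds exactly the rights Table 1-1 calls for; an "excess [Entry Rights] Supervisor" finding on a driver that never synchronizes passwords is the case where setting the nspmDistributionPassword filter to Ignore is the safer choice.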