To create and configure the configuration objects and job for quick onboarding of identity, resources, and permission assignments, the new policies use two administrative accounts: the Administrative user for the Identity Vault and a Resource Administrator for the User Application:
Identity Manager Driver Administrator: Set this administrative user in the driver’s Security Equivalence attribute when you deploy the driver. The policies use the user specified by the Security Equivalence attribute. This user needs the rights to create and modify the driver policy objects and to execute the job, which is part of the driver package.
User Application Resource Administrator: This administrative user performs the following tasks:
Creates resource objects
Triggers cache flush and entitlement refresh actions
Assigns and revokes resource assignments
For the User Application Administrator user, we recommend you create a new user. For example, you can create the new user ResourceAdmin,OU=sa,O=data and configure the following rights for this user in the User Application:
Assign Role, Resource Creation, and Assignment Rights: Click > , select and assign the following rights to the user:
Provisioning: Select .
Resource: Select .
Role: Select .
NOTE: You need to assign each set of Domain permissions separately for the user.
Assign Application Cache Refresh Rights: In the User Application, click > , then add the user to the list.
NOTE: This user account is also used to filter the duplicate entitlement events occurring on the Subscriber channel as a result of auto-reconciliation of resource assignments.