Users must have a specific set of rights in the Identity Vault and specific role assignments in the Roles Based Provisioning Module to use the Role Mapping Administrator.
The best practice is to create a user that is used for administration of the Role Mapping Administrator. All other users that use the Role Mapping Administrator should have their rights limited to match their job duties.
An administrative user needs the following minimal rights to use the Role Mapping Administrator:
Browse entry rights so they can select objects in the configuration panel of the Role Mapping Administrator. For example the Root User Container, Driver Discover DN, and the User Application driver DN.
Browse entry and read rights on the users contained within the Root User container defined in the configuration panel of the Role Mapping Administrator. The list of potential role owners is derived by these rights.
Browse entry rights on the active Driver Set object that is located under the Driver Discovery DN as defined in the Role Mapping Administrator configuration panel.
Inherited browse rights and read attribute rights on the drivers that participate in role mapping. The Role Mapping Administrator needs access to the entitlements and entitlement configuration objects that are contained within the drivers that participate in role mapping.
Inherited browse entry and read attribute rights on the User Application driver. The Role Mapping Administrator needs access to DAL category definitions, role configuration objects, and role definition containers.
Inheritable supervisor rights to the roleDefs.RoleConfig.AppConfig container within the UAD. All role adds, modifies, and deletes are done with these rights. Rights can be pared down as needed.
You can make these assignments to specific users or you can make the assignments to a group or a container, then assign users to the group or add users to the container.
Log in to iManager as an administrative user for your Identity Vault.
Select
in the toolbar, then browse to and select the user, group, or container you want to assign rights to.Select the object, then click
> .Add the rights as defined above, then click
to save the changes.The administration or configuration users must be members of the Role Manager role or the Role Module Administrator role in the Roles Based Provisioning Module. You can make these role assignments to specific users or you can make the assignments to a group or a container, then assign users to the group or add users to the container.
Log in to the Roles Based Provisioning Module as an administration user.
Click
> .Select
, , or to make the role assignment.Search for the user, group, or container, then select the desired object.
Click
.Fill in the following fields:
Initial Request Description: Specify a reason for requesting the role.
Select Roles: Search for the
role and the role, select the roles, then click .Effective Date: (Optional) Specify a date this assignment is effective.
Expiration Date: (Optional) Select whether there is an expiration date for this assignment.
Click
to make the assignments.A user should be only granted the minimal rights required to fulfill their job duties. You can restrict rights by restricting the rights to the roles the user is assigned to and restricting their rights in the Identity Vault as well. The extension for SAP environments solutions guide contains a solution specific to this scenario. For more information, see Managing Roles
in the Novell Compliance Management Platform Extension for SAP Environments 1.0 Solutions Guide.