CREATE USERS WITH THE SAME PRIVILEGES AS ETAADMIN AND DSAADMIN USERS
Article ID: 189433
Updated On:
Products
CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Identity Suite
Issue/Introduction
Customer asked how to create users with the same privileges as out of the box etaadmin and dsaadmin users.
This may be needed because of auditing requirements.
Environment
Release : 14.X
Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)
Resolution
'dsaadmin' user (cn=dsaadmin,ou=im,ou=ca,o=com) is defined as a super-user using CA Directory access controls.
Please see this document for details: CA Directory Access Controls
It is possible to have more than one super-user in one DSA (for instance by adding access control group), but this is not recommended because super-user is granted full level of access to the whole DIT served by the DSA.
Much better way is to configure an admin-user instead of a new super-user.
Using 'dsa' OS user you need to edit access control config file /opt/CA/Directory/dxserver/config/access/vapp-default.dxc
The above file contains settings for imadmin user to be an admin-user, just need to uncomment 'set admin-user' command in the file.
admin-user can be granted access to required sub-tree instead of a full tree, and also restricted set of permissions can be granted.
All above information is applicable to Virtual Appliance (vApp)
'etaadmin' user is a provisioning administrator.
The easiest way to create a new provisioning administrator is to duplicate etaadmin user using Provisioning Manager application.
To do that:
Please see this document for details: CA Directory Access Controls
It is possible to have more than one super-user in one DSA (for instance by adding access control group), but this is not recommended because super-user is granted full level of access to the whole DIT served by the DSA.
Much better way is to configure an admin-user instead of a new super-user.
Using 'dsa' OS user you need to edit access control config file /opt/CA/Directory/dxserver/config/access/vapp-default.dxc
The above file contains settings for imadmin user to be an admin-user, just need to uncomment 'set admin-user' command in the file.
admin-user can be granted access to required sub-tree instead of a full tree, and also restricted set of permissions can be granted.
All above information is applicable to Virtual Appliance (vApp)
'etaadmin' user is a provisioning administrator.
The easiest way to create a new provisioning administrator is to duplicate etaadmin user using Provisioning Manager application.
To do that:
- Login into IM Provisioning Manager as 'etaadmin' user
- Navigate Users->Search
- Select 'etaadmin' user and choose 'duplicate' from context menu (i.e. right-click menu)
- Provide username and password for the new administrator
Feedback
Yes
No
Powered by
