
CREATE USERS WITH THE SAME PRIVILEGES AS ETAADMIN AND DSAADMIN USERS


Article ID: 189433


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

A customer asked how to create users with the same privileges as the out-of-the-box etaadmin and dsaadmin users.
This may be needed because of auditing requirements.

Environment

Release : 14.X

Component : CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

The 'dsaadmin' user (cn=dsaadmin,ou=im,ou=ca,o=com) is defined as a super-user through CA Directory access controls.
See this document for details: CA Directory Access Controls
It is possible to have more than one super-user in one DSA (for instance, by adding an access control group), but this is not recommended because a super-user is granted full access to the whole DIT served by the DSA.
A much better approach is to configure an admin-user instead of a new super-user.
As the 'dsa' OS user, edit the access control configuration file /opt/CA/Directory/dxserver/config/access/vapp-default.dxc
This file already contains the settings that make the imadmin user an admin-user; you only need to uncomment the 'set admin-user' command in the file.
An admin-user can be granted access to only the required sub-tree instead of the full tree, and can also be granted a restricted set of permissions.
All of the above applies to the Virtual Appliance (vApp).

The 'etaadmin' user is a provisioning administrator.
The easiest way to create a new provisioning administrator is to duplicate the etaadmin user using the Provisioning Manager application.
To do that:
  • Log in to IM Provisioning Manager as the 'etaadmin' user
  • Navigate to Users->Search
  • Select the 'etaadmin' user and choose 'duplicate' from the context menu (i.e. the right-click menu)
  • Provide a username and password for the new administrator