Administering Rights for Identity Manager

0 Likes
over 13 years ago

Problem



A Forum reader recently asked:

"We are planning to change the password of Admin user in eDir tree. Before that I wanted to confirm the services which depends on admin password. I know that IDM driver configuration is one place where I will have to add the new admin password. Is there any other applications which requires admin password to run?"

And here is the response from Aaron Burgemeister ...

Solution



This may be a good time to make a plug about restricting the permissions given to IDM at this point. If you use the original admin account for everything under the sun, now is the time to stop and instead use another account or object in the tree with appropriate permissions.

For example, are you really creating/modifying objects at the root of the tree, or are you doing it from an Organization or Domain high up in the tree? If the latter (likely), then create an object with those rights specifically that you need and use it. In the last couple years, aside from services needing to physically sign into the tree (UserApp admin), I have used Organizational Roles exclusively and created one per driver.

Each driver gets its rights from that object, and that object is given the rights that the driver specifically needs. If a bad policy is written to do something unexpected, then errors show up fairly quickly because of a lack of rights. If I ever decide to delete my current admin user and create a new one hidden somewhere else, it doesn't matter - because all rights are done through objects dedicated to the drivers themselves. Passwords for accounts are no longer given to IDM folks because there is no account with which to log in (Org Roles don't log in ... they have no passwords) so there is no way for the account to be compromised because of the sharing of credentials.

Keep in mind that IDM links multiple environments, so a foul-up in one environment can lead to the same change in another if things are not configured properly. Security is all about a layered defense, and rights management is one of the easiest to do with IDM. It only takes one more step than you've already done if you are using 'admin' for everything.

Labels:

How To-Best Practice
Comment List
Anonymous
Related Discussions
Recommended