A Forum reader recently asked:
"We are planning to change the password of Admin user in eDir tree. Before that I wanted to confirm the services which depends on admin password. I know that IDM driver configuration is one place where I will have to add the new admin password. Is there any other applications which requires admin password to run?"
And here is the response from Aaron Burgemeister ...
This may be a good time to make a plug about restricting the permissions given to IDM at this point. If you use the original admin account for everything under the sun, now is the time to stop and instead use another account or object in the tree with appropriate permissions.
For example, are you really creating/modifying objects at the root of the tree, or are you doing it from an Organization or Domain high up in the tree? If the latter (likely), then create an object with those rights specifically that you need and use it. In the last couple years, aside from services needing to physically sign into the tree (UserApp admin), I have used Organizational Roles exclusively and created one per driver.
Each driver gets its rights from that object, and that object is given the rights that the driver specifically needs. If a bad policy is written to do something unexpected, then errors show up fairly quickly because of a lack of rights. If I ever decide to delete my current admin user and create a new one hidden somewhere else, it doesn't matter - because all rights are done through objects dedicated to the drivers themselves. Passwords for accounts are no longer given to IDM folks because there is no account with which to log in (Org Roles don't log in ... they have no passwords) so there is no way for the account to be compromised because of the sharing of credentials.
Keep in mind that IDM links multiple environments, so a foul-up in one environment can lead to the same change in another if things are not configured properly. Security is all about a layered defense, and rights management is one of the easiest to do with IDM. It only takes one more step than you've already done if you are using 'admin' for everything.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.