9.1 About Security Configuration

The User Application assigns administrative tasks to Provisioning Application Administrators and User Application Administrators.

Table 9-1 Types of Administrator

This Role                                Can Perform
---------------------------------------  --------------------------------------------------------------------------------------------
User Application Administrator           Application administration tasks, in the Administration tab in the User Application.
Provisioning Application Administrator   Provisioning workflow management tasks, in the Requests and Approvals tab in the User Application.

You can assign these roles at installation and on the Security page on the Administration tab of the Identity Manager User Application. When you assign these roles at installation, IDM writes the assignments to the User Application configuration file, which is editable with the configupdate utility. However, when the WAR is deployed, the assignments are written to the User Application database. Thus, once you have started the JBoss Application Server for the first time after installation, you can no longer change these assignments with the configupdate utility; they must be changed from the Security page.

9.1.1 The User Application Administrator

The User Application Administrator performs administrative tasks for the Identity Manager User Application, using the Administration panel of the Identity Manager User Application. The User Application Administrator does not have provisioning administration rights, and is considered an ordinary user while using the Requests and Approvals panel. There can be more than one User Application Administrator.

One user must be assigned to the User Application Administrator role at installation. The User Application Administrator created during installation can administer everything in the User Application including the Provisioning system and can designate other users as User Application Administrators or Provisioning Application Administrators.

A user who is to be a User Application Administrator should typically be located under the user root container specified in the User Application’s LDAP configuration. This enables the user to log in simply by username (instead of requiring the fully distinguished name each time).

The user who is a User Application Administrator does not need special directory rights because this role controls application-level access.

NOTE: If necessary, a User Application Administrator can assign permission for one or more end users to see and access specific pages on the Administration tab. These permissions are assigned by using the Page Admin page on the Administration tab. (For details, see Section 6.0, Page Administration.)

9.1.2 The Provisioning Application Administrator

The Provisioning Application Administrator administers the Provisioning system and not the User Application. The Provisioning Application Administrator has rights and permissions for all functions (is essentially a “superuser”) within the Requests and Approvals panel.

A Provisioning Application Administrator is assigned at installation. Create at least one Provisioning Application Administrator as soon as possible after installation to keep your system secure. If no Provisioning Application Administrator is assigned, every logged-in user is treated as a Provisioning Application Administrator and therefore has full rights within the Requests and Approvals panel. This is not secure.

A Provisioning Application Administrator can assign other users to be Provisioning Application Administrators. However, that user must also be a User Application Administrator in order to access the provisioning administrator assignment page in the administration console.

You might prefer to locate a user who is to be a Provisioning Application Administrator under the user root container specified in the User Application’s LDAP configuration. This location enables the user to log in simply by username (instead of requiring the fully distinguished name each time).