2.6 Establishing a Security-Equivalent User

The driver must run with Security Equivalence to a user with sufficient rights. You can set the driver equivalent to ADMIN or a similar user. For stronger security, you can define a user with only the minimal rights necessary for the operations you want the driver to perform.

The driver user must be a trustee of the containers where synchronized users and groups reside, with the rights shown in Table 2-2. Inheritance must be set for [Entry Rights] and [All Attribute Rights].

Table 2-2 Base Container Rights Required by the Driver Security-Equivalent User

Operation

[Entry Rights]

[All Attribute Rights]

Subscriber notification of account changes (recommended minimum)

Browse

Compare and Read

Creating objects in the Identity Vault without group synchronization

Browse and Create

Compare and Read

Creating objects in the Identity Vault with group synchronization

Browse and Create

Compare, Read, and Write

Modifying objects in the Identity Vault

Browse

Compare, Read, and Write

Renaming objects in the Identity Vault

Browse and Rename

Compare and Read

Deleting objects from the Identity Vault

Browse and Erase

Compare, Read, and Write

Retrieving passwords from the Identity Vault

Browse and Supervisor

Compare and Read

Updating passwords in the Identity Vault

Browse and Supervisor

Compare, Read, and Write

If you do not set Supervisor for [Entry Rights], the driver cannot set passwords. If you do not want to set passwords, set the Subscribe setting for the User class nspmDistributionPassword attribute to Ignore in the filter to avoid superfluous error messages. For details about accessing and editing the filter, see the appropriate policy publication on the Identity Manager 3.6.1 Documentation Web site.

For complete information about rights, see the Novell® eDirectory™ Administration Guide.