The Identity Manager Service user account (service account) for synchronizing an Active Directory environment requires the following access rights to the synchronization base object:
- Membership in the Active Directory group “Domain administrators”
Because of the Active Directory structure, in a hierarchical domain structure the Identity Manager Service user account in a subdomain should also be a member of the group “Enterprise Admins”.
Necessary Access Rights Explained
For complete synchronization of Active Directory objects as defined by the configuration supplied in Identity Manager, the service account must have read-write access through the Active Directory service to every type of object. Furthermore, because essential properties of a user account in Active Directory are stored partly as entries in the Discretionary Access Control List (DACL), the service account must also be able to modify the DACL, for example “UserCanNotChangePassword” for a user account or “AllowWriteMembers” for a group. Modifying a DACL requires a wide range of permissions.
If a user account that does not have “full control” access to the corresponding Active Directory object is used to modify a DACL, the changes are only accepted under the following conditions:
- The user account is the object owner.
- The user account is a member of the same primary group as the object owner. This is normally the group “Domain administrators”.
Otherwise the modifications are rejected. If “Take Ownership” access is assigned to the user account, it is possible to take ownership of the object and thereby change the DACL. However, this falsifies the permission state of the Active Directory object and is not recommended.
A reasonable minimal configuration for the synchronization user account cannot, therefore, be recommended, because in terms of permissions it would not differ from a member of the group “Domain administrators”.
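The following PowerShell audit is an added example, not part of the Identity Manager documentation: it reports whether the synchronization service account holds the admin group memberships, ownership, and DACL-rewriting rights discussed above on the synchronization base object, so the permission state can be verified rather than assumed. The account name and base object DN are placeholders.

```powershell
# Added example (not from the One Identity Manager documentation): audit what the
# synchronization service account actually holds on the synchronization base object.
# The account name and DN below are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-oim-sync'                    # placeholder
$BaseObjectDN   = 'OU=Sync,DC=corp,DC=example'      # placeholder

$acct = Get-ADUser -Identity $ServiceAccount
# Resolve nested group membership (LDAP_MATCHING_RULE_IN_CHAIN): an ACE granted to
# any of these groups applies to the account exactly like a directly assigned ACE.
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($acct.DistinguishedName))"
$principalSids = @($acct.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })

# Well-known RIDs: 512 = Domain Admins, 519 = Enterprise Admins.
$isDomainAdmin     = [bool]($principalSids | Where-Object { $_ -like '*-512' })
$isEnterpriseAdmin = [bool]($principalSids | Where-Object { $_ -like '*-519' })

$acl      = Get-Acl -Path ("AD:\" + $BaseObjectDN)
$ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value

# Rights that allow rewriting the DACL or taking ownership. GenericAll contains
# both, so test the flag bits instead of matching the printed enum name.
$checks = @{
    WriteDacl  = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    WriteOwner = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
    GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
}
$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($sid -notin $principalSids) { continue }
    foreach ($name in $checks.Keys) {
        if (($ace.ActiveDirectoryRights -band $checks[$name]) -eq $checks[$name]) {
            [pscustomobject]@{ Right = $name; GrantedTo = $ace.IdentityReference.Value; Inherited = $ace.IsInherited }
        }
    }
}

# Summary: admin memberships, ownership, and whether the owner is a group the
# account belongs to (the "same primary group as the owner" case described above).
[pscustomobject]@{
    Account          = $acct.SamAccountName
    DomainAdmin      = $isDomainAdmin
    EnterpriseAdmin  = $isEnterpriseAdmin
    OwnsBaseObject   = ($ownerSid -eq $acct.SID.Value)
    OwnerGroupMember = ($ownerSid -in $principalSids)
} | Format-List
$findings | Sort-Object Right, GrantedTo -Unique | Format-Table -AutoSize
```

An empty findings table together with DomainAdmin and EnterpriseAdmin both false means the account cannot modify DACLs on that object, which is the read-only situation described in the next section.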
Tips for “Read Only” Access Rights
Basically, the part of the synchronization with Active Directory that loads Active Directory objects into the Identity Manager database also works when the access rights are read-only and no write access is available.
The following problems can occur:
- To incorporate a user account into a group that is not the user account’s primary group when only read-only access is available, the Identity Manager Service must have at least write access to the group object.
- An error condition can arise between the Identity Manager database and the Active Directory data when parts of Active Directory that are read-only are added or modified through the Identity Manager administration tools or by imported objects. These cases can be excluded by suitable menu navigation in the administration tools, by Identity Manager object access rights, and by taking appropriate precautions when importing.