-
Title
Identity Manager Service Account Required Permissions -
Description
When configuring and setting up the various components of Identity Manager, oftentimes Active Directory Administrators are hesitant to grant any accounts associated with Identity Manager 'Domain Administrator' credentials.
-
Cause
Although some aspects of Identity Manager will work with a different set of permissions, in order to have full access for creating, changing and deleting groups, 'Domain Administrators' is absolutely a product configuration requirement for the service account. -
Resolution
Reviewing the Identity Management documentation under the section 'Identity Manager Service Access Rights Necessary for Synchronization with Active Directory' (Identity Management Administration Guide) it is clearly stated:
"The Identity Manager Service user account for synchronizing an Active Directory environment requires the following access rights to the synchronization base object: Members of the Active Directory group 'Domain Administrators' "
This set of permissions is necessary for complete synchronization of Active Directory objects as defined by the configuration supplied in Identity Manager. Furthermore, essential functionality of a user account in Active Directory is partially stored as an entry in the Discretionary Access Control List (DACL) and it is necessary to modify the DACL. For this and other reasons, a reasonable minimal configuration for the synchronization user account cannot be recommended for anything other then membership in the group 'Domain Administrators'.