Administrative Roles

When configuring an administrative group member, the root administrator must explicitly assign an administrative role to the member.

The roles that can be assigned to an administrative member are given below:

  • Audit administrator (AuditAdmin) - Members of the administrative group who are assigned the Audit Administrator role have unrestricted access to:
    • Audit log
    • All other server logs
    • Default log management settings (cn=Default, cn=Log Management, cn=Configuration)
  • Directory Data Administrator (DirDataAdmin) - Members of the administrative group who are assigned this role gain unrestricted access to all entries in the RDBM back-end. When setting the password attribute of RDBM entries, however, they must still follow the password policy rules that are in effect.
  • No administrator (NoAdmin) - If the root administrator assigns the No Administrator role to a user defined in the configuration file, that user ceases to have any administrative privileges. By assigning this role, the root administrator can revoke all administrative privileges of an administrative group member.
  • Password administrator (PasswordAdmin) - Members of the administrative group who are assigned the Password Administrator role are authorized to unlock other users' accounts or change the passwords of users in the RDBM back-end. However, they are not authorized to change the passwords of Global Administrative Group Member accounts, although they can unlock those accounts. They are also not restrained by the password policy constraints that are set on the server. They can add and delete the userpassword attribute of entries in the RDBM back-end, but are not allowed to make changes to users defined in the configuration file. Changes made by users who are assigned this role are not affected by ACLs. However, when these users change their own password, the usual administration password policy rules apply to the new password.
  • Replication administrator (ReplicationAdmin) - Members of the administrative group who are assigned the Replication Administrator role are authorized to update replication topology objects. The changes made by members with this role are not affected by ACLs or any other configuration file settings.
  • Schema administrator (SchemaAdmin) - Members of the administrative group who are assigned the Schema Administrator role have unrestricted access to the schema back-end only.

The following table cross-references the extended operations that members holding each administrative role are allowed to issue.

| Extended operation | Description | OID | Audit Admin | Directory Data Admin | Replication Admin | Schema Admin | Password Admin | No Admin |
|---|---|---|---|---|---|---|---|---|
| Start TLS | Request to start Transport Layer Security. | 1.3.6.1.4.1.1466.20037 | Yes | Yes | Yes | Yes | Yes | Yes |
| Event Registration | Request registration for events in SecureWay® V3.2 Event support. | 1.3.18.0.2.12.1 | Yes | Yes | Yes | Yes | Yes | Yes |
| Event Unregister | Request to unregister events that were registered using an Event Registration request. | 1.3.18.0.2.12.3 | Yes | Yes | Yes | Yes | Yes | Yes |
| Begin Transaction | Begin a transactional context for SecureWay V3.2. | 1.3.18.0.2.12.5 | Yes | Yes | Yes | Yes | Yes | Yes |
| End Transaction | End a transactional context (commit/rollback) for SecureWay V3.2. | 1.3.18.0.2.12.6 | Yes | Yes | Yes | Yes | Yes | Yes |
| Cascading Control Replication | Performs the requested action on the server it is issued to and cascades the call to all consumers beneath it in the replication topology. | 1.3.18.0.2.12.15 | No | Yes | Yes | No | No | No |
| Control Replication | Forces immediate replication, or suspends or resumes replication by a supplier. Allowed only when the client has update authority to the replication agreement. | 1.3.18.0.2.12.16 | No | Yes | Yes | No | No | No |
| Control Replication Queue | Marks items as "already replicated" for a specified agreement. Allowed only when the client has update authority to the replication agreement. | 1.3.18.0.2.12.17 | No | Yes | Yes | No | No | No |
| Quiesce or Unquiesce Server | Puts the subtree into a state where it does not accept client updates (or ends that state), except for updates from clients authenticated as directory administrators where the Server Administration control is present. | 1.3.18.0.2.12.19 | No | Yes | Yes | No | No | No |
| Clear Log Request | Request to clear a log file. | 1.3.18.0.2.12.20 | Yes | No | No | No | No | No |
| Get Lines Request | Request to get lines from a log file. | 1.3.18.0.2.12.22 | Yes | Yes | Yes | Yes | Yes | No |
| Number of Lines Request | Request the number of lines in a log file. | 1.3.18.0.2.12.24 | Yes | Yes | Yes | Yes | Yes | No |
| Update Configuration Request | Request to update the server configuration for IBM Directory Server. | 1.3.18.0.2.12.28 | Yes | No | Yes | No | No | No |
| DN Normalization Request | Request to normalize a DN or a sequence of DNs. | 1.3.18.0.2.12.30 | Yes | Yes | Yes | Yes | Yes | Yes |
| Kill Connection Request | Request to kill connections on the server: all connections, or connections by bound DN, by IP, or by a bound DN from a particular IP. | 1.3.18.0.2.12.35 | No | Yes | No | No | No | No |
| User Type Request | Request the user type of the bound user. | 1.3.18.0.2.12.37 | Yes | Yes | Yes | Yes | Yes | Yes |
| Group Evaluation | Used in a distributed directory environment to determine all groups that a particular DN is a member of. | 1.3.18.0.2.12.50 | No | Yes | No | No | No | No |
| Topology Replication | Replicates the objects that define the topology of a particular replication context, such as the replication agreements for that context. Any user with update rights to the Replication Group Entry of the context is allowed to issue this extended operation. | 1.3.18.0.2.12.54 | No | Yes | Yes | No | No | No |
| Event Update | Request to reinitialize the event notification configuration (can only be initiated by the server, not by any user). | 1.3.18.0.2.12.31 | No | No | No | No | No | No |
| Log Access Update | Request to reinitialize the log access plug-in configuration (can only be initiated by the server, not by any user). | 1.3.18.0.2.12.32 | No | No | No | No | No | No |
| Unique Attributes | Request to get the duplicate values for an attribute. | 1.3.18.0.2.12.44 | No | Yes | No | No | No | No |
| Account Status | Determines whether an account is locked by password policy. | 1.3.18.0.2.12.58 | No | Yes | No | No | No | No |
| Get Attributes Type | Request attribute types. | 1.3.18.0.2.12.46 | No | Yes | No | Yes | No | No |

The following table cross-references the objects that members holding each administrative role are allowed to access.

Table 1. Permissions assigned to administrative roles for accessing various objects

| Role | Audit settings / audit logs (Read) | Audit settings / audit logs (Write) | RDBM back-end (Read) | RDBM back-end (Write) | Replication objects (Read) | Replication objects (Write) | Schema back-end (Read) | Schema back-end (Write) | Configuration back-end (Read) | Configuration back-end (Write) |
|---|---|---|---|---|---|---|---|---|---|---|
| Audit Administrator | Yes | Yes | No** | No | No** | No | Yes | No | Yes | No |
| Directory Data Administrator | No | No | Yes | Yes | Yes | Yes | Yes | No | Yes | No |
| Replication Administrator | No | No | No** | No** | Yes | Yes | Yes | No | Yes | No |
| Schema Administrator | No | No | No** | No | No** | No | Yes | Yes | Yes | No |
| Password Administrator | No | No | No** | Yes** | No** | No | Yes | No | Yes | No |
| No Administrator | No | No | No** | No** | No | No | Yes | No | Yes | No |

** For access to these objects the administrative roles grant no special authority, but the user may still have access through normal ACL evaluation.
Note: The proxy server treats administrative group members holding any administrative role as anonymous and applies its access rules accordingly.