Administrative access

Use administrative access to control access to specific administrative tasks.

The IBM directory server allows the following types of administrative access:

  • Projected IBM® i administrator: A client authenticated as a projected user (an LDAP entry representing an operating system user profile) with *ALLOBJ and *IOSYSCFG special authorities has authority to change the directory configuration through LDAP interfaces (the cn=configuration subtree, or the Web administration tool "Server administration" tasks). The same client can also act as an LDAP administrator for other directory entries (entries stored in one of the DB2 suffixes or the schema). Only projected IBM i administrators can change the server configuration.
  • LDAP administrator: The Directory Server allows a single user ID (DN) to be the primary LDAP server administrator. The Directory Server also allows projected operating system user profiles to be LDAP administrators. The LDAP server administrators can perform a long list of administrative tasks such as managing replication, schema, and directory entries.
  • Group of administrative users: A projected IBM i administrator and LDAP administrator can appoint several users to be in the administrative group. Administrative group members are users that have been assigned a subset of administrative privileges. The administrative group is a way for the directory administrator to delegate a limited set of administrative tasks to one or more individual user accounts. Server administrative group members are explicitly assigned various roles that define the tasks that a group member is authorized to perform. These administrative roles include such specialized roles as Password Administrator and Replication Administrator. For more information, see “Adding, editing, and removing administrative group members”.
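
Because administrative group members hold only the roles explicitly assigned to them, the assignments can be reviewed against a least-privilege baseline. The following is an added example, not IBM's code: it parses a constructed LDIF export of administrative group members and reports any role beyond what each account is approved for. The container DN, the ibm-slapdAdminDN and ibm-slapdAdminRole attribute names, the role values, and all sample DNs are assumptions.

```python
import base64

# Constructed sample export and approved-role baseline. The container DN and
# the ibm-slapdAdminDN / ibm-slapdAdminRole attribute names are assumptions.
SAMPLE_LDIF = """\
dn: cn=pwadmin,cn=admingroup,cn=configuration
ibm-slapdAdminDN: cn=helpdesk1,o=example
ibm-slapdAdminRole: PasswordAdmin

dn: cn=repl,cn=admingroup,cn=configuration
ibm-slapdAdminDN: cn=replops,
 o=example
ibm-slapdAdminRole: ReplicationAdmin
ibm-slapdAdminRole: SchemaAdmin

dn: cn=legacy,cn=admingroup,cn=configuration
ibm-slapdAdminDN: cn=olduser,o=example
"""
APPROVED = {"cn=helpdesk1,o=example": {"PasswordAdmin"},
            "cn=replops,o=example": {"ReplicationAdmin"}}

def parse_ldif(text):
    """Yield one dict (lower-cased attribute -> list of values) per record."""
    unfolded = text.replace("\n ", "")  # a leading space continues the line
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            yield entry

def audit_admin_group(text, approved):
    """Return (admin DN, issue) pairs for members outside the baseline."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("ibm-slapdadmindn", [None])[0]
        if dn is None:  # not an administrative group member entry
            continue
        roles = set(entry.get("ibm-slapdadminrole", []))
        if not roles:
            findings.append((dn, "no explicit role assigned"))
        for role in sorted(roles - approved.get(dn, set())):
            findings.append((dn, "unapproved role " + role))
    return findings
```

Calling `audit_admin_group(SAMPLE_LDIF, APPROVED)` returns one finding for the extra role on the replication account and one for the member that has no role at all.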