Administrative group and roles

The administrative group enables 24-hour administrative capabilities without needing to share a single user ID and password among the administrators. It is a way for the LDAP root administrator defined in the configuration file to delegate a limited set of administrative tasks to one or more individual user accounts. Administrative group members are users that are added to the administrative group and assigned one or more administrative roles. These roles define the tasks that a group member is authorized to perform. The roles are assigned in the LDAP administrative group member entry or, alternatively, in RACF®.

The administrative roles supported in the z/OS® LDAP server are:
  • Directory data administrator is allowed to administer all TDBM and LDBM backend entries and entries that exist under the cn=ibmpolicies suffix in the CDBM backend.
  • No administrator is a role intended to quickly revoke an administrative group member's administrative privileges.
  • Operational administrator is allowed to specify the PersistentSearch control on search requests.
  • Password administrator is allowed to administer user passwords; for example, allowing a help desk to reset a user's password in the LDBM and TDBM backends.
  • Replication administrator is allowed to administer advanced replication configurations.
  • Root administrator is a super user (sum of all administrative roles, excluding no administrator role). This authority is equivalent to the authority of the adminDN in the LDAP server configuration file.
  • Schema administrator is allowed to administer the schema.
  • Server configuration group member is allowed to administer entries under and including the cn=configuration suffix in the CDBM backend.
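
As an added illustration (not from the original page), the following LDIF shows how a help-desk account might be delegated only the password administrator role, and how that delegation can later be revoked by assigning the no administrator role. The entry DN under cn=AdminGroup,cn=configuration, the object class ibm-slapdAdminGroupMember, the attribute names ibm-slapdAdminDN and ibm-slapdAdminRole, and the role value spellings are assumptions about the server's configuration schema; confirm them against the Administrative roles topic before use.

```ldif
# Added example; attribute names and role values are assumptions, verify against the schema.
# Step 1: add a help-desk account as an administrative group member holding only the
# password administrator role. It can reset user passwords in the LDBM and TDBM
# backends but has no schema, configuration, or general directory-data authority.
dn: cn=helpdesk1,cn=AdminGroup,cn=configuration
changetype: add
objectclass: ibm-slapdAdminGroupMember
ibm-slapdAdminDN: cn=helpdesk1,o=example
ibm-slapdAdminRole: passwordAdmin

# Step 2 (later): quickly revoke the member's privileges without deleting the entry.
# Replacing the role set with the no administrator role leaves the membership in
# place for audit purposes while removing every delegated task.
dn: cn=helpdesk1,cn=AdminGroup,cn=configuration
changetype: modify
replace: ibm-slapdAdminRole
ibm-slapdAdminRole: noAdmin
```

Both changes are applied by the root administrator (the adminDN from the configuration file), since only that authority, or a member holding the server configuration group member role, can modify entries under cn=configuration.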

See Administrative roles for more information.