Go to the organization where the Role will be created.
Click the Roles tab.
A set of default roles is created when an organization is configured, and these roles are displayed in the Roles list. The default roles are:
Container Help Desk Admin. The Container Help Desk Admin role has read access to all entries in an organizational unit, and write access only to the userPassword attribute of the user entries within that container unit.
Organization Help Desk Admin. The Organization Help Desk Administrator has read access to all entries in an organization and write access to the userPassword attribute.
When a sub organization is created, remember that the administration roles are created in the sub organization, not in the parent organization.
Container Admin. The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Access Manager, the LDAP organizational unit is often referred to as a container.
Organization Policy Admin. The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that organization.
People Admin. By default, any user entry in a newly created organization is a member of that organization. The People Administrator has read and write access to all user entries in the organization. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs; therefore, it cannot modify the attributes of, or remove a user from, a role or a group.
Other containers can be configured with Access Manager to hold user entries, group entries, or even other containers. To apply an administrator role to a container created after the organization has already been configured, use the default Container Admin or Container Help Desk Admin role.
Group Admin. The Group Administrator role, created when a group is created, has read and write access to all members of a specific group, and can create new users, assign users to the groups it manages, and delete the users that it has created.
When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group's creator, or by anyone who has access to the Group Administrator Role.
Top-level Admin. The Top-level Administrator has read and write access to all entries in the top-level organization. In other words, this Top-level Admin role has privileges for every configuration principal within the Access Manager application.
Organization Admin. The Organization Administrator has read and write access to all entries in an organization. When an organization is created, the Organization Admin role is automatically generated with the necessary privileges to manage the organization.
Click the New Static button.
Enter a name for the role.
Enter a description of the role.
Choose the role type from the Type menu.
The role can be either an Administrative role or a Service role. The console uses the role type to determine where to start the user in the Access Manager console. An administrative role notifies the console that the possessor of the role has administrative privileges; the service role notifies the console that the possessor is an end user.
Choose a default set of permissions to apply to the role from the Access Permission menu. The permissions provide access to entries within the organization. The default permissions shown are in no particular order. The permissions are:
No permissions are to be set on the role.
The Organization Administrator has read and write access to all entries in the configured organization.
The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.
The Organization Policy Administrator has read and write access to all policies in the organization. The Organization Policy Administrator cannot create a referral policy to a peer organization.
Generally, the No Permissions ACI is assigned to Service roles, while Administrative roles are assigned any of the default ACIs.