The creation of the following roles and the related ACIs, every time an organization is created, can be eliminated:
Organization Admin Role
Organization Help Desk Admin Role
Policy Admin Role
Eliminate the roles and the related ACIs by making a change to the DAI service in the /etc/opt/SUNWam/config/ums/ums.xml file.
You can selectively remove only one of these roles, instead of all of them:
    <AttributeValuePair>
        <Attribute name="childNode" />
        <Value>PeopleContainer</Value>
        <Value>GroupContainer</Value>
        <Value>DefaultOrgRole</Value>
        <Value>DPOrgAdminRole</Value>
        <Value>DPOrgHelpDeskAdminRole</Value>
        <Value>DPOrgPolicyAdminRole</Value>
    </AttributeValuePair>
The above are lines 143-151 in the ums.xml file.
It is not possible to eliminate the creation of this role: People Admin Role.
Every time an organization is created, a default People container is created and along with the People container, this role is also created. If you do not need this role, you may delete this role from the Access Manager Console. That will clean up all the ACIs related to this role as well.
When a Container is created, the following roles are created by default:
Container Admin Role
Container Help Desk Admin Role
People Admin Role (for the default People container that is created)
The creation of the following roles and the related ACIs, every time an organization is created, can be eliminated:
Container Admin Role
Container Help Desk Admin Role
Eliminate the roles and the related ACIs by making the following changes to the DAI service in the /etc/opt/SUNWam/config/ums/ums.xml file.
You can selectively remove only one of these roles, instead of all of them:
    <AttributeValuePair>
        <Attribute name="childNode" />
        <Value>PeopleContainer</Value>
        <Value>GroupContainer</Value>
        <Value>DPOrgUnitAdminRole</Value>
        <Value>DPOrgUnitHelpDeskAdminRole</Value>
    </AttributeValuePair>
The above are lines 170-175 in the /etc/opt/SUNWam/config/ums/ums.xml file.
It is not possible to eliminate the creation of this role: People Admin Role.
Every time an organization is created, a default People container is created and along with the People container, this role is also created. If you do not need this role, you may delete this role from the Access Manager Console. That will clean up all the ACIs related to this role as well.
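The two ums.xml changes described above can be scripted. The following is an added example, not part of the original documentation or the product. It assumes that "eliminating" a role means deleting its <Value> line from the childNode list, and the names drop_child_roles and REMOVABLE are hypothetical.

```python
import re

# Assumption: these template names are the role entries shown in the two
# childNode lists on this page. Container entries are deliberately excluded.
REMOVABLE = {
    "DPOrgAdminRole", "DPOrgHelpDeskAdminRole", "DPOrgPolicyAdminRole",
    "DPOrgUnitAdminRole", "DPOrgUnitHelpDeskAdminRole",
}
PAIR_RE = re.compile(r"<AttributeValuePair>.*?</AttributeValuePair>", re.S)
CHILDNODE_RE = re.compile(r'<Attribute\s+name="childNode"\s*/>')


def drop_child_roles(xml_text, roles):
    """Return (new_text, removed) with the given role <Value> entries deleted
    from every childNode AttributeValuePair; other pairs are left untouched."""
    unknown = set(roles) - REMOVABLE
    if unknown:
        raise ValueError(f"not a removable role template: {sorted(unknown)}")
    removed = []

    def edit_pair(match):
        block = match.group(0)
        if not CHILDNODE_RE.search(block):
            return block  # a different attribute: leave it exactly as found
        for role in roles:
            pattern = re.compile(r"[ \t]*<Value>%s</Value>[ \t]*\n?" % re.escape(role))
            block, n = pattern.subn("", block)
            removed.extend([role] * n)
        return block

    return PAIR_RE.sub(edit_pair, xml_text), removed


# Constructed sample modelled on the fragment quoted on this page; the second
# pair (attribute name "example") is invented to show it is not modified.
SAMPLE = """\
<AttributeValuePair>
    <Attribute name="childNode" />
    <Value>PeopleContainer</Value>
    <Value>GroupContainer</Value>
    <Value>DefaultOrgRole</Value>
    <Value>DPOrgAdminRole</Value>
    <Value>DPOrgHelpDeskAdminRole</Value>
    <Value>DPOrgPolicyAdminRole</Value>
</AttributeValuePair>
<AttributeValuePair>
    <Attribute name="example" />
    <Value>DPOrgPolicyAdminRole</Value>
</AttributeValuePair>
"""
```

Run it against a copy of ums.xml and compare the result with the original before replacing the file, since the removed list shows exactly which entries were dropped.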
To prevent the creation of the Group Admin Role and related ACIs every time a group is created, do the following in the Access Manager Console:
Choose the Admin Console Service from the Services Configuration tab.
Select Group Admin permission from the list of Dynamic Administrative role ACIs in the global configuration.
Delete this permission by clicking Remove.
Save the configuration change.
The role and related ACIs will no longer be created when a group is created.
None of the new groups will have this facility. The permission and the role creation are deleted permanently.