If you require roles to be provisioned on Identity Manager to OpenSSO Enterprise, and you are using the Sun Access Manager Resource Adapter, then the OpenSSO Enterprise user data store must have the OpenSSO Enterprise schema loaded in it.
If the generic LDAPv3 data store behind the OpenSSO Enterprise data store plug-in does not have the OpenSSO Enterprise schema loaded, the plug-in does not support the management of either managed roles or filtered roles. The OpenSSO Enterprise data store plug-in is designed to work this way. Note that you do not have to provision roles in order to achieve single sign-on.
Because OpenSSO Enterprise is installed in the Realm mode of operation, the Identity Manager resource adapter for Realm mode, SunAccessManagerRealmResourceAdapter, must be configured on Identity Manager.
In earlier versions of OpenSSO Enterprise, previously known as Access Manager, the product was installed in the Legacy mode of operation. In Legacy mode, a different Identity Manager resource adapter, SunAccessManagerResourceAdapter, must be configured on Identity Manager. Both types of adapters have the same functionality with one difference. The SunAccessManagerResourceAdapter uses the legacy Access Manager AMSDK API, while the SunAccessManagerRealmResourceAdapter uses the OpenSSO Enterprise idRepo API. The idRepo APIs are the next-generation OpenSSO client APIs, and will eventually replace the legacy AMSDK API.