Technical Note: Sun Java System Access Manager ACI Guide

Custom Tuning of ACIs in Legacy Mode

Organizations

The creation of the following roles and the related ACIs, every time an organization is created, can be eliminated:

Eliminate the roles and the related ACIs by making a change to the DAI service in the /etc/opt/SUNWam/config/ums/ums.xml file.

You can selectively remove only one of these roles, instead of all of them:

<AttributeValuePair>
      <Attribute name="childNode" />
      <Value>PeopleContainer</Value>
      <Value>GroupContainer</Value>
      <Value>DefaultOrgRole</Value>
      <Value>DPOrgAdminRole</Value>
      <Value>DPOrgHelpDeskAdminRole</Value>
      <Value>DPOrgPolicyAdminRole</Value>
</AttributeValuePair>

The above are lines 143-151 in the ums.xml file.

It is not possible to eliminate the creation of this role: People Admin Role.

Every time an organization is created, a default People container is created, and this role is created along with it. If you do not need this role, you can delete it from the Access Manager Console. Deleting the role also cleans up all the ACIs related to it.

Organizational Unit or Containers

When a Container is created, the following roles are created by default:

The creation of the following roles and the related ACIs, every time an organization is created, can be eliminated:

Eliminate the roles and the related ACIs by making the following changes to the DAI service in the /etc/opt/SUNWam/config/ums/ums.xml file.

You can selectively remove only one of these roles, instead of all of them:

<AttributeValuePair>
      <Attribute name="childNode" />
      <Value>PeopleContainer</Value>
      <Value>GroupContainer</Value>
      <Value>DPOrgUnitAdminRole</Value>
      <Value>DPOrgUnitHelpDeskAdminRole</Value>
</AttributeValuePair>

The above are lines 170-175 in the /etc/opt/SUNWam/config/ums/ums.xml file.

It is not possible to eliminate the creation of this role: People Admin Role.

Every time an organization is created, a default People container is created, and this role is created along with it. If you do not need this role, you can delete it from the Access Manager Console. Deleting the role also cleans up all the ACIs related to it.
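
The following is an added example, not part of the original note or of Access Manager. It previews the selective removal described for the childNode lists in the Organizations and Organizational Unit sections. It assumes the change is deleting a role's <Value> line and that role names end in "Role", as they do on this page; the <Sample> wrapper and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two childNode lists shown on this page, wrapped in a
# hypothetical <Sample> root so the fragment parses on its own.
SAMPLE = """<Sample>
 <AttributeValuePair>
  <Attribute name="childNode" />
  <Value>PeopleContainer</Value>
  <Value>GroupContainer</Value>
  <Value>DefaultOrgRole</Value>
  <Value>DPOrgAdminRole</Value>
  <Value>DPOrgHelpDeskAdminRole</Value>
  <Value>DPOrgPolicyAdminRole</Value>
 </AttributeValuePair>
 <AttributeValuePair>
  <Attribute name="childNode" />
  <Value>PeopleContainer</Value>
  <Value>GroupContainer</Value>
  <Value>DPOrgUnitAdminRole</Value>
  <Value>DPOrgUnitHelpDeskAdminRole</Value>
 </AttributeValuePair>
</Sample>"""

def child_blocks(root):
    """Return every AttributeValuePair whose Attribute is named childNode."""
    return [avp for avp in root.iter("AttributeValuePair")
            if avp.find("Attribute") is not None
            and avp.find("Attribute").get("name") == "childNode"]

def names(avp):
    """Return the <Value> names of one block, in file order."""
    return [(v.text or "").strip() for v in avp.findall("Value")]

def prune_roles(xml_text, drop):
    """Delete the named roles from every childNode list (assumed edit).

    Containers and unknown names are refused, so a typo cannot pass silently.
    """
    root = ET.fromstring(xml_text)
    present = {n for avp in child_blocks(root) for n in names(avp)}
    bad = sorted(n for n in drop if n not in present or not n.endswith("Role"))
    if bad:
        raise ValueError(f"not a role in any childNode list: {bad}")
    for avp in child_blocks(root):
        for value in avp.findall("Value"):
            if (value.text or "").strip() in drop:
                avp.remove(value)
    return ET.tostring(root, encoding="unicode")
```

ElementTree discards the DOCTYPE and comments when it re-serializes, so use the output to review which roles remain and make the actual edit by hand on a backed-up copy of ums.xml.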

Groups

To prevent the creation of the Group Admin Role and related ACIs every time a group is created, do the following in the Access Manager Console:

  1. Choose the Admin Console Service from the Services Configuration tab.

  2. Select Group Admin permission from the list of Dynamic Administrative role ACIs in the global configuration.

  3. Delete this permission by clicking Remove.

  4. Save the configuration change.

The roles and related ACIs will no longer be created when a group is created.


Note –

None of the new groups will have this facility. The permission and role creation is deleted permanently.