4.2 About Delegating the Identity Store

The Access Manager System Identity Store is used to enforce authentication and authorization during the execution of administrative operations.

The LDAP Directory defined as the System Identity Store will contain all the administrators having access to the Administration Console. An administrator can define a new User Identity Store and select one of the existing profiles as the System Identity Store but only the System Administrator can modify the current System Identity Store or switch to a new one.

When migrating to a new Identity Store, if users from the new store are assigned Access Manager roles, those privileges become active and are enforced by Access Manager. The administrator will be responsible for removing any delegated administration privileges for the new Identity Store and the Access Manager Administrator group will be mapped to the Administrator role of the new identity store.


If the user currently logged in does not have the necessary administrator roles in the new system store, the Administration Console will log out or refresh so that it is compliant with the roles assigned to the current administrator.