Directory Service Users and Roles

Privileged Access Service provides two predefined roles:

  • System Administrator

  • Everybody

The account used to log on for the first time is a Privileged Access Service service user account and is automatically made a member of the System Administrator role, which carries all administrative rights. Roles control what different sets of users can do, and you can add roles to define the policies that apply to different groups of users.

By default, all new Privileged Access Service service users are added to the Everybody role.

Roles are a key element of every part of the Privileged Access Service you choose to deploy. For example, the Privileged Access Service assigns applications and applies administrative rights based on role membership. For more information about how role membership affects user access and how policies are applied, see Adding Privileged Access Service Users.

If all of your users are going to be Privileged Access Service users, the next step is to begin adding account information for those users to the Privileged Access Service service.

If you are using another identity store, such as Active Directory or another LDAP-based service, for all or some of your user accounts, the next step is to install a connector that points to that identity store. For more information about installing a connector, see Installing an IBM Security Connector. For more information about using different identity stores, see Selecting an Identity Repository.

Selecting an Identity Repository

Privileged Access Service requires an identity repository for storing user data and authenticating these users. You can use either or both of the following:

  • IBM Security Directory: Privileged Access Service includes this built-in identity repository. With this option, the Privileged Access Service account is used to authenticate users and, if you are using the Privileged Access Service for mobile device management, to store the registered device records.

  • Active Directory/LDAP: Privileged Access Service securely connects to your existing Active Directory/LDAP infrastructure through the IBM Security Connector to authenticate users when they log in to the web portals and register devices. Privileged Access Service does not replicate Active Directory/LDAP accounts or attributes in the Privileged Access Service.

If your organization is heavily invested in Active Directory/LDAP, you can continue to use it as your primary identity store and use the same tools (for example, Active Directory Users and Computers) to manage users and mobile devices.

You can use both identity stores simultaneously, too. For example, if you decide to use Active Directory/LDAP as your primary identity store, the Privileged Access Service can provide a convenient supplemental repository for the following types of users:

  • Emergency administrators: If the network connection to the Active Directory domain controller ever breaks down, no one with only an Active Directory/LDAP account can log in. However, if you create administrator accounts in Privileged Access Service, these users can still log in to the Admin Portal and launch web applications.

  • Temporary users: Some organizations' security policies make adding a short-term user to Active Directory/LDAP a complex and time-consuming task. If you have a temporary worker who needs access to just the applications you deploy through the Privileged Access Service, it may be simpler to add the account to Privileged Access Service.

  • Contractors or less-trusted users: Sometimes you do not want users to have the full set of privileges and access rights that an Active Directory/LDAP account provides. In this case, you create the account in the Privileged Access Service only.

To avoid users logging in to an unintended repository account and other account-related confusion, we recommend that you do not create duplicate accounts (same user name and password) in both the IBM Security Directory and Active Directory/LDAP.