Authorization needed for service user connecting to AD

former_member192665
Participant
0 Kudos

Hi,

I was asked by a customer: When I'm connecting Active Directory to SAP ID Mgmt which AD authorizations do I need to give to the technical user I'm using to connect with? Domain Admin is not acceptable and it must be possible to create/modify users with less than domain admin authorizations. I couldn't find anything in the official documents about this. Can anyone comment?

Thanks

Kai

Accepted Solutions (1)

former_member2987
Active Contributor
0 Kudos

Kai, for changing passwords, I usually use a domain admin account. However it really depends on how permissions are set up on the domain. There will be a need for higher authorizations if you are going cross domain, the AD administrator should be able to work with you on creating an account with sufficient permissions. You might also be able to get them to piggy back an existing service account for use by IDM although this is not a best practice for compliance reasons.

Regardless, for IDM the account must be able to create update and delete users. If the client is using AD 2008 in pure mode you can also compromise by giving the service account rights to only the necessary containers.

Matt

Answers (2)

Former Member
0 Kudos

I know this is old, but it's still unanswered. They only need READ access, which is the same level of access an end-user in the domain has. No special authorizations are necessary.

jaisuryan
Active Contributor
0 Kudos

Hi Leonard,

So you didn't want IDM to provision users, group assignments to AD?

BR, Jaisuryan

jared_kobe
Participant
0 Kudos

Kai,

Another Built-In Group in AD that may be useful for you is Account Operators. This group typically has the rights to create/edit/delete/change password on all users that are not Domain Admins. You might want to check and see if they will let you put your service account in that group instead.

Otherwise, I would follow Matt's advice and see if they will give you full access to a select set of OUs and containers instead of the entire domain. Even in a non-2008 system, I believe this can be accomplished through GPOs.

Jared
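The two answers above (Matt's suggestion of limiting the service account to the necessary containers, and Jared's suggestion of scoping it to a set of OUs rather than Account Operators or Domain Admins) both come down to delegating rights on the OU's ACL. The following is an added example, not code from the thread or from SAP, showing how that delegation looks in PowerShell with the RSAT ActiveDirectory module, followed by a check that the account actually holds only those rights and sits in no privileged built-in group. The domain `example.com`, the service account `EXAMPLE\svc-idm` and the OU `OU=IDM Managed,DC=example,DC=com` are placeholder names; the rights granted (create/delete users, read/write user attributes, Reset Password, and write of the group `member` attribute for group assignments) are the ones the thread says IDM needs, and nothing more.

```powershell
# Added example: least-privilege delegation of an IDM service account to one OU.
# Assumes the RSAT ActiveDirectory module (AD: drive) and placeholder names below.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$ServiceAccount = 'EXAMPLE\svc-idm'                      # placeholder
$TargetOU       = 'OU=IDM Managed,DC=example,DC=com'     # placeholder

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Look up class/attribute GUIDs in the schema and extended-right GUIDs in the
# configuration partition instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$userClass  = Get-SchemaGuid 'user'
$groupClass = Get-SchemaGuid 'group'
$memberAttr = Get-SchemaGuid 'member'
$resetPwd   = Get-ExtendedRightGuid 'Reset Password'

$identity = [System.Security.Principal.NTAccount]$ServiceAccount
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inhDesc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$rules = @(
    # Create and delete user objects in this OU and its sub-OUs.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow, $userClass, $inhAll)
    # Read and write all attributes of user objects below the OU (account updates).
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $inhDesc, $userClass)
    # Reset Password extended right on user objects (IDM sets passwords; it never needs the old one).
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPwd, $inhDesc, $userClass)
    # Write only the "member" attribute of groups below the OU (group assignments).
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $memberAttr, $inhDesc, $groupClass)
)

# Apply the ACEs to the OU's DACL (run as an account allowed to modify that DACL).
$aclPath = "AD:\$TargetOU"
$acl = Get-Acl -Path $aclPath
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path $aclPath -AclObject $acl

# Verification: what the service account can do on the OU ...
function Get-DelegatedRights([string]$OU, [string]$Account) {
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}
# ... and that it is not (directly) a member of a privileged built-in group.
function Test-PrivilegedMembership([string]$SamAccountName) {
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators', 'Schema Admins'
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Where-Object { $privileged -contains $_.Name }
}

Get-DelegatedRights -OU $TargetOU -Account $ServiceAccount | Format-Table -AutoSize
$bad = Test-PrivilegedMembership -SamAccountName 'svc-idm'
if ($bad) { Write-Warning "svc-idm is a member of: $($bad.Name -join ', ')" }
```

ACL delegation on an OU works on every AD version, so it does not depend on the 2008 functional level; it is the same mechanism the Delegation of Control wizard and `dsacls` use. The membership check only sees direct group memberships, so nested membership via another group still has to be reviewed separately, and any account that is later moved out of the delegated OU falls outside the service account's reach, which is the intended behaviour.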