I am attempting to provide a web service to my organization that will
allow a developer to request user adds/removals from a role using the
requestRolesAssignment SOAP call. Everything works fine with a service
account that is a role administrator, but I want to lock down the
service at a more fine-grained level.

Here is my plan:
1. Create a service account in the vault (not a role admin)
2. In the UA, create an Administrator Assignment that allows this
service account to request user adds/removals for users from a specific
3. Give this service account to the developer

The first thing I did was explode the IDMProv.war and then explode
IDMfw.jar. I then modified the RoleService-conf/config.xml with the
following to allow just the add role requests:


I then recreated the jar and the war (jar -uvf). After restarting the
UA, I attempted to call requestRolesAssignment and got the following:

NrfServiceException:<ns1:reason>Logged in user is not a Role Administrator.</ns1:reason>

Apparently, the service call still requires a role admin. This finally
leads me to the following questions:
What changes should I be making to the RoleService-conf/config.xml to
allow for non-role admin calls?
Once I get the non-role admin service calls to work, will
Administrator Assignments on the service account be respected? Meaning,
will this service account only be able to act upon roles in which it has
administrator rights?


joelburke's Profile: https://forums.netiq.com/member.php?userid=9019