I want to restrict an IDM driver so that it can only read a handful of attributes from eDirectory (IDVault), including the nspmDistributionPassword.

So far I have only got it working by assigning the driver - or rather an organizational role object assigned to the driver - the supervisor right to all properties.

I am wondering if there is a more granular approach to enable a driver to read the distribution password.

During testing I added the driver and the organizational role to the ndspPasswordACL attribute of the password policy, but this did not work either.

Any idea?

BTW: I am only doing this because of the official recommendations of NetIQ provided in the IDM classes ;-)

Kind regards,