Permissions Necessary To Modify Password Self-Service

Question

What permissions are necessary to give a Help Desk user the rights to modify all aspects (changing properties of a Policy, adding users to a policy, creating new policies, etc) of Password Self-Service

Thanks

Answer 1

Hello,

To be able to create and delete Password Self-Service Policies, a user needs to be granted the permission to create and delete objects of type PasswordSelfServicePolicy under the Password Self-Service Policies Container. To be able to modify Policies, the user needs to be granted the Full Control permission for objects of type PasswordSelfServicePolicy. Additionally, if you want to grant the user the permission to view Password Self-Service Statistics, you need to grant the user the View Password Self-Service Statistics permission for the PasswordSelfServiceStatistics object type. To create a Security Role that grants such permissions:

1. Create a new Security Role.
2. On the 2nd step of the Create Security Role wizard, click Add.
3. In the dialog that appears, switch the radio button to Only selected object types.
4. Select the Show all object types option.
5. Select the PasswordSelfServicePolicyContainer object type.
   
6. In the Operations on child objects section, select the Create Child Objects permission in the Allow column to allow creating new Password Self-Service Policies.
7. To allow deleting Password Self-Service Policies, select the Delete Child Objects permission in the Allow column.
8. Click the Select object types link.
9. Select the Show all object types option.
10. Select the PasswordSelfServicePolicy object type.
    
11. Click OK two times.
12. Click the Add button again.
13. In the dialog that appears, switch the radio button to Only selected object types.
14. Select the Show all object types option.
15. Select the PasswordSelfServicePolicy object type.
16. In the General permissions section, select the Full Control permission in the Allow column.
    
17. Click OK.
18. Click the Add button again.
19. In the dialog that appears, switch the radio button to Only selected object types.
20. Select the Show all object types option.
21. Select the PasswordSelfServiceStatistics object type.
22. In the General permissions section, select the View Password Self-Service Statistics permission in the Allow column.
    
23. Click OK.
24. On the 3rd step, assign the Security Role to the users who need this permission and include Configuration Objects in the Assignment Scope of the Role.