What is the SPA Users from All Managed and Trusted Domains ActiveView used for? (NETIQKB50307)

  • 7750307
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
What is the SPA Users from All Managed and Trusted Domains ActiveView used for?

goal
Which user group has access to SPA?

fact
Directory and Resource Administrator 7.x

fact
Directory and Resource Administrator 8.0

fact
Secure Password Administrator 1.0

fix

The SPA Users from All Managed and Trusted Domains ActiveView contains all the user accounts to which you want to grant access to Secure Password Administrator (SPA). Every account included in this ActiveView can access and use SPA. By default, this ActiveView contains all the user accounts in the domains managed by Directory and Resource Administrator (DRA). You can limit access to SPA by removing accounts from this ActiveView. Excluded accounts cannot be added to a SPA profile.

However, if you use the credentials of a member of the DRA Admins Assistant Admin (AA) group, SPA shares the powers of that DRA Assistant Admin. In that case, excluding an account from the SPA Users from All Managed and Trusted Domains ActiveView does not ensure that the account cannot be added to a SPA profile.

If you use a SPA override account, the setup program uses the credentials of a valid DRA Admins AA to complete the following tasks:

  • Assigns the SPA override account the appropriate role, which grants the ability to reset passwords and to unlock and synchronize accounts.
  • Includes the SPA override account in the SPA Admins AA group.

SPA uses the accounts in the SPA Admins AA group to perform the unlock and reset functions requested by validated user accounts. The SPA Admins AA group provides password reset and account unlock powers over the objects in the SPA Users from All Managed and Trusted Domains ActiveView. If a member of the DRA Admins AA group is used as the service account, the account already has the powers to reset passwords and unlock accounts.

For more information about DRA and the DRA security model, see the Administrator Guide for Directory and Resource Administrator.

For more information on the SPA Admins Assistant Admin group, see the NetIQ Knowledge Base article NETIQKB50305: "What is the SPA Admins Assistant group used for?" at https://www.netiq.com/kb/esupport/consumer/esupport?id=NETIQKB50305.



note

Using the account of a member of the DRA Admins AA group nullifies the inclusion and exclusion capabilities of the SPA ActiveView. Most SPA configurations require very little interaction with the SPA Admins AA group and SPA Role. Most of the DRA configuration consists of creating or removing user accounts with DRA and choosing whether to remove accounts that were automatically included in the SPA ActiveView.



Additional Information

Formerly known as NETIQKB50307