How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I make a whole user data store read-only to users in AM (All versions)?

Last updated Apr 13, 2021

The purpose of this article is to provide information on making a whole user data store read-only to users in AM when the user data store is being accessed via the LDAP identity repository plug-in. You would do this if you want to prevent users in AM from creating, changing or deleting user entries in the data store.


Making a user data store read-only

You can make a user data store read-only to all users in AM (by making these changes against the top level realm) or to a subset of users (by making these changes to a realm). You cannot make the user data store read-only for individual users.

You can make these changes using either the console or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Data Stores > [Data Store Name] > Plug-in Configuration > LDAPv3 Plug-in Supported Types and Operations and remove the user=read,create,edit,delete,service value. Add a new value of user=read,service.
  • ssoadm:
    1. Create a data file (called DATA_FILE to match the next command) with the following contents. The realm and group settings shown are default settings; if you have already changed these, you should substitute your values instead to ensure your changes are not lost.

       sunIdRepoSupportedOperations=user=read,service
       sunIdRepoSupportedOperations=realm=read,create,edit,delete,service
       sunIdRepoSupportedOperations=group=read,create,edit,delete,service

    2. Enter the following command:

       $ ./ssoadm update-datastore -e [realmname] -m [datastorename] -u [adminID] -f [passwordfile] -D DATA_FILE

       replacing [realmname], [datastorename], [adminID] and [passwordfile] with appropriate values. If you are making changes against the top level realm, you must specify -e /

You can check the settings for the data store to ensure the changes are as expected using the following command:

$ ./ssoadm show-datastore -e [realmname] -m [datastorename] -u [adminID] -f [passwordfile]

replacing [realmname], [datastorename], [adminID] and [passwordfile] with appropriate values. If you are making changes against the top level realm, you must specify -e /
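
The following script is an added example and is not part of the ForgeRock article. It writes the DATA_FILE from step 1, runs the update-datastore and show-datastore commands in the form shown above, and then checks that the user type ends up with only read and service. The check assumes (this is an assumption, not documented on this page) that show-datastore prints sunIdRepoSupportedOperations values as attribute=value lines in the same form as the data file; the sample output in the usage note is constructed. The function apply_readonly only runs when ./ssoadm is present.

```shell
#!/bin/sh
# Added example (not from the ForgeRock article): make the user type of an AM
# data store read-only via ssoadm and verify the result.

# Write the data file from step 1 of the article. The realm and group lines are
# the defaults; replace them with your own values if you have changed them.
write_readonly_datafile() {
  # $1 = path of the data file to create
  cat > "$1" <<'EOF'
sunIdRepoSupportedOperations=user=read,service
sunIdRepoSupportedOperations=realm=read,create,edit,delete,service
sunIdRepoSupportedOperations=group=read,create,edit,delete,service
EOF
}

# Read show-datastore output on stdin. Return 0 when the user type carries no
# create, edit or delete operation, 1 otherwise (including when no user line is
# present, so a missing setting is never reported as read-only).
# Assumption: the output uses attribute=value lines like the data file.
user_type_is_readonly() {
  ops=$(sed -n 's/^sunIdRepoSupportedOperations=user=//p' | head -n 1)
  [ -n "$ops" ] || return 1
  case ",$ops," in
    *,create,*|*,edit,*|*,delete,*) return 1 ;;
  esac
  return 0
}

# Apply the change to a live AM and verify it.
# $1 realm (use / for the top level realm), $2 data store name,
# $3 admin ID, $4 password file
apply_readonly() {
  tmp=$(mktemp) || return 1
  write_readonly_datafile "$tmp"
  ./ssoadm update-datastore -e "$1" -m "$2" -u "$3" -f "$4" -D "$tmp" \
    || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  ./ssoadm show-datastore -e "$1" -m "$2" -u "$3" -f "$4" | user_type_is_readonly
}

# Only act when run next to an ssoadm binary with the four arguments supplied.
if [ -x ./ssoadm ] && [ $# -eq 4 ]; then
  if apply_readonly "$@"; then
    echo "user type is read-only"
  else
    echo "user type still allows create, edit or delete" >&2
    exit 1
  fi
fi
```

Run it from the ssoadm tools directory as `sh readonly.sh / [datastorename] [adminID] [passwordfile]`. The check function can also be fed the output of show-datastore directly, for example `./ssoadm show-datastore ... | user_type_is_readonly`, and a constructed line such as `sunIdRepoSupportedOperations=user=read,create,edit,delete,service` makes it return 1, which is the state you are trying to leave.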

Note

You can also do this by specifying access control to the directory itself in DS as described in: Security Guide › Access Control; this is the recommended approach.

See Also

How do I make individual user profile attributes read-only in AM (All versions)?

How do I create a user data store in AM (All versions) using ssoadm?

How do I understand what the user data store is used for in AM (All versions)?

Setup Guide › About the Identity Repository Plugin

Security Guide › Access Control

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.