How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I add privileges to identity groups in AM (All versions)?

Last updated Mar 18, 2021

The purpose of this article is to provide information on adding privileges to identity groups in AM. It also includes specific details on creating an admin user with similar privileges to the amAdmin user. You can also create an admin user who can do CRUD operations using the REST API. This allows you to have a user other than amAdmin who can Create, Read, Update and Delete Users.



Overview

You can add privileges to identity groups using the console, REST or ssoadm as detailed in this article. You cannot do this via Amster: OPENAM-11568 (Can't export privileges using Amster).

The following examples demonstrate adding privileges to an admin user, but the same concepts apply to all users.

See Security Guide › Delegating Privileges for further information on the different privileges available.

Admin users

You can create other admin users with similar privileges to the amAdmin user by delegating administration, but you should be aware that these users will not function in exactly the same way as the amAdmin user. Some aspects of the amAdmin functionality are hard-coded and therefore apply only to the amAdmin user. From Security Guide › About the amAdmin User:

The built-in amAdmin account cannot be disabled, deleted, or renamed, since it is hard-coded in the source code of several files.

You can also create users with differing levels of access according to what privileges you assign them; however, it is not possible to create a user who only has Read-only access to the console. Alternatively, you can make the whole data store read-only as described in How do I make a whole user data store read-only to users in AM (All versions)?

Creating an admin user (console)

You can create an admin user as follows:

  1. Create the user who you want to make the admin user if they do not already exist:
    • AM 6 and later console: navigate to: Realms > [Realm Name] > Identities, click Add Identity and enter details for the user.
    • Pre-AM 6 console: navigate to: Realms > [Realm Name] > Subjects, click New and enter details for the user.
  2. Create a new group to represent this type of admin user:
    • AM 6 and later console: navigate to: Realms > [Realm Name] > Identities > Groups, click Add Group and enter an ID for the group.
    • Pre-AM 6 console: navigate to: Realms > [Realm Name] > Subjects > Group, click New and enter an ID for the group.
  3. Add your admin user to this new group:
    • AM 6 and later console: navigate to: Realms > [Realm Name] > Identities > Groups > [Group Name] and add the user you created in step 1 as a member.
    • Pre-AM 6 console: navigate to: Realms > [Realm Name] > Subjects > [Admin User] > Group and add the group you created in step 2.
  4. Give this group the required privileges:
    • AM 6 and later console: navigate to: Realms > [Realm Name] > Identities > Groups > [Group Name] > Privileges and enable the required privileges. For full read and write access (including via the REST API), enable Realm Admin.
    • Pre-AM 6 console: navigate to: Realms > [Realm Name] > Privileges > [Group Name] and select the required privilege. For full read and write access (including via the REST API), select the Read and write access to all realm and policy properties option.

You should ensure that the corresponding user account on the directory server has sufficient privileges. If you're using DS, see Security Guide › Administrative Privileges for further information.

Creating an admin user (REST)

Note

Please observe the following when constructing REST calls:

  • Make the REST call to the actual AM server URL (not lb).
  • Change the name of the iPlanetDirectoryPro header to the name of your actual session cookie.
  • Set this session cookie header to the token returned when you authenticated.
  • Ensure the Accept-API-Version header contains a valid resource version.

See How do I avoid common issues with REST calls in AM (All versions)? for further information.

You can create an admin user as follows:

  1. Authenticate as an admin user. For example (the URL is quoted so that the shell does not treat the & in the query string as a command separator):

     $ curl -X POST -H "X-OpenAM-Username: amadmin" -H "X-OpenAM-Password: cangetinam" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" "http://host1.example.com:8080/openam/json/realms/root/authenticate?authIndexType=service&authIndexValue=adminconsoleservice"

     Example response:

     {
       "tokenId": "AQIC5wM2LY4SfcxsuvGEjcsppDSFR8H8DYBSouTtz3m64PI.*AAJTSQACMDIAAlNLABQtNTQwMTU3NzgxODI0NzE3OTIwNAEwNDU2NjE0*",
       "successUrl": "/openam/console",
       "realm": "/"
     }

  2. Create the user who you want to make the admin user if they do not already exist. For example:

     $ curl -X POST -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: protocol=2.1,resource=3.0" -d '{
       "username": "newAdmin",
       "userpassword": "password",
       "mail": "new.admin@example.com"
     }' http://host1.example.com:8080/openam/json/realms/root/users/?_action=create

     Example response (truncated because of the size of the response):

     {
       "username": "newAdmin",
       "realm": "/",
       "uid": [
         "newAdmin"
       ],
       "mail": [
         "new.admin@example.com"
       ],
       "universalid": [
         "id=newAdmin,ou=user,dc=openam,dc=forgerock,dc=org"
       ]
       ...
     }

  3. Create a new group to represent this type of admin user. For example:

     $ curl -X POST -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: resource=1.0" -d '{
       "username": "newGroup"
     }' http://host1.example.com:8080/openam/json/realms/root/groups?_action=create

     Example response:

     {
       "_id": "newGroup",
       "_rev": "-2076885525",
       "username": "newGroup",
       "realm": "/",
       "universalid": [
         "id=newGroup,ou=group,dc=openam,dc=forgerock,dc=org"
       ],
       "dn": [
         "cn=newGroup,ou=groups,dc=openam,dc=forgerock,dc=org"
       ],
       "cn": [
         "newGroup"
       ],
       "objectclass": [
         "top",
         "groupofuniquenames"
       ]
     }

  4. Add your admin user to this new group, ensuring you use the appropriate attribute for your identity repository. For example, if you use DS, you would specify the user using the uniqueMember attribute:

     $ curl -X PUT -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: protocol=1.0,resource=1.0" -d '{
       "uniquemember": [
         "uid=newAdmin,ou=user,dc=openam,dc=forgerock,dc=org"
       ]
     }' http://host1.example.com:8080/openam/json/realms/root/groups/newGroup

     Example response:

     {
       "username": "newGroup",
       "realm": "/",
       "universalid": [
         "id=newGroup,ou=group,dc=openam,dc=forgerock,dc=org"
       ],
       "dn": [
         "cn=newGroup,ou=groups,dc=openam,dc=forgerock,dc=org"
       ],
       "uniqueMember": [
         "uid=newAdmin,ou=user,dc=openam,dc=forgerock,dc=org"
       ],
       "cn": [
         "newGroup"
       ],
       "objectclass": [
         "top",
         "groupofuniquenames"
       ]
     }

  5. Retrieve details for the new group to obtain a list of possible privileges and the current settings. For example:

     $ curl -X GET -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" http://host1.example.com:8080/openam/json/realms/root/groups/newGroup

     Example response:

     {
       "_id": "newGroup",
       "_rev": "493767983",
       "username": "newGroup",
       "realm": "/",
       "universalid": [
         "id=newGroup,ou=group,dc=openam,dc=forgerock,dc=org"
       ],
       "members": {
         "uniqueMember": [
           "newAdmin"
         ]
       }
       ...
       "privileges": {
         "RealmAdmin": false,
         "LogAdmin": false,
         "LogRead": false,
         "LogWrite": false,
         "AgentAdmin": false,
         "FederationAdmin": false,
         "RealmReadAccess": false,
         "PolicyAdmin": false,
         "EntitlementRestAccess": false,
         "PrivilegeRestReadAccess": false,
         "PrivilegeRestAccess": false,
         "ApplicationReadAccess": false,
         "ApplicationModifyAccess": false,
         "ResourceTypeReadAccess": false,
         "ResourceTypeModifyAccess": false,
         "ApplicationTypesReadAccess": false,
         "ConditionTypesReadAccess": false,
         "SubjectTypesReadAccess": false,
         "DecisionCombinersReadAccess": false,
         "SubjectAttributesReadAccess": false,
         "SessionPropertyModifyAccess": false
       }
     }

  6. Give this group the required privileges. Use the output from step 5 as the data option, but remove the _rev, objectclass and dn attributes, and set the required privileges to true. For example (with "RealmAdmin": true):

     $ curl -X PUT -H "iPlanetDirectoryPro: AQIC5wM2LY4Sfcxs...EwNDU2NjE0*" -H "Content-Type: application/json" -H "Accept-API-Version: protocol=2.0,resource=4.0" -d '{
       "_id": "newGroup",
       "username": "newGroup",
       "realm": "/",
       "universalid": [
         "id=newGroup,ou=group,dc=openam,dc=forgerock,dc=org"
       ],
       "members": {
         "uniqueMember": [
           "newAdmin"
         ]
       },
       "cn": [
         "newGroup"
       ],
       "privileges": {
         "RealmAdmin": true,
         "LogAdmin": false,
         "LogRead": false,
         "LogWrite": false,
         "AgentAdmin": false,
         "FederationAdmin": false,
         "RealmReadAccess": false,
         "PolicyAdmin": false,
         "EntitlementRestAccess": false,
         "PrivilegeRestReadAccess": false,
         "PrivilegeRestAccess": false,
         "ApplicationReadAccess": false,
         "ApplicationModifyAccess": false,
         "ResourceTypeReadAccess": false,
         "ResourceTypeModifyAccess": false,
         "ApplicationTypesReadAccess": false,
         "ConditionTypesReadAccess": false,
         "SubjectTypesReadAccess": false,
         "DecisionCombinersReadAccess": false,
         "SubjectAttributesReadAccess": false,
         "SessionPropertyModifyAccess": false
       }
     }' http://host1.example.com:8080/openam/json/realms/root/groups/newGroup

     The response returned is the same as in step 5 but with the updated privileges.
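Steps 5 and 6 above are easy to get wrong by hand (forgetting to strip _rev, objectclass or dn, or accidentally leaving an unrelated privilege enabled). The following Python is an added example, not part of the original article or the AM product: it turns a GET response into the PUT body exactly as step 6 describes, refuses privilege names the server did not offer, and checks the result. The SAMPLE_GROUP data is constructed to match the shape of the step 5 response; base_url, cookie_name and the helper names are assumptions.

```python
import json
import urllib.request

# Constructed sample in the shape of the step 5 GET /groups/newGroup response
# (trimmed); not output captured from a real AM server.
SAMPLE_GROUP = {
    "_id": "newGroup", "_rev": "493767983", "username": "newGroup",
    "realm": "/", "dn": ["cn=newGroup,ou=groups,dc=openam,dc=forgerock,dc=org"],
    "objectclass": ["top", "groupofuniquenames"],
    "members": {"uniqueMember": ["newAdmin"]},
    "privileges": {"RealmAdmin": False, "LogAdmin": False, "RealmReadAccess": False},
}

# Attributes step 6 says must not be sent back on PUT.
READ_ONLY_ATTRS = ("_rev", "objectclass", "dn")

def build_privilege_update(group, enable):
    """Build the PUT body from a GET response: drop the read-only attributes,
    set only the requested privileges to true and leave every other privilege
    as the server reported it. The input dict is not modified."""
    body = {k: v for k, v in group.items() if k not in READ_ONLY_ATTRS}
    privileges = dict(group.get("privileges", {}))
    unknown = sorted(set(enable) - set(privileges))
    if unknown:  # a typo here would silently grant nothing, so fail loudly
        raise ValueError(f"privileges not offered by this AM server: {unknown}")
    for name in enable:
        privileges[name] = True
    body["privileges"] = privileges
    return body

def missing_privileges(response, expected):
    """Names from expected that are not true in a group document."""
    p = response.get("privileges", {})
    return sorted(n for n in expected if p.get(n) is not True)

def set_group_privileges(base_url, cookie_name, token, group_id, enable):
    """Live version of steps 5 and 6 (hypothetical helper): GET the group,
    PUT it back with the privileges enabled, return what is still missing.
    base_url is e.g. http://host1.example.com:8080/openam/json/realms/root and
    cookie_name is your session cookie name (iPlanetDirectoryPro by default)."""
    headers = {cookie_name: token, "Content-Type": "application/json"}
    url = f"{base_url}/groups/{group_id}"
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        current = json.load(r)
    body = json.dumps(build_privilege_update(current, enable)).encode()
    put_headers = dict(headers, **{"Accept-API-Version": "protocol=2.0,resource=4.0"})
    req = urllib.request.Request(url, data=body, headers=put_headers, method="PUT")
    with urllib.request.urlopen(req) as r:
        return missing_privileges(json.load(r), enable)
```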

The new admin user now has access according to the privileges assigned to them. If you gave them full read and write access, they have full read and write access to the console and can also create, read, update and delete users via the REST API using curl commands such as the ones detailed in Setup Guide › Identity Management.

You should ensure that the corresponding user account on the directory server has sufficient privileges. If you're using DS, see Security Guide › Administrative Privileges for further information.

Creating an admin user (ssoadm)

For full read and write access (including via the REST API) you should use RealmAdmin for the [privilegename] in step 4. Delegated administrators with the RealmAdmin privilege can also access full console functionality within the realms they can administer. In addition, delegated administrators in the top level realm who have this privilege can access the global configuration.

See Security Guide › Delegating Privileges for further information on the different privileges available and the equivalent privilege name for use with the ssoadm add-privileges command.

You can create an admin user as follows:

  1. Create the user who you want to make the admin user if they do not already exist by entering the following command:

     $ ./ssoadm create-identity -e [realmname] -u [adminID] -f [passwordfile] -i [username] -t User -a userpassword=[userpassword]

     replacing [realmname], [adminID], [passwordfile], [username] and [userpassword] with appropriate values. The userpassword attribute is appropriate if you are using DS for your identity repository (user store); if you are using a different directory server, you will need to use the relevant attribute for the user password.
  2. Create a new group to represent this type of admin user by entering the following command:

     $ ./ssoadm create-identity -e [realmname] -u [adminID] -f [passwordfile] -i [groupname] -t Group

     replacing [realmname], [adminID], [passwordfile] and [groupname] with appropriate values.
  3. Add your admin user to this new group by entering the following command:

     $ ./ssoadm add-member -e [realmname] -u [adminID] -f [passwordfile] -i [groupname] -t Group -m [username] -y User

     replacing [realmname], [adminID], [passwordfile], [groupname] and [username] with appropriate values.
  4. Give this group the required privileges by entering the following command:

     $ ./ssoadm add-privileges -e [realmname] -u [adminID] -f [passwordfile] -i [groupname] -t Group -g [privilegename]

     replacing [realmname], [adminID], [passwordfile], [groupname] and [privilegename] with appropriate values.

The new admin user now has access according to the privileges assigned to them. If you gave them full read and write access, they have full read and write access to the console and can also create, read, update and delete users via the REST API using curl commands such as the ones detailed in Setup Guide › Identity Management.

You should ensure that the corresponding user account on the directory server has sufficient privileges. If you're using DS, see Security Guide › Administrative Privileges for further information.

See Also

How do I understand what privileges apply to amAdmin and delegated administrators in AM (All versions)?

FAQ: Users in AM

Administrator and user accounts in AM

Security Guide › Delegating Privileges

Setup Guide › Identity Management

Related Training

ForgeRock Access Management Core Concepts (AM-400)

Related Issue Tracker IDs

OPENAM-13339 (Custom Admin can't view SAML or configuration tab)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.