If you want to create policy agent profiles when installing policy agents, then you need the credentials of an OpenAM user who can read and write agent profiles.
You can use the OpenAM administrator account when creating policy agent profiles. If, however, you delegate policy agent installation, then you might not want to share OpenAM administrator credentials with everyone who installs policy agents.
Follow these steps to create agent administrator users for a realm.
- In OpenAM console, browse to Access Control > Realm Name > Subjects.
- Under Group click New... and create a group for agent administrators.
- Switch to the Privileges tab for the realm, and click the name of the group you created.
- Select "Read and write access to all configured Agents," and then Save your work.
- Return to the Subjects tab, and under User create as many agent administrator users as needed.
- For each agent administrator user, edit the user profile.
  Under the Group tab of the user profile, add the user to the agent profile administrator group, and then Save your work.
- Provide each system administrator who installs policy agents with their agent administrator credentials.
  When installing the policy agent with the --custom-install option, the system administrator can choose the option to create the profile during installation, and then provide the agent administrator user name and the path to a read-only file containing the agent administrator password.
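The last step relies on a read-only password file. The following sketch is an added example, not part of the OpenAM documentation: it creates such a file so that it is never readable by other accounts, and checks an existing file before its path is handed to the installer. The function names are hypothetical, and it assumes the password is stored as a single line.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not OpenAM tooling.

# write_agent_pwfile PATH
# Reads one line (the password) from stdin and stores it in a new file
# that only its owner can read (mode 0400).
write_agent_pwfile() {
    pwfile=$1
    if [ -e "$pwfile" ] || [ -L "$pwfile" ]; then
        echo "refusing to overwrite $pwfile" >&2
        return 1
    fi
    (
        umask 077                        # never group/world readable, even briefly
        IFS= read -r pw || [ -n "$pw" ] || exit 1
        printf '%s\n' "$pw" > "$pwfile"  # printf is a builtin: no secret in argv
    ) || return 1
    chmod 400 "$pwfile"                  # read-only for the owner
}

# check_agent_pwfile PATH
# Succeeds only if PATH is a non-empty regular file (not a symlink),
# owned by the current user, with mode exactly 0400.
check_agent_pwfile() {
    pwfile=$1
    if [ -L "$pwfile" ] || [ ! -f "$pwfile" ]; then
        echo "$pwfile: not a regular file" >&2; return 1
    fi
    if [ ! -O "$pwfile" ]; then
        echo "$pwfile: not owned by the current user" >&2; return 1
    fi
    mode=$(ls -ld "$pwfile" | cut -c1-10)
    if [ "$mode" != "-r--------" ]; then
        echo "$pwfile: mode is $mode, expected -r--------" >&2; return 1
    fi
    if [ ! -s "$pwfile" ]; then
        echo "$pwfile: file is empty" >&2; return 1
    fi
    return 0
}
```

Pipe the password in from a prompt or a secrets manager rather than typing it as a command argument, and delete the file once the agent installation has finished.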

