Limit user account management to the User Manager role
By default, both the Administrator role and the User Manager role have privileges to create and manage DPA user accounts. To enforce a strict separation of duties, you can remove user account management privileges from the Administrator role. Only users with the User Manager role will be able to manage user accounts.
Open the following file in a text editor:
Set the strictSeparationOfDuties property to true.
Save the file and restart DPA.
Assign the User Manager role to one or more DPA user accounts.
When the strictSeparationOfDuties property is set to true and at least one DPA user is assigned the User Manager role, the Administrator role does not have privileges to create and manage user accounts.
After you complete this procedure, Administrator role privileges vary depending on whether the User Manager role is assigned. This ensures that at least one DPA user has account management privileges:
If any DPA user is assigned the User Manager role, then the Administrator role does not have privileges to create and manage user accounts.
If the User Manager role is not assigned to any user, then the Administrator role does have user account management privileges.
The Repository Owner always retains user account management privileges, regardless of whether the User Manager role is assigned.
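The rules above mean that setting the property alone does not enforce separation of duties: if no user holds the User Manager role, Administrators keep account management privileges. The following added example (not DPA code, and not from the original page) models those rules so a user list can be checked for that case. The user-list format, the function names, and the treatment of Repository Owner as a role label are assumptions made for illustration.

```python
# Added example: models the privilege rules stated on this page. Not DPA code.
# Role names are taken from the page; the {user: roles} format is an assumption.
ADMIN = "Administrator"
USER_MANAGER = "User Manager"
REPO_OWNER = "Repository Owner"  # assumption: modeled here as a role label


def user_manager_assigned(users):
    """True if at least one user holds the User Manager role."""
    return any(USER_MANAGER in roles for roles in users.values())


def account_managers(strict, users):
    """Return the set of users who can create and manage user accounts.

    strict -- value of the strictSeparationOfDuties property
    users  -- dict mapping user name to a set of role names
    """
    # Administrators lose the privilege only when the property is true
    # AND the User Manager role is assigned to at least one user.
    admins_can_manage = not (strict and user_manager_assigned(users))
    allowed = set()
    for name, roles in users.items():
        if REPO_OWNER in roles or USER_MANAGER in roles:
            allowed.add(name)
        elif ADMIN in roles and admins_can_manage:
            allowed.add(name)
    return allowed


def audit(strict, users):
    """Return findings explaining why separation of duties is not in effect."""
    if not strict:
        return ["strictSeparationOfDuties is not true: Administrators "
                "manage user accounts (default behavior)"]
    if not user_manager_assigned(users):
        return ["property is true but no user has the User Manager role: "
                "Administrators still manage user accounts"]
    return []


# Constructed sample data, not taken from a real DPA installation.
USERS = {
    "owner": {REPO_OWNER},
    "alice": {ADMIN},
    "bob": {USER_MANAGER},
    "carol": set(),
}
```

An empty result from `audit` means Administrators cannot manage accounts; the Repository Owner still appears in `account_managers` in every case.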