Insufficient permissions when users try to update their profile


Kacie Stevens

Sep 12, 2023, 7:56:53 PM
to pwm-general
Hi, I am getting the following error when users try to update their profile.  

An LDAP data error has occurred. { 5079 ERROR_LDAP_DATA_ERROR (error setting 'mail' attribute on user CN=xxxx xxxxx,CN=Users,DC=starshipfrontier,DC=org, error: javax.naming.NoPermissionException: [LDAP: error code 50 - 00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
]) }

Domain Admins can edit and update their profile just fine. What access do I need to set or change so that users can update their own profile?

Jason Rivard

Sep 12, 2023, 11:19:20 PM
to pwm-general
You can go to PWM's config manager page and click LDAP Permissions to get a report on what permissions are required based on your specific configuration.

Kacie Stevens

Sep 12, 2023, 11:26:56 PM
to pwm-general
Here is what the report shows:

This report shows recommended LDAP permission requirements for the current configuration. Depending on your LDAP directory type, these may be referred to as permissions, rights, or ACLs (Access Control List).

These recommendations should be applied with caution and with an understanding of the security model of your specific LDAP directory environment. The suggested permissions may not necessarily be appropriate for your environment. The access levels read and write are generalizations. Your LDAP directory may use different permission types.

There may be additional permissions required that do not appear on this report. For example, permissions required to resolve macro expressions are not included.

Attribute Permissions

Proxy User ⇨ All

Permissions required by the LDAP proxy user (defined by the setting LDAP ⇨ LDAP Directories ⇨ [profile] ⇨ Connection ⇨ LDAP Proxy User). The proxy user will require these attribute permissions for any user entry that authenticates to PWM.

| Attribute Name | Access | Associated Configuration Setting |
| --- | --- | --- |
| [User Password] | write | Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Enable Forgotten Password |
| cn | read | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ LDAP Naming Attribute; Policies ⇨ Password Policies ⇨ default ⇨ Disallowed Attributes |
| givenName | read | Policies ⇨ Password Policies ⇨ default ⇨ Disallowed Attributes |
| mail | read | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ User Email Attribute; Modules ⇨ Public ⇨ Forgotten User Name ⇨ Forgotten User Name Form |
| memberOf | read | Modules ⇨ Authenticated ⇨ Administration ⇨ Administrator Permission; Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Profile Match; Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ default ⇨ Update Profile Match |
| pwmData | write | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ Application Data Attribute |
| pwmEventLog | write | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ User History LDAP Attribute |
| pwmOtpSecret | read | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ OTP Secret LDAP Attribute |
| pwmOtpSecret | write | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ OTP Secret LDAP Attribute |
| sAMAccountName | read | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ Attribute to use for User Name; Modules ⇨ Public ⇨ Forgotten Password ⇨ Settings ⇨ Forgotten Password User Search Form; Modules ⇨ Public ⇨ User Activation ⇨ Settings ⇨ Activate User Form |
| sn | read | Modules ⇨ Public ⇨ Forgotten User Name ⇨ Forgotten User Name Form; Policies ⇨ Password Policies ⇨ default ⇨ Disallowed Attributes |

Self ⇨ Self

Permissions required by logged in users. Each logged in user should have these permissions against their own LDAP entry for these attributes.

| Attribute Name | Access | Associated Configuration Setting |
| --- | --- | --- |
| City | write | Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ default ⇨ Update Profile Form |
| Zip | write | Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ default ⇨ Update Profile Form |
| [User Password] | write | n/a |
| mail | write | Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ default ⇨ Update Profile Form |
| pwmOtpSecret | write | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ OTP Secret LDAP Attribute |
| state | write | Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ default ⇨ Update Profile Form |
| street | write | Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ default ⇨ Update Profile Form |
| telephoneNumber | write | Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ default ⇨ Update Profile Form |
| title | write | Modules ⇨ Authenticated ⇨ Update Profile ⇨ Update Profile Profiles ⇨ default ⇨ Update Profile Form |

Self ⇨ Others

Permissions required by the logged in user to other users, as appropriate.

| Attribute Name | Access | Associated Configuration Setting |
| --- | --- | --- |
| assistant | read | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ Organizational Assistant Attribute; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| businessCategory | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| company | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| directReports | read | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ Organizational Chart Child Attribute; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| employeeStatus | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| employeeType | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| fullName | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| givenName | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Result Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ Search Attributes |
| l | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| mail | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Result Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ Search Attributes |
| manager | read | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ Organizational Chart Parent Attribute; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| memberOf | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Permitted Users |
| ou | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| photo | read | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ LDAP Photo Attribute |
| physicalDeliveryOfficeName | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| sn | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Result Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ Search Attributes |
| st | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| street | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes |
| telephoneNumber | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Result Attributes |
| title | read | Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Detail Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ People Search Profiles ⇨ default ⇨ Search Result Attributes; Modules ⇨ Authenticated ⇨ People Search ⇨ Search Attributes |
| workforceID | read | LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ Organizational Chart Workforce ID Attribute |

Help Desk Operator ⇨ Others

Permissions required by logged in user while using the Help Desk module. The logged in user should have these attribute permissions to the LDAP entries of the users being administered via the Help Desk module. This is typically done using an LDAP group or permission-role object to assign permissions.

| Attribute Name | Access | Associated Configuration Setting |
| --- | --- | --- |
| [User Password] | write | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Settings ⇨ Enable Help Desk Module |
| businessCategory | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| cn | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| company | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| employeeStatus | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| employeeType | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| fullName | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| givenName | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form; Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Search Attributes; Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Search Results |
| initials | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| l | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| mail | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form; Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Search Attributes; Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Search Results |
| ou | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| physicalDeliveryOfficeName | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| postalCode | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Verification ⇨ Verification Attributes |
| preferredName | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| sAMAccountName | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Search Attributes; Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Search Results |
| sn | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form; Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Search Attributes; Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Search Results |
| st | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| street | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| telephoneNumber | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| title | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| uid | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |
| userPrincipalName | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Search Attributes; Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Search Results |
| workforceID | read | Modules ⇨ Authenticated ⇨ Help Desk ⇨ Profiles ⇨ default ⇨ Details ⇨ Help Desk Detail Form |

What permissions in Active Directory do the standard users need to be able to update their own profile via pwm?

Jason Rivard

Sep 12, 2023, 11:36:35 PM
to pwm-general
I'm sorry there isn't a generic answer to your question.  You will need to read through the report, taking in mind the section for profile updates, and apply that to your AD environment.  If you are not familiar with the AD permission model you will need to spend some time learning about it and should possibly consult an expert.  Mis-configuring AD permissions can cause serious security issues.
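
One way to compare the report's "Self ⇨ Self" section with what Active Directory currently grants, added here as an example and not posted by anyone in the thread: a read-only PowerShell check of which listed attributes the SELF principal may write on one user entry. It assumes the RSAT ActiveDirectory module; `$UserDn` is a placeholder, and the check does not evaluate Deny ACEs or rights the user holds through group membership.

```powershell
# Added example, not from the thread. Read-only: changes nothing in the directory.
# Assumes the RSAT ActiveDirectory module; $UserDn is a placeholder test account.
Import-Module ActiveDirectory

$UserDn     = 'CN=Test User,CN=Users,DC=example,DC=org'
# Names exactly as the report's "Self ⇨ Self" table lists them for the Update Profile Form
$Attributes = 'City', 'Zip', 'mail', 'state', 'street', 'telephoneNumber', 'title'

$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$selfSid     = 'S-1-5-10'   # well-known SID of the SELF principal
$writeProp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Allow ACEs for SELF that include WriteProperty and apply to this object itself
$selfAces = @((Get-Acl -Path "AD:\$UserDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
    (($_.PropagationFlags -band $inheritOnly) -ne $inheritOnly) -and
    ($_.IdentityReference.Translate($sidType).Value -eq $selfSid)
})

$result = foreach ($name in $Attributes) {
    # Look the name up in the schema: an ACE refers to an attribute by its
    # schemaIDGUID, or to the property set it belongs to (attributeSecurityGUID).
    $schemaObj = Get-ADObject -SearchBase $schemaNc `
                              -LDAPFilter "(lDAPDisplayName=$name)" `
                              -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $schemaObj) {
        # The form's field name is not an attribute in this directory's schema
        [pscustomobject]@{ Attribute = $name; InSchema = $false
                           SelfCanWrite = $false; GrantedVia = '' }
        continue
    }

    $attrGuid = [guid]$schemaObj.schemaIDGUID
    $setGuid  = if ($schemaObj.attributeSecurityGUID) {
                    [guid]$schemaObj.attributeSecurityGUID
                } else { $null }

    $via = foreach ($ace in $selfAces) {
        if     ($ace.ObjectType -eq [guid]::Empty)          { 'all properties' }
        elseif ($ace.ObjectType -eq $attrGuid)              { 'attribute ACE' }
        elseif ($setGuid -and $ace.ObjectType -eq $setGuid) { 'property set ACE' }
    }

    [pscustomobject]@{
        Attribute    = $name
        InSchema     = $true
        SelfCanWrite = [bool]$via
        GrantedVia   = ($via | Select-Object -Unique) -join ', '
    }
}

$result | Format-Table -AutoSize
```

A row with `SelfCanWrite = False` marks an attribute where a self-service write would be refused, which is the condition the `INSUFF_ACCESS_RIGHTS` error in the first post reports for `mail`; a row with `InSchema = False` marks a form field name that does not correspond to an attribute in the directory.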