The most common directory you will create in Access Manager is the Primary directory. This is the standard user database that users will be taken from. If you wish to create directories for elevated users who will manage user accounts, or even Access Manager itself, you must create either a Helpdesk or an Administration directory.
Helpdesk Directories provide elevated permissions for users from the directory. After logging in to their account they will be able to access the administrator interface, with access to the administrator dashboard, identities page, and events page. This allows them to locate user accounts for unlocking or password reset.
Administration Directories provide full administration rights for Access Manager to the users in the directory.
To create a Helpdesk or Administration directory:
1. From the Directories page select the "Add New Connector" option.
2. Select the directory to be used from the list or manually create it.
3. On the Directory Configuration page set the usage option to Helpdesk or Administration.
If you are using Active Directory you should try to narrow down the active area. For example, if only one OU holds all the users, try setting that as the Base DN. Otherwise use the DN and Group filters to restrict the directory to only those users that should have elevated rights. SSH, Linux, and Solaris directories can also do this by changing the Minimum and Maximum UID settings to limit the range of user accounts.
4. Complete the directory configuration.
With the new directory created, your elevated users will be able to log in with either their Helpdesk/Administrator account or their Primary account. To reduce any potential confusion you can filter out the duplicate user accounts in the Primary directory and have these users only access the system through their Helpdesk/Administrator accounts.
1. Go to Primary directory configuration and open the Filters tab.
2. In the DN and Group filters remove the users that were added to the Helpdesk/Administration directory. The simplest method is to duplicate the filters and use the opposite filter: anything that was included for the Helpdesk/Administration directory should be added to the excluded filters, and vice versa.
3. Save the configuration and synchronise the directory.
With this additional change the system will continue to accept unique names across all directories without the need for users to specify their directory at login.
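An offline check of the filter swap in the steps above, as an added example rather than Access Manager's own code. The sample accounts, the `HELPDESK` filter set and the matching rules (DN suffix match, group-name match, exclude wins over include) are assumptions made for illustration; confirm how your version evaluates filters before relying on the result.

```python
# Added example: model of include/exclude filters, not Access Manager code.
# Constructed sample accounts as (DN, groups); example.com names are made up.
USERS = [
    ("CN=Alice,OU=Staff,DC=example,DC=com", {"Domain Users"}),
    ("CN=Bob,OU=Staff,DC=example,DC=com", {"Domain Users", "Helpdesk Operators"}),
    ("CN=Carol,OU=IT Admins,DC=example,DC=com", {"Domain Users"}),
    ("CN=Dave,OU=Staff,DC=example,DC=com", {"Domain Users"}),
]
# Hypothetical Helpdesk directory filters: one OU plus one group.
HELPDESK = {"include_dn": ["OU=IT Admins,DC=example,DC=com"],
            "include_group": ["Helpdesk Operators"],
            "exclude_dn": [], "exclude_group": []}
NO_FILTERS = {"include_dn": [], "include_group": [],
              "exclude_dn": [], "exclude_group": []}

def under(dn, base):
    """True if dn is at or below base (case-insensitive DN suffix match)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def matches(user, dns, groups):
    dn, member_of = user
    return any(under(dn, b) for b in dns) or bool(member_of & set(groups))

def selected(users, f):
    """Assumed semantics: no include filters means everyone; exclude wins."""
    open_include = not (f["include_dn"] or f["include_group"])
    return {u[0] for u in users
            if (open_include or matches(u, f["include_dn"], f["include_group"]))
            and not matches(u, f["exclude_dn"], f["exclude_group"])}

def mirror(f):
    """Swap include and exclude lists, as step 2 above describes."""
    return {"include_dn": f["exclude_dn"], "include_group": f["exclude_group"],
            "exclude_dn": f["include_dn"], "exclude_group": f["include_group"]}

def audit(users, elevated_f, primary_f):
    """Report accounts in both directories and accounts in neither."""
    elevated, primary = selected(users, elevated_f), selected(users, primary_f)
    everyone = {u[0] for u in users}
    return {"elevated": sorted(elevated),
            "duplicates": sorted(elevated & primary),
            "orphans": sorted(everyone - elevated - primary)}

if __name__ == "__main__":
    print("before:", audit(USERS, HELPDESK, NO_FILTERS))
    print("after: ", audit(USERS, HELPDESK, mirror(HELPDESK)))
```

Review the `elevated` list as well as the duplicates: every DN in it receives Helpdesk or Administration rights once the directory is synchronised.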