Required Permissions for Delta Aggregation
You must give the service account both of the following additional permissions to support delta aggregation.
To provide the additional permissions, complete the following:
- To provide the Replicating Directory Changes permission to the service account:
  - In the Active Directory Users and Computers browser, open the View menu and select the Advanced Features checkbox.
  - Right-click the domain node, select Properties, and then open the Security tab.
  - Add the service account user to the list of security principals.
  - Select the user and select the Allow checkbox for the Replicating Directory Changes permission.
- To provide Read permission on the Deleted Objects container to the service account:
  - Log on to any domain controller in the target domain with a user account that is a member of the Domain Administrators group.
  - Open a command prompt and enter the following command:
    dsacls "Deleted objects container DN" /takeownership
    In the above command, "Deleted objects container DN" is the distinguished name of the Deleted Objects container. For example:
    dsacls "CN=Deleted Objects,DC=SailPoint,DC=Com" /takeownership
  - Press the Enter key.
  - To grant Read permission on the objects in the Deleted Objects container to a user, enter the following command:
    dsacls "Deleted objects container DN" /G domainName\userName:LCRP
    In the above command, LCRP stands for the List Contents and Read Property permissions. For example:
    dsacls "CN=Deleted Objects,DC=SailPoint,DC=Com" /G SailPoint\John:LCRP
  - Press the Enter key.
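The two grants above are easy to get subtly wrong (wrong node, Deny instead of Allow, ownership not taken first), and Replicating Directory Changes is a right worth auditing on its own. The following PowerShell script is an added example, not part of the SailPoint documentation: it verifies that the service account holds both rights and lists every principal that has Replicating Directory Changes on the domain root. The account name SAILPOINT\svc-iiq is an assumption; the script requires the ActiveDirectory module (RSAT) and should be run as a domain administrator on a domain-joined host.

```powershell
# Added example (not SailPoint's code): audit the two rights delta aggregation needs.
Import-Module ActiveDirectory

$ServiceAccount = 'SAILPOINT\svc-iiq'     # assumed; replace with the real service account
$Domain    = Get-ADDomain
$RootDN    = $Domain.DistinguishedName
$DeletedDN = $Domain.DeletedObjectsContainer   # e.g. CN=Deleted Objects,DC=SailPoint,DC=Com

# Control-access-right GUID for "Replicating Directory Changes" (DS-Replication-Get-Changes).
# The procedure above asks only for this right, so the "...All" variant is not checked.
$ReplGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Resolve-Sid([string]$Account) {
    # Returns $null for references that cannot be translated (e.g. orphaned SIDs).
    try {
        (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch { $null }
}
$svcSid = Resolve-Sid $ServiceAccount
if (-not $svcSid) { throw "Cannot resolve $ServiceAccount" }

# 1. Replicating Directory Changes on the domain root: list all holders, then check ours.
$rootAcl = Get-Acl -Path "AD:\$RootDN"
$replHolders = $rootAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $ReplGetChanges
}
"Principals with Replicating Directory Changes on ${RootDN}:"
$replHolders | ForEach-Object { '  ' + $_.IdentityReference.Value }

$svcHasRepl = [bool]($replHolders | Where-Object {
    (Resolve-Sid $_.IdentityReference.Value) -eq $svcSid })

# 2. List Contents + Read Property (what dsacls :LCRP grants) on the Deleted Objects container.
#    Reading this ACL can fail until ownership has been taken, as in the /takeownership step.
$needed = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty'
$svcHasLcrp = $false
try {
    $delAcl = Get-Acl -Path "AD:\$DeletedDN"
    $svcHasLcrp = [bool]($delAcl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (Resolve-Sid $_.IdentityReference.Value) -eq $svcSid -and
        (($_.ActiveDirectoryRights -band $needed) -eq $needed)
    })
} catch {
    Write-Warning "Could not read the ACL of ${DeletedDN}: $($_.Exception.Message)"
}

[PSCustomObject]@{
    ServiceAccount                = $ServiceAccount
    ReplicatingDirectoryChanges   = $svcHasRepl
    ReadOnDeletedObjectsContainer = $svcHasLcrp
}
```

The check matches ACEs granted directly to the account; a right inherited through group membership will not show as held by the account itself, so compare the holder list against the groups the service account belongs to. Because Replicating Directory Changes allows reading directory data from any domain controller, the holder list is also a useful periodic control: anything beyond the built-in principals and the intended service account deserves a second look.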