I want to expose the Password Sync Status portlet to our helpdesk, so
that they can check the status for other users. The doc sort of covers
setting this up:

The members of a group called PasswordManagement are also automatically
allowed to view the password synchronization status of other users. This
group does not exist by default. If you choose to create this group, it
must be:

* Named PasswordManagement.
* Given privileges to the Identity Vault. The group must have rights
to read the user's eDirectory object attribute for users
whose password synchronization status they need to view.

I'm not thrilled with the hardcoded group name here, but I can work with
it. It would be better if I could specify the group name. But what I
need to know is what rights this group requires. The doc says "read the
user's eDirectory object attribute" which is nonsensical.

I tried to post this as a comment on the documentation page, but it
doesn't show up there so I don't know if somebody has to read and
approve the comment first or where my comment went.

