I was setting up an iManager role, and noticed during member association
that there was a "rights advisory" warning, that the role had supervisory
rights.

It's the role for checking PWSynch Status across IDM Drivers. (Not sure I
have the name exactly right, but accurate enough for the question.)

I have discovered that the occupants of the role (whether directly assigned
a "member association" or as members of a group that is assigned as a
member) receive full administrator privileges to the tree via ConsoleOne.
This is too big a hole to ignore. I guess that's why there is a warning.

Surely a set of rights can be tailored to allow read-only access to the
password synch status without having to grant full supervisory rights to the
tree (or even to the root container the role is associated with)...

Right?

So the question: What are the attributes that a person must be able to see,
and across what container scope, in order to be able to view the
PasswordSyncStatus? I want to tailor the rights being granted to this role
to eliminate the security risk.

Grateful for any advice/assistance in identifying the required set of
attributes,

Rob.