SecurID® Discussions

StephenKramper
Beginner

Software Token Distribution Permissions

What are the minimum administrator permissions required to allow an account to assign and distribute software tokens?


Accepted Solutions
EdwardDavis
Employee

The best way to determine what works best is:

 

a) assign some of the 'canned roles' to a testadmin user: 

(Token Distributor and Auth Mgr Token Administrator are the two I worked with)

 

b) Log in as that test admin user, and view 'My Permissions' at the top right

 

c) Now by seeing what the canned roles contain, you can build a new empty role, and just check off what you need to allow, or remove items you do not want that the canned roles might have had. Or just use the canned roles themselves.

 

**adding VIEW permissions is the major gotcha for some roles that don't seem to work correctly.

Might need to be able to view items on a page even if you don't need to manage that particular item in this role.

 

-------------------------------------------------------------------------------------------------------------

This is a 'good generic list' that should allow you to do what you asked:

 

SecurID Tokens View
SecurID Tokens: Assign Tokens Yes
SecurID Tokens: Distribute Software Tokens Yes
SecurID Tokens: Enable/Disable Tokens Yes
SecurID Tokens: Manage Token Offline Emergency Access Yes
SecurID Tokens: Manage Token Online Emergency Access Yes
SecurID Tokens: Replace Tokens Yes
SecurID Tokens: Reset RSA SecurID PINs Yes
SecurID Tokens: Resynchronize Tokens Yes
Security Domains View
Token Extension Attribute Definitions View

 

Manage Users View
Self-Service Requests - Distribute Yes
Self-Service Requests - View Yes

3 Replies
When I set SecurID Tokens to View, I do not have access to check the box to Distribute Software Tokens.   

Minimum is [edit tokens] to allow that checkbox.