Just a short note on an easy way to keep users from editing their own OpenAM profile should they go directly into the console.
Basically the trick here is to set the “any” parameter in the iPlanetAMUserService schema to “adminDisplay” for every attribute you want to prevent users from changing. This not only prevents them from editing the field, but actually removes the field from the profile page. Since we have separate apps for user self-service and administration, I’ve gone and set all of the fields this way except for the password-change-related ones.
Look at my previous article on Custom attributes and OpenAM headers for how to change the service schema.
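An added example, not code from the original post or from OpenAM: a Python script that applies the change described above to a service schema XML and then audits which attributes users can still see. The sample XML, the `display` token it replaces, the pipe-separated form of `any`, and the `KEEP_EDITABLE` allow-list are assumptions; check them against your own exported schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a service schema export. Attribute names, the
# "display" token and the pipe-separated "any" values are assumptions.
SAMPLE = """<Service name="iPlanetAMUserService" version="1.0">
  <Schema>
    <User>
      <AttributeSchema name="givenname" type="single" syntax="string" any="display"/>
      <AttributeSchema name="mail" type="single" syntax="string" any="required|display"/>
      <AttributeSchema name="telephonenumber" type="single" syntax="string" any="adminDisplay"/>
      <AttributeSchema name="userpassword" type="single" syntax="password" any="display"/>
      <AttributeSchema name="internal-flag" type="single" syntax="string"/>
    </User>
  </Schema>
</Service>"""

KEEP_EDITABLE = {"userpassword"}  # hypothetical allow-list of password fields


def lock_down(xml_text, keep=KEEP_EDITABLE):
    """Return (new_xml, changed_names) with 'display' swapped for 'adminDisplay'."""
    root = ET.fromstring(xml_text)
    changed = []
    for attr in root.iter("AttributeSchema"):
        name = attr.get("name")
        tokens = (attr.get("any") or "").split("|")
        if name in keep or "display" not in tokens:
            continue  # allow-listed, already admin-only, or never shown
        new_any = "|".join("adminDisplay" if t == "display" else t for t in tokens)
        attr.set("any", new_any)
        changed.append(name)
    return ET.tostring(root, encoding="unicode"), changed


def user_editable(xml_text):
    """Audit: names of attributes still carrying the user-facing 'display' token."""
    root = ET.fromstring(xml_text)
    return [a.get("name") for a in root.iter("AttributeSchema")
            if "display" in (a.get("any") or "").split("|")]


if __name__ == "__main__":
    new_xml, changed = lock_down(SAMPLE)
    print("changed:", changed)
    print("still user-editable:", user_editable(new_xml))
```

Running `user_editable` on the schema after each change gives a quick regression check that only the password fields remain on the user's profile page.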