Wednesday, July 9, 2014

MBean operation access denied. MBean: com.oracle.igf:type=Xml,name=IDSConfig Operation: listAllIdentityDirectoryService() Detail: Access denied. Required roles: Admin, Operator, Monitor, executing subject: principals=[weblogic, oimAdminGroup, OAMSystemAdminGroup]

Environment:
RHEL 5u6 x64
OAM 11gR2
OUD 11gR2
Weblogic 10.3.6.0

After migrating the default and system store to an external LDAP, in this case OUD, the OAM console reports the access-denied error quoted at the top of this post from Launch Pad -> Configuration -> User Identity Stores. The subject weblogic only carries the principals oimAdminGroup and OAMSystemAdminGroup, none of which map to the Admin, Operator or Monitor WebLogic global roles the MBean requires.

To resolve, add an Administrators group under cn=systemids and make weblogic a member of it. WebLogic's default role mapping grants the Admin global role to members of a group named Administrators, so once weblogic is in that group the MBean check passes. If using a GUI tool such as Apache Directory Studio, do the following:
  1. Expand the cn=systemids node
  2. Select an entry under cn=systemids and right-click
  3. Click New -> New Entry
  4. On the Entry Creation Method screen, check "Use existing entry as template" and click Next
  5. On the Object Classes screen, click Next without making any changes
  6. On the Distinguished Name screen, change the RDN cn = <original_value> to RDN cn = Administrators and click Next (the DN preview box at the bottom should show something like: cn=Administrators,cn=systemids,dc=acme,dc=com)
  7. On the Attributes screen, click Finish
  8. Log out and log back in to the OAM console and open User Identity Stores. The error should no longer appear.
The equivalent LDIF entry is as follows:
dn: cn=Administrators,cn=systemids,dc=acme,dc=com
changetype: add
objectClass: groupOfUniqueNames
objectClass: top
description: OIM administrator role
uniqueMember: cn=oimAdminUser,cn=systemids,dc=acme,dc=com
uniqueMember: cn=weblogic,cn=systemids,dc=acme,dc=com
uniqueMember: cn=xelsysadm,cn=systemids,dc=acme,dc=com
cn: Administrators

This can be saved to a file, e.g. add_group.ldif, and loaded as follows (the OpenLDAP client flags are shown; substitute the OUD ldapmodify syntax if you use the tools shipped with OUD):

ldapadd -x -p 1389 -h localhost -D "cn=Directory Manager" -W -f add_group.ldif

Using -W (prompt) or -y <password-file> instead of -w password keeps the Directory Manager password out of the shell history and the process list. After the add, confirm with an ldapsearch on the new DN that the uniqueMember attribute lists cn=weblogic before retrying the console.
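The following script is an added example, not part of the original post, that reproduces the access check offline: it parses the error message for the required roles and the executing subject's principals, reads the LDIF group entry above, resolves which groups list each principal's DN as a uniqueMember, and applies WebLogic's default global-role-to-group mapping (Admin -> Administrators, Operator -> Operators, Monitor -> Monitors). Assumptions are labelled in the comments: the embedded LDIF is a constructed copy of the entry from this post, user DNs are assumed to live directly under cn=systemids,dc=acme,dc=com, and the MBean is assumed to accept any one of the listed roles. Running it with an empty LDIF shows why the call fails; running it with the Administrators entry shows the Admin role being granted.

```python
"""Offline diagnosis of the OAM "MBean operation access denied" error.

Added example; not code from the original post or from Oracle.
Assumed here: WebLogic's default global-role -> group mapping, a flat
cn=systemids subtree for user DNs, and any-of semantics for the
"Required roles" list.
"""
import re

BASE_DN = "dc=acme,dc=com"

# WebLogic's default mapping of global roles to group names (assumed unchanged).
DEFAULT_ROLE_GROUPS = {
    "Admin": {"Administrators"},
    "Operator": {"Operators"},
    "Monitor": {"Monitors"},
}

# The error message as reported by the OAM console (copied from the post).
ERROR = (
    "MBean operation access denied. MBean: com.oracle.igf:type=Xml,name=IDSConfig "
    "Operation: listAllIdentityDirectoryService() Detail: Access denied. "
    "Required roles: Admin, Operator, Monitor, executing subject: "
    "principals=[weblogic, oimAdminGroup, OAMSystemAdminGroup]"
)

# Constructed LDIF mirroring the Administrators group the post adds.
FIX_LDIF = """dn: cn=Administrators,cn=systemids,dc=acme,dc=com
changetype: add
objectClass: groupOfUniqueNames
objectClass: top
description: OIM administrator role
uniqueMember: cn=oimAdminUser,cn=systemids,dc=acme,dc=com
uniqueMember: cn=weblogic,cn=systemids,dc=acme,dc=com
uniqueMember: cn=xelsysadm,cn=systemids,dc=acme,dc=com
cn: Administrators
"""


def parse_error(msg):
    """Extract the required roles and the subject's principals from the message."""
    required = re.search(r"Required roles: (.*?), executing subject", msg).group(1)
    principals = re.search(r"principals=\[(.*?)\]", msg).group(1)
    return ([r.strip() for r in required.split(",")],
            [p.strip() for p in principals.split(",")])


def parse_ldif(text):
    """Minimal LDIF parser (no base64 '::' values): list of {attr: [values]}."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def groups_containing(principal, entries):
    """cn values of groupOfUniqueNames entries whose uniqueMember lists the principal.

    Assumes the principal's DN is cn=<principal>,cn=systemids,<BASE_DN>.
    """
    dn = f"cn={principal},cn=systemids,{BASE_DN}".lower()
    found = set()
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        members = {m.lower() for m in entry.get("uniquemember", [])}
        if "groupofuniquenames" in classes and dn in members:
            found.update(entry.get("cn", []))
    return found


def granted_roles(principals, entries):
    """Roles the subject holds via its principals plus LDIF-resolved group membership."""
    group_names = set(principals)  # the subject's principal list already names its groups
    for p in principals:
        group_names |= groups_containing(p, entries)
    return {role for role, groups in DEFAULT_ROLE_GROUPS.items() if group_names & groups}


def diagnose(msg, ldif_text):
    """Return the required roles, the roles actually granted, and the access decision."""
    required, principals = parse_error(msg)
    roles = granted_roles(principals, parse_ldif(ldif_text))
    return {
        "required": required,
        "principals": principals,
        "granted": sorted(roles),
        "authorized": bool(roles & set(required)),  # any-of semantics assumed
    }


if __name__ == "__main__":
    print("before fix:", diagnose(ERROR, ""))
    print("after fix: ", diagnose(ERROR, FIX_LDIF))
```

The before/after output makes the cause of the error explicit: without the group none of the three principals map to a required role, and after the add the weblogic DN resolves to Administrators, which the default mapping turns into Admin. Point the parser at a real export (ldapsearch -L of cn=systemids) to check a live directory the same way.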