Sun Identity Manager Deployment Guide

Authorization Types and Capabilities

Authorization types are a key component of the End User authorization model. With authorization types, you can define capabilities, or AdminGroups, and then assign those capabilities to users.

AdminGroups Objects

After defining an authorization type, you can reference it in the Permission objects stored within AdminGroup objects. The following XML example defines an AdminGroup (called a capability) that you can assign to a user.


<AdminGroup name='EndUser'>
  <Permissions>
    <!-- type names here are authorization types, not repository types -->
    <Permission type='EndUserTask' rights='View'/>
    <Permission type='EndUserRule' rights='View'/>
  </Permissions>
  <MemberObjectGroups>
    <!-- the capability applies to objects in every organization -->
    <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
  </MemberObjectGroups>
</AdminGroup>

In this example, the two Permission elements both use type names that are authorization types rather than repository types. Only TaskDefinition objects that are assigned the EndUserTask authorization type will be accessible to a user who holds this capability. (A capability conveys a set of rights to one or more authorization types or repository types.) Because authorization types form a hierarchy together with other authorization types and repository types, having rights on a parent in the type hierarchy grants the same rights on all of its children.

EndUser Capability

You can use the AdminGroup EndUser capability to assign permissions to non-administrative users, who typically do not have assigned capabilities and do not control any organizations. The default definition of this capability was given in the example in the Permission Extensions section.

Identity Manager implicitly assigns all users the EndUser capability. This capability permits users to view several types of objects, including tasks, rules, roles, and resources. Although you can assign capabilities to end users, you may prefer not to. Identity Manager defines a user with explicitly assigned capabilities as an administrator, and the system caches information about administrators that results in an effective upper limit on the number of administrators an installation can have.

The EndUserLibrary authorization type is also available. The EndUser capability (or AdminGroup) has List and View access to Libraries whose authType is EndUserLibrary.

To give users access to the contents of a Library, set authType='EndUserLibrary' and ensure that the Library's MemberObjectGroup is set to All.
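As an added illustration of the two rules above (rights on a parent in the type hierarchy cover its children, and a MemberObjectGroup of All matches every organization), the following Python is example code written for this section, not code from the guide or from Identity Manager; the type-to-parent table and the MyCustomTask type are constructed for the example, and the real hierarchy comes from the deployment's own authorization-type definitions.

```python
import xml.etree.ElementTree as ET

# The EndUser AdminGroup from the guide, with straight quotes so it parses as XML.
ENDUSER_ADMINGROUP = """
<AdminGroup name='EndUser'>
  <Permissions>
    <Permission type='EndUserTask' rights='View'/>
    <Permission type='EndUserRule' rights='View'/>
  </Permissions>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
  </MemberObjectGroups>
</AdminGroup>
"""

# Constructed type hierarchy for the example: child type -> parent type.
# MyCustomTask is a hypothetical authorization type that extends EndUserTask.
TYPE_PARENT = {
    "EndUserTask": "TaskDefinition",
    "MyCustomTask": "EndUserTask",
    "EndUserRule": "Rule",
}

def parse_admingroup(xml_text):
    """Collect the rights per type and the member ObjectGroups of an AdminGroup."""
    root = ET.fromstring(xml_text)
    perms = {}
    for p in root.iterfind("Permissions/Permission"):
        rights = {r.strip() for r in p.get("rights", "").split(",") if r.strip()}
        perms.setdefault(p.get("type"), set()).update(rights)
    groups = {ref.get("name") for ref in root.iterfind("MemberObjectGroups/ObjectRef")}
    return {"name": root.get("name"), "permissions": perms, "groups": groups}

def type_chain(obj_type, parents=TYPE_PARENT):
    """Yield obj_type, then each ancestor up the type hierarchy (cycle-safe)."""
    seen = set()
    while obj_type and obj_type not in seen:
        seen.add(obj_type)
        yield obj_type
        obj_type = parents.get(obj_type)

def grants(capability, obj_type, right, obj_group):
    """True if the capability conveys `right` on an object of `obj_type` in `obj_group`."""
    # Assumption: membership in All covers every ObjectGroup; otherwise the
    # object's group must be listed explicitly in MemberObjectGroups.
    if "All" not in capability["groups"] and obj_group not in capability["groups"]:
        return False
    # A right granted on a parent type applies to every child type, so walk
    # upward from the object's own type; rights never flow downward to parents.
    return any(right in capability["permissions"].get(t, set())
               for t in type_chain(obj_type))
```

Checking a plain TaskDefinition against this capability returns False, which is the point of the section: only objects tagged with the EndUserTask authorization type (or a child of it) become visible to end users.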