Sun Identity Manager Deployment Guide

Creating an Authorization Type

You can create a new authorization type by extending the existing TaskDefinition, TaskInstance, and TaskTemplate authorization types. You can use one of the following methods to add an authorization type:

Assigning an Authorization Type to a Repository

By setting an authorization type on a repository type, you can restrict which users can see, modify, or delete objects of that type. To define an authorization type for a repository type, set the authorization type name to the name of the repository type and omit the extends attribute.

Example: Setting End-User Authorization Types

Identity Manager implements the User Admin role and assigns it to all users by default. This role encapsulates the EndUser AdminGroup that provides two end-user authorization types (AuthTypes) and several list permissions for various object types.

These end-user authorization types include:

Example: Using Authorization Types to Restrict Visibility on Resources

You can use authorization types to restrict visibility on resources on the resource level. Rather than move resources into special organizations, you can

When assigning capabilities to users, do not assign a capability that includes rights to a generic resource type. Instead, assign users a capability with rights for a specific resource type.


Note –

For an example of stock authorization types defined in the system, see the admingroups.xml file.


Procedure: To Define a Resource-Specific Authorization Type

  1. Add an entry to the Configuration:AuthorizationTypes object.

    <AuthType name='Resource-Corporate-LDAP' extends='Resource'/>

  2. Derive a variant of one of the standard capabilities, such as Resource Administrator. The only difference between this capability and the standard AdminGroup is the type name in the Permission element: Resource-Corporate-LDAP instead of Resource.


    <AdminGroup name='Corporate LDAP Resource Administrator'
               protected='true'
               displayName='UI_ADMINGROUP_RESOURCE_ADMIN'
               description='UI_ADMINGROUP_RESOURCE_ADMIN_DESCRIPTION'>
       <AdminGroups>
           <ObjectRef type='AdminGroup' id='#ID#Resource Group Administrator'/>
           <ObjectRef type='AdminGroup' id='#ID#Resource Report Administrator'/>
           <ObjectRef type='AdminGroup' id='#ID#Connect Organizations'/>
           <ObjectRef type='AdminGroup' id='#ID#Connect Policies'/>
       </AdminGroups>
       <Permissions>
           <Permission type='AttributeDefinition' rights='View'/>
           <Permission type='Resource-Corporate-LDAP' rights='View,List,Create,Modify,Delete,Execute'/>
           <Permission type='ResourceUIConfig' rights='Create,Modify'/>
           <Permission type='Rule' rights='View'/>
           <Permission type='User' rights='View,List'/>
       </Permissions>
       <MemberObjectGroups>
           <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
       </MemberObjectGroups>
    </AdminGroup>
    <ObjectRef type='AdminGroup' id='#ID#Connect Resource Groups'/>

Example: Granting Access to a Specific Part of Identity Manager

You can also use authorization types to grant fine-grained administrative control of a very specific part of Identity Manager to a set of users.

You create an AuthType, assign objects to that AuthType, and then create a capability that grants that AuthType. When you assign this capability to a set of users, they can only see the area of the system that the authorization type and capability allow them to see.

The following example assigns the LimitedReportType authorization type to TaskDefinition and TaskInstance objects, and the Run Limited Report capability to a user. Consequently, that user can only execute reports whose TaskDefinition carries the LimitedReportType authorization type.


<AuthType name='LimitedReportType' extends='TaskDefinition'/>
<AuthType name='LimitedReportType' extends='TaskInstance'/>
<AdminGroup name='Run Limited Report' ...>
...
<Permissions>
    <Permission type='LimitedReportType' rights='View,Execute'/>
</Permissions>
 ...
</AdminGroup>
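The two examples above share one failure mode: a narrow AuthType such as Resource-Corporate-LDAP or LimitedReportType only restricts visibility if no capability assigned to the same users also grants rights on the generic parent type (Resource, TaskDefinition). The script below is an added example, not part of the Identity Manager product or this guide, that lints a configuration for exactly that: it resolves each AuthType's extends chain to its repository type, flattens each AdminGroup's effective rights through its nested AdminGroups references, and reports any capability that grants rights on a type some AuthType specialises. The XML it parses is a constructed sample with the page's element names; the AdminGroup names other than Corporate LDAP Resource Administrator and the assumption that the configuration can be read as one XML document are the author's own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample configuration (not shipped with the product). It mixes an
# AuthorizationTypes section with three capabilities; the last one grants
# rights on the generic Resource type and should be flagged.
SAMPLE_CONFIG = """
<Configuration>
  <AuthorizationTypes>
    <AuthType name='Resource-Corporate-LDAP' extends='Resource'/>
    <AuthType name='LimitedReportType' extends='TaskDefinition'/>
  </AuthorizationTypes>
  <AdminGroup name='Connect Resource Groups'>
    <Permissions>
      <Permission type='ResourceGroup' rights='View,List'/>
    </Permissions>
  </AdminGroup>
  <AdminGroup name='Corporate LDAP Resource Administrator'>
    <AdminGroups>
      <ObjectRef type='AdminGroup' id='#ID#Connect Resource Groups'/>
    </AdminGroups>
    <Permissions>
      <Permission type='Resource-Corporate-LDAP' rights='View,List,Create,Modify,Delete,Execute'/>
      <Permission type='User' rights='View,List'/>
    </Permissions>
  </AdminGroup>
  <AdminGroup name='Overbroad Resource Administrator'>
    <Permissions>
      <Permission type='Resource' rights='View,List,Create,Modify,Delete,Execute'/>
    </Permissions>
  </AdminGroup>
</Configuration>
"""


def load_auth_types(root: ET.Element) -> Dict[str, str]:
    """Map each AuthType name to the type it extends (None for a repository-type AuthType)."""
    return {a.get("name"): a.get("extends") for a in root.iter("AuthType")}


def ancestors(name: str, auth_types: Dict[str, str]) -> List[str]:
    """Walk the extends chain from an AuthType outward; the last entry is the repository type."""
    chain, seen = [], set()
    while name in auth_types and auth_types[name]:
        if name in seen:
            raise ValueError(f"extends cycle at AuthType {name}")
        seen.add(name)
        name = auth_types[name]
        chain.append(name)
    return chain


def auth_type_base(config_xml: str, name: str) -> str:
    """Repository type that ultimately backs an AuthType (a type with no AuthType is its own base)."""
    chain = ancestors(name, load_auth_types(ET.fromstring(config_xml.strip())))
    return chain[-1] if chain else name


def effective_permissions(group_name: str, groups: Dict[str, ET.Element],
                          stack: Tuple[str, ...] = ()) -> Dict[str, Set[str]]:
    """Rights per object type for a capability, including the AdminGroups it references."""
    if group_name in stack:
        raise ValueError(f"AdminGroup reference cycle at {group_name}")
    group = groups[group_name]
    perms: Dict[str, Set[str]] = {}
    for ref in group.findall("AdminGroups/ObjectRef"):
        nested = ref.get("id", "")
        nested = nested[len("#ID#"):] if nested.startswith("#ID#") else nested
        for obj_type, rights in effective_permissions(nested, groups, stack + (group_name,)).items():
            perms.setdefault(obj_type, set()).update(rights)
    for perm in group.findall("Permissions/Permission"):
        rights = {r.strip() for r in perm.get("rights", "").split(",") if r.strip()}
        perms.setdefault(perm.get("type"), set()).update(rights)
    return perms


def capability_permissions(config_xml: str, group_name: str) -> Dict[str, Set[str]]:
    root = ET.fromstring(config_xml.strip())
    return effective_permissions(group_name, {g.get("name"): g for g in root.iter("AdminGroup")})


def lint(config_xml: str) -> List[Tuple[str, str, str]]:
    """Return (capability, generic type, rights) for every grant on a type an AuthType specialises."""
    root = ET.fromstring(config_xml.strip())
    auth_types = load_auth_types(root)
    groups = {g.get("name"): g for g in root.iter("AdminGroup")}
    generic: Set[str] = set()
    for name in auth_types:
        generic.update(ancestors(name, auth_types))
    findings = []
    for gname in groups:
        for obj_type, rights in effective_permissions(gname, groups).items():
            if obj_type in generic:
                findings.append((gname, obj_type, ",".join(sorted(rights))))
    return findings


if __name__ == "__main__":
    for capability, obj_type, rights in lint(SAMPLE_CONFIG):
        print(f"{capability}: grants {rights} on generic type {obj_type}")
```

Run against a real export, the finding list is the set of capabilities that silently widen a resource- or report-specific AuthType back to the whole object type; those are the capabilities the text says not to assign alongside the specific ones.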