Sun Identity Manager 8.1 Business Administrator's Guide

Understanding and Managing Capabilities

Capabilities are groups of rights in the Identity Manager system. Capabilities represent administrative job responsibilities, such as resetting passwords or administering user accounts. Each Identity Manager administrative user is assigned one or more capabilities, which provide a set of privileges without compromising data protection.

Not all Identity Manager users need capabilities assigned. Only those users who will perform one or more administrative actions through Identity Manager will require capabilities. For example, an assigned capability is not needed to enable a user to change his password, but an assigned capability is required to change another user’s password.

Your assigned capabilities govern which areas of the Identity Manager Administrator Interface you can access.

All Identity Manager administrative users can access certain areas of Identity Manager, including:


Note –

A list of Identity Manager’s default task-based and functional capabilities (with definitions) is included in Appendix D, Capabilities Definitions. This appendix also lists the tabs and subtabs that may be accessed with each task-based capability.


Capabilities Categories

Identity Manager defines Capabilities as:

Built-in capabilities (those provided with the Identity Manager system) are protected, meaning that you cannot edit them. You can, however, use them within capabilities that you create.

Protected (built-in) capabilities are indicated in the list with a red key (or red key and folder) icon. Capabilities that you create and can edit are indicated in the capabilities list with a green key (or green key and folder) icon.

Working with Capabilities

This section describes how to create, edit, assign, and rename capabilities. These tasks are performed using the Capabilities page.

View the Capabilities Page

The Capabilities page is found under the Security tab.

To Open the Capabilities Page

  1. In the Administrator interface, click Security in the top menu.

  2. Click Capabilities in the secondary menu.

    The Capabilities page opens and shows a list of Identity Manager capabilities.

Create a Capability

Use the following procedure to create a capability. To clone a capability, see Save and Rename a Capability.

To Create a Capability

  1. In the Administrator interface, click Security in the top menu.

  2. Click Capabilities in the secondary menu.

    The Capabilities page opens and shows a list of Identity Manager capabilities.

  3. Click New.

    The Create Capability page opens.

  4. Complete the form as follows:

    1. Name the new capability.

    2. In the Capabilities section, use the arrow buttons to move the capabilities that should be assigned to users into the Assigned Capabilities box.

    3. In the Assigners box, select one or more users that will be allowed to assign this capability to other users.

      • If no users are selected, the only user who can assign this capability is the one that created the capability.

      • If the user who created the capability does not have the Assign User Capability capability assigned, then you must select one or more users to ensure that at least one user can assign the capability to another user.

    4. In the Organizations box, select one or more organizations to which this capability will be available.

    5. Click Save.


      Note –

      The users from whom you can select assigners are those who have been assigned the Assign Capability right.
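
The assigner rule in step 4.3 can be checked mechanically. The following is an added example, not Identity Manager code or its API: a simplified model that flattens nested capabilities and reports custom capabilities that nobody is able to assign. It assumes that holding a capability which contains Assign User Capability counts as holding it; all users and capability names other than Assign User Capability are constructed.

```python
from dataclasses import dataclass, field

# Capability name taken from step 4.3 of the procedure; all other names are constructed.
ASSIGN_CAP = "Assign User Capability"

@dataclass
class Capability:
    name: str
    creator: str
    contains: list = field(default_factory=list)   # capabilities nested inside this one
    assigners: list = field(default_factory=list)  # users picked in the Assigners box
    protected: bool = False                        # built-in capabilities cannot be edited

def expand(name, catalog, seen):
    """Add `name` and everything it transitively contains to `seen`."""
    if name not in seen:
        seen.add(name)
        for child in catalog[name].contains:
            expand(child, catalog, seen)
    return seen

def effective(user, user_caps, catalog):
    """All capabilities a user holds once nesting is flattened."""
    held = set()
    for cap in user_caps.get(user, []):
        expand(cap, catalog, held)
    return held

def who_can_assign(cap, user_caps, catalog):
    """Selected assigners, else the creator if the creator holds ASSIGN_CAP."""
    if cap.assigners:
        return set(cap.assigners)
    if ASSIGN_CAP in effective(cap.creator, user_caps, catalog):
        return {cap.creator}
    return set()

def audit(catalog, user_caps):
    """Names of custom capabilities that nobody is able to assign."""
    return sorted(c.name for c in catalog.values()
                  if not c.protected and not who_can_assign(c, user_caps, catalog))

# Constructed sample data (hypothetical users and capability names).
CATALOG = {c.name: c for c in [
    Capability(ASSIGN_CAP, "system", protected=True),
    Capability("Sample Password Reset", "system", protected=True),
    Capability("Helpdesk Tier 1", "bob", contains=["Sample Password Reset"]),
    Capability("Helpdesk Tier 2", "bob", contains=["Helpdesk Tier 1"], assigners=["alice"]),
    Capability("Security Lead", "alice", contains=[ASSIGN_CAP, "Helpdesk Tier 2"]),
]}
USER_CAPS = {"alice": ["Security Lead"], "bob": ["Sample Password Reset"]}

if __name__ == "__main__":
    print("unassignable:", audit(CATALOG, USER_CAPS))
```

In the sample, Helpdesk Tier 1 is reported because its creator lacks Assign User Capability and no assigners were selected. The flattened view from `effective` also shows everything a composite capability grants.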


Edit a Capability

You can edit a non-protected capability.

To Edit a Non-Protected Capability

  1. In the Administrator interface, click Security in the top menu.

  2. Click Capabilities in the secondary menu.

    The Capabilities page opens and shows a list of Identity Manager capabilities.

  3. Right-click the capability in the list, and then select Edit. The Edit Capability page opens.

  4. Make your changes and click Save.

    You cannot edit built-in capabilities. You can, however, save them with a different name in order to create your own capability. You can also use built-in capabilities in capabilities that you create.

Save and Rename a Capability

You can create a new capability by saving an existing capability with a new name. This process is known as cloning the capability.

To Clone a Capability

  1. In the Administrator interface, click Security in the top menu.

  2. Click Capabilities in the secondary menu.

    The Capabilities page opens and shows a list of Identity Manager capabilities.

  3. Right-click the capability in the list, and then select Save As.

    A dialog box opens and asks you to type a name for the new capability.

  4. Type a name and click OK.

    You can now edit the new capability.

Assigning Capabilities to Users

Use the Create User page (Creating Users and Working with User Accounts) or the Edit User page (Editing Users) to assign capabilities to users. You can also assign capabilities to a user by assigning an administrator role, which you set up through the Security area in the interface. See Understanding and Managing Admin Roles for more information.

