Sun Identity Manager 8.1 Business Administrator's Guide

Object Relationships

The following table provides a quick overview of Identity Manager objects and their relationships.

Table 1–1 Identity Manager Object Relationships

Columns: Identity Manager Object; What Is It?; Where Does It Fit?

User account
  What is it? An account on Identity Manager and on one or more resources. User data may be loaded into Identity Manager from resources. A special class of users, Identity Manager administrators, has extended privileges.
  Where does it fit?
    Role. Generally, each user account is assigned one or more roles.
    Organization. User accounts are arranged in a hierarchy as part of an organization. Identity Manager administrators additionally manage organizations.
    Resource. Individual resources can be assigned to user accounts.
    Capability. Administrators are assigned capabilities for the organizations they manage.

Role
  What is it? Business Roles group the access rights that people who perform similar tasks in an organization need to do their jobs. Asset, Application, and IT Roles group resources so that resources can be assigned to users by way of Business Roles. Role-based resource assignments simplify resource management in large organizations.
  Where does it fit?
    Resource and resource group. Resources and resource groups are assigned to Asset, Application, and IT Roles.
    User account. User accounts with similar characteristics are assigned to Business Roles.
    Asset, Application, and IT Roles. Asset, Application, and IT Roles are assigned to Business Roles.

Resource
  What is it? Stores information about a system, application, or other resource on which accounts are managed.
  Where does it fit?
    Role. Resources are assigned to Application and IT Roles, which are in turn assigned to Business Roles. A user account loosely “inherits” resource access from its Business Role assignments.
    User account. Resources can be individually assigned to user accounts.

Resource Group
  What is it? Ordered group of resources.
  Where does it fit?
    Role. Resource groups are assigned to roles; a user account “inherits” resource access from its Business Role assignments.
    User account. Resource groups can be directly assigned to user accounts.

Organization
  What is it? Defines the scope of entities managed by an administrator; hierarchical.
  Where does it fit?
    Resource. Administrators in a given organization may have access to some or all resources.
    Administrator. Organizations are managed (controlled) by users with administrative privileges. Administrators may manage one or more organizations. Administrative privileges in a given organization cascade to its child organizations.
    User account. Each user account can be assigned to an Identity Manager organization and one or more directory organizations.

Directory junction
  What is it? Hierarchically related set of organizations that mirrors a directory resource’s actual set of hierarchical containers.
  Where does it fit?
    Organization. Each organization in a directory junction is a virtual organization.

Admin role
  What is it? Defines a unique set of capabilities for each set of organizations assigned to an administrator.
  Where does it fit?
    Administrator. Admin roles are assigned to administrators.
    Capabilities and organizations. Capabilities and organizations are assigned, directly or indirectly (dynamically), to admin roles.

Capability
  What is it? Defines a group of system rights.
  Where does it fit?
    Administrator. Capabilities are assigned to administrators.

Policy
  What is it? Sets password and authentication limits.
  Where does it fit?
    User account. Policies are assigned to user accounts.
    Organization. Policies are assigned to or inherited by organizations.

Audit policy
  What is it? Sets rules by which users are evaluated for compliance violations.
  Where does it fit?
    User account. Audit policies are assigned to user accounts.
    Organization. Audit policies are assigned to organizations.
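As an added illustration (not code from the Sun documentation or the product), the following Python model encodes the relationships in the table: a user account's effective resource access, gathered from direct resource and resource group assignments plus everything inherited through Business Roles and their Asset, Application, and IT Roles, and an admin role's capability scope, with privileges cascading from an organization to its child organizations. All object names and values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Holder:
    """Anything that carries resource assignments: a user account or a role."""
    name: str
    resources: set = field(default_factory=set)        # individually assigned resources
    resource_groups: set = field(default_factory=set)  # ordered groups of resources
    roles: set = field(default_factory=set)            # user -> Business Roles; Business Role -> Asset/Application/IT Roles

@dataclass
class AdminRole:
    capabilities: set   # groups of system rights
    organizations: set  # privileges cascade to child organizations

def effective_resources(holder, roles, groups):
    """Resources reachable from a holder: direct assignments, resource groups, and everything inherited through its role tree."""
    out, seen, stack = set(), set(), [holder]
    while stack:
        node = stack.pop()
        if node.name in seen:
            continue
        seen.add(node.name)
        out |= node.resources
        for g in node.resource_groups:
            out |= set(groups[g])
        stack.extend(roles[r] for r in node.roles)
    return out

def admin_has(admin_role, capability, org, parent):
    """True if the capability is granted for org or for any ancestor organization."""
    if capability not in admin_role.capabilities:
        return False
    while org is not None:
        if org in admin_role.organizations:
            return True
        org = parent.get(org)
    return False

# Constructed sample data (not real Identity Manager object names)
ROLES = {r.name: r for r in [
    Holder("IT-Unix", resources={"unix-hr01"}),                      # IT Role
    Holder("App-Payroll", resource_groups={"payroll-stack"}),        # Application Role
    Holder("Biz-PayrollClerk", roles={"IT-Unix", "App-Payroll"}),    # Business Role
]}
GROUPS = {"payroll-stack": ["ad-corp", "sap-fin"]}  # ordered group of resources
PARENT = {"Finance": "Corp", "Payroll": "Finance"}  # child -> parent organization
ALICE = Holder("alice", resources={"badge-system"}, roles={"Biz-PayrollClerk"})
FIN_ADMIN = AdminRole(capabilities={"reset-password"}, organizations={"Finance"})
```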