Sun Identity Manager 8.1 Business Administrator's Guide

Using Authorization Types to Secure Objects

You typically use permissions specified in an AdminGroup capability to grant access to an Identity Manager objectType such as a Configuration, Rule, or TaskDefinition. However, granting access to all objects of an Identity Manager objectType within one or more controlled organizations is sometimes still too broad.

Using authorization types (AuthType) allows you to further scope or restrict this access to a subset of objects for a given Identity Manager objectType. For example, you might not want to give your users access to all rules within their scope of control when populating rules to select from in a user form.

To define a new authorization type, edit the AuthorizationTypes configuration object in the Identity Manager repository and add a new <AuthType> element.

This element requires two properties:

For example, if you want to add a new Rule authorization type, called Marketing Rule, that extends Rule, you would define the following:

<AuthType name=’Marketing Rule’ extends=’Rule’/>

Next, to enable the authorization type to be used, you must reference that authorization type in two places.

Following are examples of both references. The first example shows an AdminGroup capability definition granting access to Marketing Rules.

Example 12–4 AdminGroup Capability Definition

<AdminGroup name=’Marketing Admin’>
    <Permission type=’Marketing Rule’ rights=’View,List,Connect,Disconnect/>
    <ObjectRef type=’AdminGroup’ id=’#ID#Account Administrator’/>

The next example shows a Rule definition that enables users to access the object because they have been granted access to Rule or Marketing Rule.

Example 12–5 Rule Definition

<Rule name=’Competitive Analysis Info’ authType=’Marketing Rule’>

Note –

Any user granted rights to a parent authorization type, or to a static type that an authorization type extends, will have the same rights on all child authorization types. So, using the preceding example, any user granted rights to Rule will also have the same rights to Marketing Rule. The converse, however, is not true.