By default, Identity Manager delegates administrative duties through its organization-based authorization model.
Keep the following in mind when creating delegated administrators in an organization-based authorization model:
Service Provider administrators are Identity Manager users with specific capabilities and a list of controlled organizations.
The value of a user’s organization attribute is either the name of the Identity Manager organization or its object ID, depending on the setting of the Identity Manager Organization Attribute Name Contains ID field on the Identity Manager Main Configuration screen.
Build the Identity Manager organization hierarchy to mirror the way you want administration of those organizations delegated. Identify organizations by their object IDs rather than by their simple names: the simple name is only the last component of the hierarchy path, so it is not guaranteed to be unique across the hierarchy.
A Service Provider user’s organization is taken from a user attribute in the directory server.
You must map that attribute in the schema map of the directory server resource.
Attribute values are compared by exact match against the administrator’s list of controlled organizations. The value stored in the directory must be the organization’s name only, not its full hierarchy path: if an administrator controls Top:orgA:sub1, the organization attribute of the Service Provider user must hold sub1.
If the attribute is not set, or its value does not correspond to an Identity Manager organization, the Service Provider user is treated as a member of the Top organization. Service Provider administrators therefore need Service Provider user capabilities in Top to manage such users. A misspelled or stale attribute value also places the user in Top rather than in the intended organization, so check the mapped attribute first when a user is missing from a delegated administrator’s scope.
The same attribute settings determine the scope of searches performed by Service Provider administrators.
To create a delegated administrator account, first create an Identity Manager administrator, then add Service Provider administrator capabilities. Capabilities specific to Service Provider tasks are assigned to the user on the Security tab of the Edit User page. The administrator’s controlled organizations determine which Service Provider users the administrator can modify. Any resources available to Service Provider users are available to all Identity Manager administrators.
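The matching and scoping rules above (exact match on the organization name or object ID, fallback to Top for unset or unknown values, search scope derived from the same comparison, and the capability check on the administrator), as an added illustrative model. This is not Identity Manager code: the class names, the object ID format (#ID#...) and the capability name ServiceProviderUserAdmin are hypothetical, the sample hierarchy and directory extract are constructed, and the refusal to resolve a simple name shared by two organizations is an assumption that shows why object IDs are preferred.

```python
# Added illustrative model of organization-scoped delegation for Service
# Provider users. Not Identity Manager code: the class names, the object ID
# format and the capability name are hypothetical; the matching rules
# (exact match on the organization name or object ID, fallback to Top)
# follow the documentation text.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

TOP = "Top"
SP_USER_CAPABILITY = "ServiceProviderUserAdmin"  # hypothetical capability name


@dataclass(frozen=True)
class Organization:
    path: str       # hierarchy path, e.g. "Top:orgA:sub1"
    object_id: str  # hypothetical object ID, e.g. "#ID#a1"

    @property
    def name(self) -> str:
        # Only the last path component is compared with the user's attribute.
        return self.path.rsplit(":", 1)[-1]


class OrganizationHierarchy:
    """Resolves a user's organization attribute value to an organization."""

    def __init__(self, orgs: Iterable[Organization], attribute_contains_id: bool):
        # attribute_contains_id models the "Organization Attribute Name
        # Contains ID" setting on the Main Configuration screen.
        self.attribute_contains_id = attribute_contains_id
        self.by_id: Dict[str, Organization] = {}
        self.by_name: Dict[str, List[Organization]] = {}
        for org in orgs:
            self.by_id[org.object_id] = org
            self.by_name.setdefault(org.name, []).append(org)
        self.top = self.by_name[TOP][0]

    def duplicate_names(self) -> List[str]:
        """Simple names shared by several organizations. In name mode these
        cannot be matched unambiguously, which is why object IDs are preferred."""
        return sorted(n for n, orgs in self.by_name.items() if len(orgs) > 1)

    def resolve(self, attr_value: Optional[str]) -> Organization:
        if not attr_value:
            return self.top                          # attribute not set -> Top
        if self.attribute_contains_id:
            return self.by_id.get(attr_value, self.top)
        matches = self.by_name.get(attr_value, [])   # exact, case-sensitive match
        if len(matches) > 1:
            # Assumption: refuse to guess between same-named organizations.
            raise ValueError(f"organization name {attr_value!r} is ambiguous")
        return matches[0] if matches else self.top   # unknown value -> Top


@dataclass(frozen=True)
class ServiceProviderAdmin:
    name: str
    capabilities: frozenset
    controlled_orgs: frozenset  # hierarchy paths, e.g. {"Top:orgA:sub1"}


def can_manage(admin: ServiceProviderAdmin, hierarchy: OrganizationHierarchy,
               user_org_attr: Optional[str]) -> bool:
    """True if admin may modify a Service Provider user whose mapped
    organization attribute holds user_org_attr."""
    if SP_USER_CAPABILITY not in admin.capabilities:
        return False
    return hierarchy.resolve(user_org_attr).path in admin.controlled_orgs


def search_scope(admin: ServiceProviderAdmin, hierarchy: OrganizationHierarchy,
                 users: Dict[str, Optional[str]]) -> List[str]:
    """Service Provider users (uid -> organization attribute) the admin can see."""
    return sorted(uid for uid, attr in users.items()
                  if can_manage(admin, hierarchy, attr))


# Constructed sample data: a small hierarchy and a directory extract.
ORGS = [
    Organization("Top", "#ID#top"),
    Organization("Top:orgA", "#ID#a"),
    Organization("Top:orgA:sub1", "#ID#a1"),
    Organization("Top:orgB", "#ID#b"),
]
NAME_HIERARCHY = OrganizationHierarchy(ORGS, attribute_contains_id=False)
ID_HIERARCHY = OrganizationHierarchy(ORGS, attribute_contains_id=True)

DIRECTORY_USERS = {          # uid -> value of the mapped organization attribute
    "alice": "sub1",         # simple name: matches Top:orgA:sub1
    "bob": "Top:orgA:sub1",  # full path stored by mistake: falls back to Top
    "carol": "Sub1",         # case differs: falls back to Top
    "dave": None,            # attribute not set: falls back to Top
    "erin": "orgB",
}

SUB1_ADMIN = ServiceProviderAdmin("sub1-admin", frozenset({SP_USER_CAPABILITY}),
                                  frozenset({"Top:orgA:sub1"}))
TOP_ADMIN = ServiceProviderAdmin("top-admin", frozenset({SP_USER_CAPABILITY}),
                                 frozenset({TOP}))

if __name__ == "__main__":
    for admin in (SUB1_ADMIN, TOP_ADMIN):
        print(admin.name, "->", search_scope(admin, NAME_HIERARCHY, DIRECTORY_USERS))
```

Running the model shows the practical consequence of the fallback rule: the administrator of Top:orgA:sub1 sees only the user whose attribute holds exactly sub1, while the users with a full path, a case mismatch or no value at all land in the scope of whoever controls Top. Switching the hierarchy to ID mode makes the plain name sub1 unresolvable and only the object ID match, which is the behaviour to expect after changing the Organization Attribute Name Contains ID setting without re-provisioning the directory attribute.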