Sun Identity Manager 8.1 Business Administrator's Guide

Configuring a Service Provider User Admin Role

To configure a Service Provider User Admin Role, create an admin role and specify the scope of control, capabilities, and to whom it should be assigned.

Note –

Before creating a Service Provider User Admin Role, define the search context, search filter, after search filter, capabilities, and user assignment rules for the admin role.

To use the following rules, you must specify the rule's authType:

Identity Manager provides sample rules that you can use to create these rules for Service Provider User Admin Roles. These rules are available in sample/adminRoleRules.xml in the Identity Manager installation directory.

For more information about creating these rules for your environment, see Sun Identity Manager Service Provider 8.1 Deployment.

ProcedureTo Configure a Service Provider User Admin Role

  1. In the Administrator interface, click Security on the menu, then click Admin Roles.

    The Admin Roles page opens.

  2. Click New.

    The Create Admin Role page opens.

  3. Specify a name for the admin role and select Service Provider Users for the type.

  4. Specify the Scope of Control, Capabilities, and Assign To Users options, as described in the following sections.

Specifying the Scope of Control

The scope of control for the service provider user admin role specifies which service provider users a given Identity Manager administrator, Identity Manager end user, or Identity Manager service provider end user is allowed to see. It is enforced when a request is made to list Service Provider Users in the directory.

You can specify one or more of the following settings for the Service Provider User Admin Role scope of control:

Specifying Capabilities

Capabilities for the Service Provider User Admin Role specify which capabilities and rights the requesting user has on the Service Provider User for which access is being requested. It is enforced when a request is made to view, create, modify, or delete a Service Provider User.

On the Capabilities tab, select the Capabilities Rule to apply for this admin role.

Assigning Admin Roles To Users

Service Provider User Admin Roles can be dynamically assigned to service provider users by specifying a rule that will be evaluated at login time to determine whether to assign the authenticating user the Admin Role.

Click the Assign To Users tab, and select the rule to apply for the assignment.

Note –

Dynamic assignment of Admin Roles to users must be enabled for each login interface (for example, the User interface and the Administrator interface) by setting the following System Configuration object (Editing Identity Manager Configuration Objects) to true:


The default for all interfaces is false.