Sun Java System Access Manager 7.1 Administration Reference

Dynamic Administrative Roles ACIs

This attribute defines the access control instructions for the administrator roles that are created dynamically when a group or realm is configured using Access Manager. These roles are used for granting administrative privileges for the specific grouping of entries created. The default ACIs can be modified only under this attribute listing.


Note –

Administrators at the realm level have a wider scope of access than do group administrators. But, by default, when a user is added to a group administrator role, that user can change the password of anyone in the group. This would include any realm administrator who is a member of that group.


The Container Help Desk Admin role has read access to all entries in a realm and write access to the userPassword attribute in user entries only in this container unit.

The Realm Help Desk Admin has read access to all entries in a realm and write access to the userPassword attribute. When a sub-realm is created, remember that the administration roles are created in the sub-realm, not in the parent realm.

The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Access Manager, the LDAP organizational unit is often referred to as a container.

The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that realm.

The People Container Admin role applies to the realm's People Container. By default, any user entry in a newly created realm is a member of that realm's People Container. The People Container Administrator has read and write access to all user entries in the realm's People Container. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs; therefore, it cannot modify the attributes of, or remove a user from, a role or a group.

Other containers can be configured with Access Manager to hold user entries, group entries or even other containers. To apply an Administrator role to a container created after the realm has already been configured, the Container Admin Role or Container Help Desk Admin defaults would be used.

The Group Admin has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users that they have created. When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group's creator, or by anyone that has access to the Group Administrator Role.

The Top-level Admin has read and write access to all entries in the top-level realm. In other words, this Top-level Admin role has privileges for every configuration principal within the Access Manager application.

The Organization Administrator has read and write access to all entries in a realm. When a realm is created, the Organization Admin role is automatically generated with the necessary privileges to manage the realm.
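The following Python script is an added example and is not part of the Access Manager documentation or product. It shows how an administrator could audit the role-based ACIs described above: it parses ACI strings written in a simplified subset of the Sun Directory Server ACI grammar (target, an optional memberof targetfilter, targetattr, allow, roledn; the real grammar is larger), works out which roles can write userPassword on which entries, and flags the situation the Note warns about, where a Group Admin whose scope is narrower than a realm administrator's can nonetheless reset that realm administrator's password because the administrator is a group member. All role names, DNs, group names and directory entries below are constructed sample data, not the product's actual defaults.

```python
"""Audit userPassword write access granted through role ACIs (added example).
Assumption: ACIs use a simplified subset of the Sun Directory Server syntax;
all DNs, role names and entries are constructed sample data."""
import re

ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)"\)\s*'
    r'(?:\(targetfilter\s*=\s*"\(memberof=(?P<group>[^)]+)\)"\)\s*)?'
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]+)"\)\s*'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]+)";\s*'
    r'allow\s*\((?P<perms>[^)]+)\)\s*roledn\s*=\s*"ldap:///(?P<role>[^"]+)";\s*\)',
    re.IGNORECASE,
)


def parse_aci(text):
    """Parse one ACI string into a dict; anything outside the subset is rejected."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported ACI syntax: {text!r}")
    g = m.groupdict()
    return {
        "name": g["name"],
        "target": g["target"].lower(),
        "group": g["group"].lower() if g["group"] else None,
        "attrs": {a.strip().lower() for a in g["attrs"].split("||")},
        "perms": {p.strip().lower() for p in g["perms"].split(",")},
        "role": g["role"].lower(),
    }


def in_subtree(dn, base):
    """Subtree scope: dn equals base or lies beneath it."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def aci_covers(aci, dn, entry):
    """An ACI applies when the entry is inside the target subtree and, if a
    memberof filter is present, the entry is a member of that group."""
    if not in_subtree(dn, aci["target"]):
        return False
    if aci["group"] is None:
        return True
    return aci["group"] in {g.lower() for g in entry.get("memberof", [])}


def password_writers(acis, directory, dn):
    """Role DNs (lower-cased) granted write on userPassword for entry `dn`."""
    entry = directory[dn]
    return {
        a["role"] for a in acis
        if "write" in a["perms"]
        and ("userpassword" in a["attrs"] or "*" in a["attrs"])
        and aci_covers(a, dn, entry)
    }


def narrow_to_wide_resets(acis, directory):
    """Triples (writer_role, target_dn, held_role) where a role whose password
    write scope covers fewer entries can reset the password of someone holding
    a role with a wider scope: the takeover path the Note describes."""
    scope = {a["role"]: set() for a in acis}
    for dn in directory:
        for role in password_writers(acis, directory, dn):
            scope[role].add(dn)
    findings = []
    for dn, entry in directory.items():
        held = {r.lower() for r in entry.get("nsroledn", [])}
        for writer in sorted(password_writers(acis, directory, dn)):
            for h in sorted(held):
                if writer != h and len(scope[writer]) < len(scope.get(h, set())):
                    findings.append((writer, dn, h))
    return findings


# Constructed sample ACIs (simplified syntax; not the product's real defaults).
ACIS = [parse_aci(s) for s in [
    '(target="ldap:///o=example")(targetattr="*")'
    '(version 3.0; acl "Organization Admin"; allow (read,write) '
    'roledn="ldap:///cn=Organization Admin,o=example";)',
    '(target="ldap:///o=example")(targetattr="userPassword")'
    '(version 3.0; acl "Realm Help Desk Admin"; allow (write) '
    'roledn="ldap:///cn=Realm Help Desk Admin,o=example";)',
    '(target="ldap:///o=example")'
    '(targetfilter="(memberof=cn=staff,ou=Groups,o=example)")'
    '(targetattr="*")(version 3.0; acl "Group Admin staff"; allow (read,write) '
    'roledn="ldap:///cn=Group Admin staff,o=example";)',
]]

# Constructed sample directory: alice is a realm administrator who is also a
# member of the staff group that bob administers.
DIRECTORY = {
    "uid=alice,ou=People,o=example": {
        "nsroledn": ["cn=Organization Admin,o=example"],
        "memberof": ["cn=staff,ou=Groups,o=example"]},
    "uid=bob,ou=People,o=example": {
        "nsroledn": ["cn=Group Admin staff,o=example"],
        "memberof": ["cn=staff,ou=Groups,o=example"]},
    "uid=carol,ou=People,o=example": {"nsroledn": [], "memberof": []},
}

if __name__ == "__main__":
    for writer, target, held in narrow_to_wide_resets(ACIS, DIRECTORY):
        print(f"{writer} can reset userPassword of {target}, who holds {held}")
```

Run against the sample data, the only finding is the Group Admin role over alice's entry: the group-scoped role can write the password of a holder of the realm-wide Organization Admin role. Removing the realm administrator from the group, or narrowing the Group Admin ACI so that userPassword is excluded for entries holding wider roles, clears the finding.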