Table D-1 Identity Manager Task-Based Capabilities Definitions
Capability
|
Allows the Administrator/User to:
|
Can Access These Tabs and Subtabs:
|
Access Review Detail Report Administrator
|
Create, edit, delete, and execute Access Review Detail Reports
|
Reports > Run Reports tab, View Reports tab - Access Review Detail Reports only
Reports > View Dashboards
|
Access Review Summary Report Administrator
|
Create, edit, delete, and execute Access Review Summary Reports
|
Reports - Access Review Summary Reports only
Reports > View Dashboards
|
Account Administrator
|
Perform all operations on users, including assigning capabilities. Does not include bulk operations.
|
Accounts - List Accounts, Find Users, Extract to File, Load from File, Load from Resource tabs
Passwords - All subtabs
Work Items - Approvals subtab
Tasks - All subtabs
|
Admin Report Administrator
|
Create, edit, delete, and run administrator reports.
|
Reports - Manage Reports, Run Reports subtabs (Administrator report only)
|
Admin Role Administrator
|
Create, edit, and delete admin roles.
|
Security - Admin Roles subtab
|
Application Administrator
|
Create, edit, and delete Application roles.
|
Tasks - Find Tasks, All Tasks, Run Tasks subtabs (synchronize roles)
Roles - All subtabs
|
Approver Administrator
|
Approve or reject requests initiated by other users.
|
Default only
|
Asset Administrator
|
Create, edit, and delete Asset roles.
|
Tasks - Find Tasks, All Tasks, Run Tasks subtabs (synchronize roles)
Roles - All subtabs
|
Assign Audit Policies
|
Assign audit policies to user accounts and organizations.
|
Accounts - Edit User Audit Policy from the User Actions list.
Accounts - Edit Organization Audit Policy from the Organization Actions list.
|
Assign Organization Audit Policies
|
Assign audit policies to organizations only.
|
Accounts - Edit Organization Audit Policy from the Organization Actions list; List Accounts tab
|
Assign User Audit Policies
|
Assign audit policies to users only.
|
Accounts - Edit User Audit Policy from the User Actions list; List Accounts tab; Find Users tab
|
Assign User Capabilities
|
Change user capabilities assignments (assign and unassign).
|
Accounts - List Accounts (Edit only), Find Users subtabs.
Must be assigned with another user administrator capability (for example, Create User or Enable User).
|
Audit Policy Administrator
|
Create, modify, and delete audit policies.
|
Compliance - Manage Policies
|
Audit Policy Scan Report Administrator
|
Create, modify, delete, and execute the Audit Policy Scan Report.
|
Reports - Audit Policy Scan reports only
|
Audit Report Administrator
|
Create, modify, delete, and execute audit reports.
|
Reports - Audit report only
|
Audited Attribute Report Administrator
|
Create, modify, delete, and execute the Audited Attribute Report.
|
Reports - Audited Attribute reports only
|
AuditLog Report Administrator
|
Create, modify, delete, and execute the AuditLog Report.
|
Reports - AuditLog reports only
|
Auditor Access Scan Administrator
|
Create, edit, and delete Periodic Access Review scans
|
Compliance - Manage Access Scans
|
Auditor Administrator
|
Set up, manage, and monitor audit policies, audit scans and user compliance.
|
Compliance - All subtabs
Reports - Run Reports, View Reports, and manage Auditor Reports
Accounts - Edit User Audit Policies and Edit Organization Audit Policies actions.
|
Auditor Attestor
|
Required to attest other users’ attestations while organization security is enabled.
|
Default only
|
Auditor Periodic Access Review Administrator
|
Manage Periodic Access Reviews (PAR), manage access scans, manage attestations, manage PAR reports.
|
Compliance - Manage Access Scans, Access Review subtabs
|
Auditor Remediator
|
Remediate, mitigate, and forward audit policy violations.
|
Remediations - All subtabs
|
Auditor Report Administrator
|
Create, modify, delete, and execute any of the Auditor Reports.
|
Reports - all actions on auditor reports
|
Auditor View User
|
View compliance information associated with user.
|
Accounts - List Accounts, Find Users tabs
|
AuditPolicy Violation History Administrator
|
Create, modify, delete, and execute the AuditPolicy Violation History report.
|
Reports - AuditPolicy Violation History reports only
|
Bulk Account Administrator
|
Perform regular and bulk operations on users, including assigning capabilities.
|
Accounts - All subtabs
Passwords - All subtabs
Approvals - All subtabs
Tasks - All subtabs
|
Bulk Change Account Administrator
|
Perform regular and bulk operations except delete on existing users, including assigning capabilities.
|
Accounts - List Accounts, Find Users, Launch Bulk Actions subtabs. Cannot create or delete users.
Passwords - All subtabs
Approvals - All subtabs
Tasks - All subtabs
|
Bulk Change Resource Password Administrator
|
Change the password for the specified resource connection account on the specified resources.
|
Resources - Launch Bulk Actions subtab
|
Bulk Change User Account Administrator
|
Perform regular and bulk operations except delete on existing users.
|
Accounts - List Accounts, Find Users, Launch Bulk Actions subtabs. Cannot create, delete, or assign capabilities to users.
Passwords - All subtabs
Tasks - All subtabs
|
Bulk Create User
|
Assign resources and initiate user create requests (on individual users and by using bulk operations).
|
Accounts - List Accounts (Create only), Find Users, Launch Bulk Actions subtabs
Tasks - All subtabs
|
Bulk Delete User
|
Delete Identity Manager user accounts; deprovision, unassign, and unlink resource accounts (on individual users and by using bulk operations).
|
Accounts - List Accounts (Create only), Find Users, Launch Bulk Actions subtabs
Tasks - All subtabs
|
Bulk Delete IDM User
|
Delete existing Identity Manager user accounts (on individual users and by using bulk operations).
|
Accounts - List Accounts (Delete only), Find Users, Launch Bulk Actions subtabs
Tasks - All subtabs
|
Bulk Deprovision User
|
Delete and unlink existing resource accounts (on individual users and by using bulk operations).
|
Accounts - List Accounts (Deprovision only), Find Users, Launch Bulk Actions subtabs
Tasks - All subtabs
|
Bulk Disable User
|
Disable existing users and resource accounts (on individual users and by using bulk operations).
|
Accounts - List Accounts (Disable only), Find Users, Launch Bulk Actions subtabs
Tasks - All subtabs
|
Bulk Enable User
|
Enable existing users and resource accounts (on individual users and by using bulk operations).
|
Accounts - List Accounts (Enable only), Find Users, Launch Bulk Actions subtabs
Tasks - All subtabs
|
Bulk Reset Resource Password Administrator
|
Reset the password for the specified resource connection account on the specified resources.
|
Resources - Launch Bulk Actions subtab
|
Bulk Unassign User
|
Unassign and unlink existing resource accounts (on individual users and by using bulk operations).
|
Accounts - List Accounts (Unassign only), Find Users, Launch Bulk Actions subtabs
Tasks - All subtabs
|
Bulk Unlink User
|
Unlink existing resource accounts (on individual users and by using bulk operations).
|
Accounts - List Accounts (Unlink only), Find Users, Launch Bulk Actions subtabs
Tasks - All subtabs
|
Bulk Update User
|
Update existing users and resource accounts (on individual users and by using bulk operations).
|
Accounts - List Accounts (Update only), Find Users, Launch Bulk Actions subtabs
Tasks - All subtabs
|
Bulk User Account Administrator
|
Perform all regular and bulk operations on users.
|
Accounts - All subtabs
Passwords - All subtabs
Tasks - All subtabs
|
Business Role Administrator
|
Create, edit, and delete Business Roles.
|
Tasks - Find Tasks, All Tasks, Run Tasks subtabs (synchronize roles)
Roles - All subtabs
|
Capability Administrator
|
Create, modify, and delete capabilities.
|
Configure - Capabilities subtab
|
Change Account Administrator
|
Perform all operations except delete on existing users, including assigning capabilities. Does not include bulk operations.
|
Accounts - All subtabs. Cannot delete users.
Passwords - All subtabs
Approvals - All subtabs
Tasks - All subtabs
Reports - Create admin and user reports, run and edit admin reports, run AuditLog reports in scope. Cannot run admin and user reports on out-of-scope organizations.
|
Change Active Sync Resource Administrator
|
Change active sync resource parameters.
|
Tasks - Find Tasks, All Tasks, Run Tasks subtabs
Resources - For Active Sync resources: Edit actions menu, Edit Active Sync Parameters
|
Change Password Administrator
|
Change user and resource account passwords.
|
Accounts - List Accounts, Find Users subtabs (Change Password only)
Passwords - All subtabs
Tasks - All subtabs. Export Password Scan task only (from Run Tasks subtab)
|
Change Password Administrator (Verification Required)
|
Change user and resource account passwords following successful validation of the user's authentication question answers.
|
Accounts - List Accounts, Find Users subtabs (Change Password only; verification required before action)
Passwords - All subtabs
Tasks - All subtabs. Export Password Scan task only (from Run Tasks subtab)
|
Change Resource Password Administrator
|
Change resource administrator account passwords.
|
Tasks - All subtabs
Resources - List Resources subtab. Change resource password only (from Manage Connection > Change Password in the actions menu)
|
Change User Account Administrator
|
Perform all operations except delete on existing users. Does not include bulk operations.
|
Accounts - List Accounts, Find Users subtabs. Cannot create, delete, or assign capabilities to users.
Passwords - All subtabs
Tasks - All subtabs
|
Configure Audit
|
Configure the events and configuration groups audited in the system.
|
Configure - Audit Events subtab
|
Configure Certificates
|
Configure trusted certificates and CRLs.
|
Security - Certificates subtab
|
Control Active Sync Resource Administrator
|
Control Active Sync resource state (such as start, stop, and refresh)
|
Tasks - Find Tasks, All Tasks, Run Tasks
Resources - For Active Sync resources: Active Sync actions menu (all selections)
|
Create User
|
Assign resources and initiate user create requests. Does not include bulk operations.
|
Accounts - List Accounts (Create only), Find Users subtabs
Tasks - All subtabs
|
Data Warehouse Administrator
|
Configure Data Exporter and run the Data Warehouse Exporter Launcher task.
|
Configure - Warehouse subtab
|
Data Warehouse Query
|
Configure and run forensic queries
|
Compliance / Forensic Query
|
Debug
|
Access and execute operations from the Identity Manager debug pages.
|
The Identity Manager debug pages cannot be accessed from the menu. To access the debug pages, type the following URL into your browser:
http://<AppServerHost>:<Port>/idm/debug
|
Delete User
|
Delete Identity Manager user accounts; deprovision, unassign, and unlink resource accounts. Does not include bulk operations.
|
Accounts - List Accounts (Delete only), Find Users subtabs
Tasks - All subtabs
|
Delete IDM User
|
Delete Identity Manager user accounts. Does not include bulk operations.
|
Accounts - List Accounts (Delete only), Find Users subtabs
Tasks - All subtabs
|
Deprovision User
|
Delete and unlink existing resource accounts. Does not include bulk operations.
|
Accounts - List Accounts (Deprovision only), Find Users subtabs
Tasks - All subtabs
|
Disable User
|
Disable existing users and resource accounts. Does not include bulk operations.
|
Accounts - List Accounts (Disable only), Find Users subtabs
Tasks - All subtabs
|
Enable User
|
Enable existing users and resource accounts. Does not include bulk operations.
|
Accounts - List Accounts (Enable only), Find Users subtabs
Tasks - All subtabs
|
End User Administrator
|
View and modify the rights to object types specified in the End User capability and the End User Controlled Organizations rule.
|
NA
|
IDM Schema Configuration
|
View and configure the effective schema for Users or Roles using the Identity Manager configuration object IDM Schema Configuration.
|
NA
|
Import User
|
Import users from defined resources.
|
Accounts - Extract to File, Load from File, Load from Resource subtabs
|
Import/Export Administrator
|
Import and export all types of objects.
|
Configure - Import Exchange File subtab
|
IT Role Administrator
|
Create, edit, and delete IT Roles.
|
Tasks - Find Tasks, All Tasks, Run Tasks subtabs (synchronize roles)
Roles - All subtabs
|
Login Administrator
|
Edit the set of login modules for a given login interface.
|
Configure - Login subtab
|
Organization Administrator
|
Create, edit, and delete organizations.
|
Accounts - List Accounts subtab (Edit and create organizations and directory junctions, delete organizations only)
|
Organization Approver
|
Approve requests for new organizations.
|
Work Items - Approvals subtab
|
Organization Violation History Administrator
|
Create, modify, delete, and execute the Organization Violation History report.
|
Reports - Organization Violation History reports only
|
Password Administrator
|
Change and reset user and resource account passwords.
|
Accounts - List Accounts (list, change, and reset passwords only), Find Users subtabs
Passwords - All subtabs
Tasks - All subtabs
|
Password Administrator (Verification Required)
|
Change and reset user and resource account passwords following successful validation of the user's authentication question answers.
|
Accounts - List Accounts (list, change, and reset passwords only; verification required before action succeeds), Find Users subtabs
Passwords - All subtabs
Tasks - All subtabs
|
Policy Administrator
|
Create, edit, and delete Policies.
|
Configure - Policy subtab
|
Policy Summary Report Administrator
|
Create, modify, delete, and execute the Policy Summary Report.
|
Reports - Policy Summary reports only
|
Product Registration
|
Register an installation of Identity Manager with Sun Microsystems or create a local service tag.
|
Configure - Product Registration subtab
|
Reconcile Administrator
|
Edit reconciliation policies and control reconciliation tasks.
|
Server Tasks - All subtabs (View reconcile task).
Resources - List Resources subtab
|
Reconcile Report Administrator
|
Create, edit, delete, and run reconciliation reports.
|
Reports - Run Reports (Account Index report only), Manage Reports subtabs
|
Reconcile Request Administrator
|
Manage reconciliation requests.
|
Tasks - All subtabs
Resources - List Resources subtab (list and reconciliation features only)
|
Remedy Integration Administrator
|
Modify Remedy integration configuration.
|
Tasks - All subtabs (view tasks, run role synchronization)
Configure - Remedy Integration subtab
|
Rename User
|
Rename existing users and resource accounts.
|
Accounts - List Accounts subtab (list all accounts in scope, rename users)
|
Report Administrator
|
Configure audit settings and run all report types.
|
Tasks - All subtabs (view tasks, run role synchronization)
Reports - All subtabs
|
Reset Password Administrator
|
Reset user and resource account passwords.
|
Accounts - List Accounts, Find Users subtabs (Reset Password only)
Passwords - All subtabs
Tasks - All subtabs. Export Password Scan task only (from Run Tasks subtab)
|
Reset Password Administrator (Verification Required)
|
Reset user and resource account passwords following successful validation of the user's authentication question answers.
|
Accounts - List Accounts, Find Users subtabs (Reset Password only; verification required before action succeeds)
Passwords - All subtabs
Tasks - All subtabs. Export Password Scan task only (from Run Tasks subtab)
|
Reset Resource Password Administrator
|
Reset resource administrator account passwords.
|
Tasks - Find Tasks, All Tasks, Run Tasks subtabs
Resources - List Resources subtab. Reset resource password only (from Manage Connection > Reset Password in the actions menu)
|
Resource Administrator
|
Create, modify, and delete resources.
|
Reports - Resource user report, resource group report returns error on out-of-scope resources.
Resources - List Resources subtab (edit global policy, edit parameters, resource groups. Cannot manage connection or resource objects).
|
Resource Approver
|
Approve resource assignments
|
Work Items - Approvals subtab
|
Resource Group Administrator
|
Create, edit, and delete resource groups.
|
Resources - List Resource Groups subtab
|
Resource Object Administrator
|
Create, modify, and delete resource objects.
|
Tasks - Find Tasks, All Tasks, Run Tasks subtabs (view tasks involving resource objects).
Resources - List Resources subtab (list and manage resource objects only)
|
Resource Password Administrator
|
Change and reset resource proxy account passwords.
|
Tasks - Find Tasks, All Tasks, Run Tasks subtabs
Resources - List Resources subtab. Change resource password only (from Manage Connection > Change Password in the actions menu)
|
Resource Report Administrator
|
Create, edit, delete, and run resource reports.
|
Reports - All subtabs (resource reports only)
|
Resource Violation History Administrator
|
Create, modify, delete, and execute the Resource Violation History report.
|
Reports - Resource Violation History reports only
|
Risk Analysis Administrator
|
Create, edit, delete, and run risk analysis.
|
Risk Analysis - All subtabs
|
Role Administrator
|
Create, modify, and delete roles.
|
Tasks - Find Tasks, All Tasks, Run Tasks subtabs (synchronize roles)
Roles - All subtabs
|
Role Approver
|
Approve role assignments
|
Work Items - Approvals subtab
|
Role Report Administrator
|
Create, edit, delete, and run resource reports.
|
Reports - Role reports only
|
Run Access Review Detail Report
|
Run the Access Review Detail Report
|
Reports - Access Review Detail Report only
|
Run Access Review Summary Report
|
Run the Access Review Summary Report
|
Reports - Access Review Summary Report only
|
Run Admin Report
|
Run administrator reports.
|
Reports - Admin reports only
|
Run Audit Policy Scan Administrator
|
Run and manage the Audit Policy Scan Report
|
Reports - Audit Policy Scan report only
|
Run Audit Policy Scan Report
|
Run the Audit Policy Scan Report.
|
Reports - Audit Policy Scan reports only
|
Run Audit Report
|
Run audit reports.
|
Reports - AuditLog and Usage reports only
|
Run Audited Attribute Report
|
Execute the Audited Attribute Report.
|
Reports - Audited Attribute reports only
Reports > View Dashboards
|
Run Auditor Report
|
Run any Auditor Report.
|
Reports - any auditor report
Reports > View Dashboards
|
Run AuditLog Report
|
Execute the AuditLog Report.
|
Reports - AuditLog reports only
|
Run AuditPolicy Violation History
|
Execute the Organization Violation History report.
|
Reports - AuditPolicy Violation History reports only
Reports > View Dashboards
|
Run Policy Summary Report
|
Execute the Policy Summary Report.
|
Reports - Policy Summary reports only
|
Run Organization Violation History
|
Execute the Organization Violation History report.
|
Reports - Organization Violation History reports only
Reports > View Dashboards
|
Run Reconcile Report
|
Run reconciliation reports.
|
Reports - AuditLog and Usage reports only
|
Run Resource Report
|
Run resource reports.
|
Reports - AuditLog and Usage reports only
|
Run Resource Violation History
|
Execute the Resource Violation History report.
|
Reports - Resource Violation History reports only
|
Run Risk Analysis
|
Run risk analysis.
|
Reports - Run Risk Analysis, View Risk Analysis subtabs
|
Run Role Report
|
Run role reports.
|
Reports - Role reports only
|
Run Separation of Duties Report
|
Run a Separation of Duties Report
|
Reports - Separation of Duties Report only
Reports > View Dashboards
|
Run Task Report
|
Run task reports.
|
Reports - Task reports only
|
Run User Access Report
|
Execute the Detailed User Report.
|
Reports - User Access reports only
Reports > View Dashboards
|
Run User Report
|
Run user reports.
|
Reports - User reports only
|
Run Violation Summary Report
|
Execute the Violation Summary report.
|
Reports - Violation Summary reports only
Reports > View Dashboards
|
Security Administrator
|
Create users with capabilities; manage encryption keys, login configuration, and policies.
|
Accounts - List Accounts (delete, create, update, edit, change and edit passwords), Find Users subtabs (audit report)
Passwords - All subtabs
Tasks - Find Tasks, All Tasks, Run Tasks subtabs
Reports - All subtabs
Resources - List Resources (list and control resource objects)
Security - Policies, Login subtabs
|
Separation of Duties Report Administrator
|
Create, edit, run, and delete a Separation of Duties Report.
|
Reports - all actions for Separation of Duties Report only
|
Service Provider Admin Role
|
Manage Service Provider Admin Roles and the associated rules.
|
Security - Admin Roles tab
|
Service Provider Administrator
|
Create, edit, and manage service provider users and transactions; configure the transaction database and tracked events.
|
Accounts - Manage Service Provider Users subtab
Server Tasks > Service Provider Transactions tab
Reports > View Dashboards tab
Reports > Dashboard Configuration tab
Service Provider - all subtabs
|
Service Provider Create User
|
Create user accounts for service provider (extranet) users.
|
Accounts - Manage Service Provider Users subtab
|
Service Provider Delete User
|
Delete a service provider user account.
|
Accounts - Manage Service Provider Users subtab
|
Service Provider Update User
|
Update a service provider user account.
|
Accounts - Manage Service Provider Users subtab
|
Service Provider User Administrator
|
Manage service provider (extranet) users.
|
Accounts > Manage Service Provider Users - all subtabs
|
Service Provider View User
|
View service provider (extranet) user account information.
|
Accounts - Manage Service Provider Users subtab
|
SPML Access
|
Allows access to the Service Provisioning Markup Language (SPML) features in Identity Manager.
|
Security - Capabilities subtab
|
Task Report Administrator
|
Create, edit, delete, and run task reports.
|
Reports - Task Report only.
|
Unassign User
|
Unassign and unlink existing resource accounts. Does not include bulk operations.
|
Accounts - List Accounts (Unassign only), Find Users subtabs
Tasks - All subtabs
|
Unlink User
|
Unlink existing resource accounts. Does not include bulk operations.
|
Accounts - List Accounts (Unlink only), Find Users subtabs
Tasks - All subtabs
|
Unlock User
|
Unlock existing user’s resource accounts that support unlock. Does not include bulk operations.
|
Accounts - List Accounts (Unlock only), Find Users subtabs
Tasks - Find Tasks, All Tasks, Run Tasks subtabs
|
Update User
|
Edit existing users and initiate user update requests.
|
Accounts - Edit and update users
Tasks - Manage existing tasks (from the All Tasks subtab)
|
User Access Report Administrator
|
Create, run, edit, and delete a User Access Report
|
Reports - User Access Report only
Reports > View Dashboards
|
User Account Administrator
|
All operations on users.
|
Accounts - List Accounts, Find Users, Extract to File, Load from File, Load from Resource subtabs. Cannot assign user capabilities (Security form tab on List Accounts subtab).
Tasks - Find Tasks, All Tasks, Run Tasks subtabs
|
User Report Administrator
|
Create, edit, delete, and run user reports.
|
Reports - Run user reports.
|
View User
|
View individual user details.
|
Accounts - Select users from the list to view individual user account information. No change actions allowed.
|
Violation Summary Report Administrator
|
Create, modify, delete, and execute the Violation Summary report.
|
Reports - Violation Summary reports only
Reports > View Dashboards
|
Waveset Administrator
|
Perform system-wide tasks, such as modification of system configuration objects.
|
Server Tasks - All subtabs. Synchronize roles, edit source adapter template, and schedule reports
Reports - All subtabs
Resources - List Resources (list only; no change actions allowed)
Configure - Audit, Email Templates, Form and Process Mappings, and Servers subtabs
|