Specifies the operations that are permitted or can be performed on this LDAP server. The default operations are the only operations supported by this LDAPv3 repository plug-in. The following operations are supported by the LDAPv3 Repository plug-in:
Filtered role: read, create, edit, delete
Group: read, create, edit, delete
Realm: read, create, edit, delete, service
User: read, create, edit, delete, service
Role: read, create, edit, delete
You can remove permissions from the above list (except role) based on your LDAP server settings and the tasks, but you cannot add more permissions. If the configured LDAPv3 Repository plug-in is pointing to an instance of Sun Directory Server, then permissions for the type role can be added. Otherwise, this permission may not be added because other data stores may not support roles.
If you have user as a supported type for the LDAPv3 repository, the read, create, edit, and delete service operations are possible for that user. In other words, if user is a supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries from the identity repository. The user=service operation lets OpenSSO Enterprise services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.
The user is also allowed to manage the user attributes for any assigned service. If the user has service as the operation (user=service), then it specifies that all service-related operations are supported. These operations are assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes and modifyService.
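The following added example (not part of the OpenSSO Enterprise documentation or product code) audits a proposed setting against the rules above: operations can only be removed from the defaults, and role is valid only for Sun Directory Server. The lowercase `type=op,op` line format, the function names, and the sample values are assumptions made for illustration.

```python
# Defaults as listed on this page; lowercase "type=op,op" keys are an assumption.
DEFAULTS = {
    "filteredrole": {"read", "create", "edit", "delete"},
    "group": {"read", "create", "edit", "delete"},
    "realm": {"read", "create", "edit", "delete", "service"},
    "user": {"read", "create", "edit", "delete", "service"},
    "role": {"read", "create", "edit", "delete"},
}
# Service-related operations enabled by "service", as named on this page.
SERVICE_OPS = ["assignService", "unassignService", "getAssignedServices",
               "getServiceAttributes", "removeServiceAttributes", "modifyService"]


def parse(lines):
    """Parse 'type=op1,op2' lines into {type: set(ops)}."""
    config = {}
    for raw in lines:
        id_type, sep, ops = raw.partition("=")
        if not sep:
            raise ValueError(f"missing '=' in {raw!r}")
        config[id_type.strip().lower()] = {o.strip().lower() for o in ops.split(",") if o.strip()}
    return config


def audit(lines, sun_directory_server=False):
    """Return a list of findings; an empty list means the setting stays within the defaults."""
    findings = []
    for id_type, ops in parse(lines).items():
        if id_type not in DEFAULTS:
            findings.append(f"{id_type}: unknown type")
            continue
        if id_type == "role" and not sun_directory_server:
            findings.append("role: only valid when the data store is Sun Directory Server")
        for op in sorted(ops - DEFAULTS[id_type]):
            findings.append(f"{id_type}: operation '{op}' is not in the default set")
    return findings


def service_operations(lines, id_type="user"):
    """List the service-related calls that 'service' enables for id_type."""
    return list(SERVICE_OPS) if "service" in parse(lines).get(id_type, set()) else []


# Constructed sample: a trimmed, read-mostly configuration with two mistakes.
SAMPLE = ["user=read,edit,service", "group=read,service", "role=read"]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the audit before applying a change catches an entry that grants more than the defaults allow, and `service_operations` shows what keeping `service` on a type actually exposes.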