4.3 Assigning Roles Using the Administration Console

The System Administrator can use the Oracle Access Management Console to assign roles to users or groups that cover specific Application Domains. Users can be assigned multiple roles as long as the functionality doesn't overlap.

For example, if user X is assigned Global Policy Administrator, the user cannot be granted Policy Administrator for the HR domain because the latter is a child of the former.

Note:

Roles can be assigned only to users or groups from the system/default store.

From a high level:

1. When delegating administration for a specific policy object or a set of policy objects, the delegator selects the item(s) and assigns the user(s), group(s), LDAP Search Filter(s) or Domain System role(s) to it.
2. When delegating administration for all objects of a specific type, the delegator will select the user(s), group(s), LDAP Search Filter(s) or Domain System role(s) and grant the rights to administer the objects of that type to the selected. In this case, the administrator can't select objects for which administration is being delegated; the administrator will select a role that is granted to the appropriate delegatee with a specific right.

Note:

Customers using Oracle Identity Manager (or Oracle Identity Manager XE) may want to define Enterprise Roles that are common to all of IDM and use OIM to assign users and groups to these Enterprise Roles. The Administration Console allows for this.