5.4 Managing Administrator Roles

By default, the Oracle Access Management Administrators role is the same as the WebLogic Administrators role (Administrators).

You can register another User Identity Store (Oracle Internet Directory, for example); however, the weblogic user must be defined in the registered store so that there is at least one user to authenticate against. Administrator login works only when the Authentication Scheme (and its assigned Authentication Module) used by the IAMSuiteAgent also uses the System Store. This section provides the following topics:

5.4.1 Understanding Administrator Roles

Your enterprise might require independent sets of Administrators: one set of users responsible for Access Manager and another for Security Token Service. All Administrator roles, users, and groups must be stored in the System Store. If the System Store changes, appropriate Administrator roles must be added to the new System Store.

If, when editing an Identity Store registration, you designate a store as the System Store, the Access System Administrator section appears. You can add new Administrator roles when adding or editing a User Identity Store registration. Figure 5-6 shows the page and controls to use.

Figure 5-6 Add System Administrator Roles


5.4.2 Defining and Removing Administrator Roles

Oracle Access Management Administrator roles, which must be stored in the User Identity Store designated as the System Store, can be defined or removed.

First, define the desired LDAP group to use for Administrators and then ensure that your Administrators group is available in the group search base. (See About using the System Store for User Identities.) To add or remove an Administrator role from the System Store, follow this procedure.
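Before granting the group role, it is worth confirming the two preconditions above against an export of the group entry rather than discovering a mismatch at the login test in the last step. The following Python helper is an added example, not Oracle code: it parses a constructed LDIF export of the Administrators group (the DNs, names and search base are assumptions) and reports whether the group lies under the group search base and whether the intended administrator accounts, including weblogic, are members.

```python
import re

# Constructed sample Administrators group entry (ldapsearch-style export); DNs are assumptions.
SAMPLE_LDIF = """\
dn: cn=OAMAdministrators,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: OAMAdministrators
uniqueMember: cn=weblogic,cn=Users,dc=example,dc=com
uniqueMember: cn=oamadmin,cn=Users,dc=example,dc=com
"""

def normalize_dn(dn):
    """Split on unescaped commas, fold case and whitespace (directory-style comparison)."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns

def dn_in_search_base(dn, search_base):
    """True if dn equals search_base or sits anywhere beneath it."""
    d, b = normalize_dn(dn), normalize_dn(search_base)
    return len(d) >= len(b) and d[-len(b):] == b

def parse_group(ldif):
    """Return (group_dn, member_dns) from a single-entry LDIF text."""
    group_dn, members = None, []
    for line in ldif.splitlines():
        key, _, value = line.partition(':')
        key, value = key.strip(), value.strip()
        if key == 'dn':
            group_dn = value
        elif key in ('member', 'uniqueMember'):
            members.append(value)
    return group_dn, members

def check_admin_group(ldif, group_search_base, required_admins):
    """List every unmet precondition for using this group as an
    Administrator role; an empty list means the group is ready."""
    group_dn, members = parse_group(ldif)
    if group_dn is None:
        return ["no group entry found in LDIF"]
    problems = []
    if not dn_in_search_base(group_dn, group_search_base):
        problems.append(f"{group_dn} is outside group search base {group_search_base}")
    norm_members = {tuple(normalize_dn(m)) for m in members}
    for admin in required_admins:
        if tuple(normalize_dn(admin)) not in norm_members:
            problems.append(f"{admin} is not a member of {group_dn}")
    return problems
```

Feed it the real export of your Administrators group and the group search base from the store registration; any reported problem must be fixed in the directory before the group can be granted as an Administrator role.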

  1. View System Store Registration: Perform the following steps (or find a different System Store in the Data Sources node to designate as the System Store).

    1. At the top of the Oracle Access Management Console, click Configuration.

    2. In the Configuration console, click Administration.

      The registered System Store cannot be changed from this page.

    3. Search the System Store to find configured administrators.

  2. Add User Roles:

    1. Click the Grant (+) button above the Access System Administrators table to display the Add Users and Groups dialog box.

    2. Select User in the Type list and click Search.

    3. In the results list, click the desired user, then click Add Selected.

    4. Repeat as needed to add the desired Administrator User roles.

    5. Click Apply to submit user roles.

  3. Add Group Roles:

    1. Click the Grant (+) button above the Access System Administrators table to display the Add Users and Groups dialog box.

    2. Select Group in the Type list and click the Search button.

    3. In the results list, click the desired Group and then click the Add Selected button.

    4. Repeat as needed to add the desired Administrator Group roles.

    5. Click Apply to submit Group roles.

  4. Remove Administrator Roles:

    1. In the Access System Administrators table, click the row containing the user or group to remove.

    2. Click the Delete (x) button above the table.

    3. Confirm removal when asked.

    4. Click Apply to submit the removal.

  5. Correct any authentication plug-ins that use the System Store (if this is a new store).

    This procedure is described in "Orchestrating Multi-Step Authentication with Plug-in Based Modules".

  6. Test the New Role: Close the browser window, then re-open it.

    1. Sign out of the Oracle Access Management Console and close the browser window.

    2. Start up the Oracle Access Management Console and attempt to log in using the previous Administrator role to confirm that this attempt fails.

    3. Log in using the new Administrator role to confirm that this attempt is successful.

      Login Failure: See "Administrator Lockout".