Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01

Delegation of Privileges for an Oracle Technology Deployment, 3 of 5


Delegation of Privileges for User and Group Management

Administrative privileges are delegated to either Oracle components that use the identity management infrastructure or to end users themselves. A privilege can be delegated to either an identity--for example, a user or application--or to a role or group.

This section contains these topics:

  How Privileges Are Granted for Managing User and Group Data
  Default Privileges for Managing User Data
  Default Privileges for Managing Group Data

How Privileges Are Granted for Managing User and Group Data

To delegate administrative privileges, the Oracle Internet Directory super user does the following:

  1. Creates an identity management realm

  2. Identifies a special user in that realm who is called the realm administrator

  3. Delegates all privileges to that realm administrator

This realm administrator, in turn, delegates certain privileges that Oracle components require to the Oracle-defined roles--for example, Oracle Application Server administrators. The Oracle components receive these roles when they are deployed.

In addition to delegating privileges to roles specific to Oracle components, the realm administrator can also define roles specific to the deployment--for example, a role for help desk administrators--and grant privileges to those roles. These delegated administrators can, in turn, grant these roles to end users. In fact, because a majority of user management tasks involve self-service--like changing a phone number or specifying application-specific preferences--these privileges can be delegated to end users by both the realm administrator and Oracle component administrators.

In the case of a group, one or more owners--typically end users--can be identified. If they are granted the necessary administrative privileges, then these owners can manage the group by using Oracle Internet Directory Self-Service Console, Oracle Directory Manager, or command-line tools.

Default Privileges for Managing User Data

Managing users involves privileges to:

  Create users in a realm
  Modify the attributes of a user
  Delete a user
  Delegate user administration

The access control policy point (ACP) for creating users is at the Users container in the identity management realm.

This section describes each of these privileges in more detail.

Creating Users for a Realm

To create users for a realm, an administrator must be a member of the Subscriber DAS Create User Group. Table 17-3 describes the characteristics of this group.

Table 17-3  Characteristics of the Subscriber DAS Create User Group

  Characteristic   Description
  Default ACP      The ACL at the Users container in the default realm allows the Subscriber DAS Create User Group in the realm Oracle Context to create users under the Users container.
  Administrators   The Oracle Internet Directory super user
                   Members of the Oracle Context Administrators Group
                   Members of the User Privilege Assignment Group
                   Members of the DAS Administrators Group
                   Owners of this group
  DN               cn=oracleDASCreateUser,cn=groups,Oracle_Context_DN

Modifying Attributes of a User

To modify user attributes, an administrator must be a member of the Subscriber DAS Edit User Group. Table 17-4 describes the characteristics of this group.

Table 17-4  Characteristics of the Subscriber DAS Edit User Group

  Characteristic   Description
  Default ACP      The ACL at the Users container in the default identity management realm allows the Subscriber DAS Edit User Group in the realm Oracle Context to modify various attributes of users.
  Administrators   The Oracle Internet Directory super user
                   Members of the Oracle Context Administrators Group
                   Members of the User Privilege Assignment Group
                   Members of the DAS Administrators Group
                   Owners of this group
  DN               cn=oracleDASEditUser,cn=groups,Oracle_Context_DN

Deleting a User

To delete a user in a realm, an administrator must be a member of the DAS Delete User Group. Table 17-5 describes the characteristics of this group.

Table 17-5  Characteristics of the DAS Delete User Group

  Characteristic   Description
  Default ACP      The ACL at the Users container in the default identity management realm allows the DAS Delete User Group in the realm Oracle Context to delete a user from the realm.
  Administrators   The Oracle Internet Directory super user
                   Members of the Oracle Context Administrators Group
                   Members of the User Privilege Assignment Group
                   Members of the DAS Administrators Group
                   Owners of this group
  DN               cn=oracleDASDeleteUser,cn=groups,Oracle_Context_DN

Delegating User Administration

Delegating user administration means adding a user to, or removing a user from, the User Creation, User Edit, or User Delete Groups described previously. A delegated administrator can then perform the operations those groups permit within the directory.

To grant user administration privileges to a delegated administrator, the granting administrator must be a member of the User Privilege Assignment Group. Because a member of this group can place any user, including himself, in the three groups above, membership in it is effectively a superset of all three user management privileges and should be held by far fewer accounts than the privileges themselves. Table 17-6 describes the characteristics of this group.

Table 17-6  Characteristics of the User Privilege Assignment Group

  Characteristic   Description
  Default ACP      The ACL policy for each of the groups previously mentioned allows members of the User Privilege Assignment Group to add users to or remove them from those groups.
  Administrators   The Oracle Internet Directory super user
                   Members of the Oracle Context Administrators Group
                   Owners of this group. The DNs of these owners are listed as values of the owner attribute in the group.
  DN               cn=oracleDASUserPriv,cn=groups,Oracle_Context_DN

Default Privileges for Managing Group Data

Managing groups involves privileges to:

  Create groups
  Modify the attributes of groups
  Delete groups
  Delegate group administration

The ACP for creating groups is at the Groups container in the identity management realm.

Creating Groups

To create groups in Oracle Internet Directory, an administrator must be a member of the Group Creation Group. Table 17-7 describes the characteristics of this group.

Table 17-7  Characteristics of the Group Creation Group

  Characteristic   Description
  Default ACP      The ACL at the Groups container in the realm allows the Group Creation Group to add new groups in the realm.
  Administrators   The Oracle Internet Directory super user
                   Members of the Oracle Context Administrators Group
                   Members of the Oracle Application Server Administrators Group
                   Members of the Group Privilege Assignment Group
                   Members of the DAS Administrators Group
                   Owners of this group
  DN               cn=oracleDASCreateGroup,cn=groups,Oracle_Context_DN

Modifying the Attributes of Groups

To modify the attributes of groups under the Groups container in a realm, an administrator must be a member of the Group Edit Group. Table 17-8 describes the characteristics of this group.

Table 17-8  Characteristics of the Group Edit Group

  Characteristic   Description
  Default ACP      The ACL at the Groups container in the realm allows the Group Edit Group to modify various attributes of groups in the realm.
  Administrators   The Oracle Internet Directory super user
                   Members of the Oracle Context Administrators Group
                   Members of the Oracle Application Server Administrators Group
                   Members of the Group Privilege Assignment Group
                   Members of the DAS Administrators Group
                   Owners of this group
  DN               cn=oracleDASEditGroup,cn=groups,Oracle_Context_DN

Deleting Groups

To delete groups, an administrator must have membership in the Group Delete Group. Table 17-9 describes the characteristics of this group.

Table 17-9  Characteristics of the Group Delete Group

  Characteristic   Description
  Default ACP      The ACL at the Groups container in the realm allows the Group Delete Group to delete groups in the realm.
  Administrators   The Oracle Internet Directory super user
                   Members of the Oracle Context Administrators Group
                   Members of the Group Privilege Assignment Group
                   Members of the DAS Administrators Group
                   Owners of this group
  DN               cn=oracleDASDeleteGroup,cn=groups,Oracle_Context_DN

Delegating Group Administration

To delegate group administration to other users--that is, to add or remove users from the Group Creation, Group Edit, or Group Delete Groups described previously--an administrator must be a member of the Group Privilege Assignment Group. Table 17-10 describes the characteristics of this group.

Table 17-10  Characteristics of the Group Privilege Assignment Group

  Characteristic   Description
  Default ACP      The ACL policy for the Group Creation, Group Edit, and Group Delete Groups allows members of the Group Privilege Assignment Group to add users to or remove them from those groups.
  Administrators   The Oracle Internet Directory super user
                   Members of the Oracle Context Administrators Group
                   Owners of this group. The DNs of these owners are listed as values of the owner attribute in the group.
  DN               cn=oracleDASGroupPriv,cn=groups,Oracle_Context_DN
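The tables for the user privilege groups (17-3 to 17-6) and the group privilege groups (17-7 to 17-10) together define two things a practitioner needs to check in a running realm: who holds each privilege, and who is able to hand it out. The following is an added example, not code from this guide or from Oracle: it derives the eight group DNs from an Oracle_Context_DN, reads an ldapsearch-style snapshot of the realm, reproduces the "Administrators" row of each table to decide whether a given account may change a privilege group's membership, lists the owners and privilege-assignment members who can grant privileges without belonging to a core administrator group, and builds the ldapmodify input for a delegation. It assumes group members are stored in the uniquemember attribute and owners in the owner attribute; the cn values used for the Oracle Context Administrators, DAS Administrators and Oracle Application Server Administrators groups, the realm DN cn=OracleContext,dc=example,dc=com, the super user DN cn=orcladmin and every account in the snapshot are constructed placeholders, not values taken from this page.

```python
"""Audit grantors of the OID DAS privilege groups and build delegation LDIF.
Added example, not Oracle code.  Assumptions (not on the page): members live
in 'uniquemember', owners in 'owner'; the admin-group cn values, realm DN,
super user DN and all accounts below are hypothetical placeholders."""
from typing import Dict, List, Set, Tuple

ORACLE_CONTEXT_ADMINS = "cn=OracleContextAdmins"   # hypothetical cn
DAS_ADMINS = "cn=OracleDASAdminGroup"              # hypothetical cn
ORACLEAS_ADMINS = "cn=IAS Admins"                  # hypothetical cn

# Privilege groups from Tables 17-3 to 17-10: cn -> (privilege assignment
# group that may edit its membership, other admin groups the table lists).
PRIVILEGE_GROUPS: Dict[str, Tuple[str, List[str]]] = {
    "cn=oracleDASCreateUser":  ("cn=oracleDASUserPriv", [DAS_ADMINS]),
    "cn=oracleDASEditUser":    ("cn=oracleDASUserPriv", [DAS_ADMINS]),
    "cn=oracleDASDeleteUser":  ("cn=oracleDASUserPriv", [DAS_ADMINS]),
    "cn=oracleDASUserPriv":    ("", []),
    "cn=oracleDASCreateGroup": ("cn=oracleDASGroupPriv", [ORACLEAS_ADMINS, DAS_ADMINS]),
    "cn=oracleDASEditGroup":   ("cn=oracleDASGroupPriv", [ORACLEAS_ADMINS, DAS_ADMINS]),
    "cn=oracleDASDeleteGroup": ("cn=oracleDASGroupPriv", [DAS_ADMINS]),
    "cn=oracleDASGroupPriv":   ("", []),
}
Entries = Dict[str, Dict[str, List[str]]]


def group_dn(cn: str, oracle_context_dn: str) -> str:
    """cn=<group>,cn=groups,Oracle_Context_DN, as the tables give it."""
    return f"{cn},cn=groups,{oracle_context_dn}"


def parse_ldif(text: str) -> Entries:
    """Minimal parser for ldapsearch LDIF output: lower-cased dn -> {attr: [values]}."""
    entries: Entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def _values(entries: Entries, dn: str, attr: str) -> Set[str]:
    # DN matching is case-insensitive in LDAP, so compare lower-cased strings.
    return {v.lower() for v in entries.get(dn.lower(), {}).get(attr, [])}


def grantors(entries: Entries, cn: str, octx: str, super_user: str) -> Set[str]:
    """DNs that may add or remove members of privilege group cn: the
    'Administrators' row of its table (super user, Oracle Context admins,
    the matching privilege assignment group, listed extras, group owners)."""
    assign_cn, extras = PRIVILEGE_GROUPS[cn]
    who = {super_user.lower()}
    for admin_cn in [ORACLE_CONTEXT_ADMINS, assign_cn, *extras]:
        if admin_cn:
            who |= _values(entries, group_dn(admin_cn, octx), "uniquemember")
    who |= _values(entries, group_dn(cn, octx), "owner")
    return who


def can_delegate(entries: Entries, actor: str, cn: str, octx: str, super_user: str) -> bool:
    return actor.lower() in grantors(entries, cn, octx, super_user)


def delegation_ldif(cn: str, delegate_dn: str, octx: str, remove: bool = False) -> str:
    """ldapmodify input that adds (or removes) delegate_dn in privilege group cn."""
    op = "delete" if remove else "add"
    return (f"dn: {group_dn(cn, octx)}\nchangetype: modify\n"
            f"{op}: uniquemember\nuniquemember: {delegate_dn}\n-\n")


def findings(entries: Entries, octx: str, super_user: str) -> List[Tuple[str, str, str]]:
    """Principals who can grant privileges without being in a core admin group."""
    core = {super_user.lower()}
    for admin_cn in (ORACLE_CONTEXT_ADMINS, DAS_ADMINS):
        core |= _values(entries, group_dn(admin_cn, octx), "uniquemember")
    out: List[Tuple[str, str, str]] = []
    for cn, (assign_cn, _) in PRIVILEGE_GROUPS.items():
        dn = group_dn(cn, octx)
        for owner in sorted(_values(entries, dn, "owner") - core):
            out.append((cn, owner, "group owner: may add or remove members"))
        if not assign_cn:                 # itself a privilege assignment group
            for m in sorted(_values(entries, dn, "uniquemember") - core):
                out.append((cn, m, "may grant every privilege this group controls"))
    return out


# Constructed ldapsearch-style snapshot of one realm (not real directory data).
OCTX = "cn=OracleContext,dc=example,dc=com"   # hypothetical Oracle_Context_DN
SUPER_USER = "cn=orcladmin"                    # assumed super user DN
SAMPLE_LDIF = """
dn: cn=OracleContextAdmins,cn=groups,cn=OracleContext,dc=example,dc=com
uniquemember: cn=orcladmin
uniquemember: cn=realmadmin,cn=users,dc=example,dc=com

dn: cn=oracleDASUserPriv,cn=groups,cn=OracleContext,dc=example,dc=com
uniquemember: cn=helpdesklead,cn=users,dc=example,dc=com

dn: cn=oracleDASCreateUser,cn=groups,cn=OracleContext,dc=example,dc=com
owner: cn=contractor1,cn=users,dc=example,dc=com
uniquemember: cn=helpdesk1,cn=users,dc=example,dc=com

dn: cn=oracleDASCreateGroup,cn=groups,cn=OracleContext,dc=example,dc=com
uniquemember: cn=projectowner,cn=users,dc=example,dc=com
"""

if __name__ == "__main__":
    snapshot = parse_ldif(SAMPLE_LDIF)
    for cn, who, why in findings(snapshot, OCTX, SUPER_USER):
        print(f"{cn}: {who} ({why})")
    lead = "cn=helpdesklead,cn=users,dc=example,dc=com"
    if can_delegate(snapshot, lead, "cn=oracleDASCreateUser", OCTX, SUPER_USER):
        print(delegation_ldif("cn=oracleDASCreateUser",
                              "cn=helpdesk2,cn=users,dc=example,dc=com", OCTX))
```

Two results of the constructed snapshot are worth noting. The help desk lead, as a member of the User Privilege Assignment Group, may add anyone to the Subscriber DAS Create User Group but may not extend the User Privilege Assignment Group itself, since only the super user, Oracle Context Administrators and that group's owners appear in Table 17-6. The contractor listed in the owner attribute of the Subscriber DAS Create User Group is a grantor of that privilege on equal footing with those administrators, which is why the audit reports owners of every privilege group, not only their members. The generated LDIF is what a grantor would feed to the ldapmodify command-line tool, binding as their own DN; the directory's ACLs, not this script, are what ultimately enforce the rules in the tables.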


Oracle
Copyright © 1999, 2003 Oracle Corporation.

All Rights Reserved.