Delegation of Privileges for Deployment of Oracle Components

This section discusses the groups responsible for deploying Oracle components. It describes the tasks these administrators perform and the privileges they can grant. It includes these topics:

• How Deployment Privileges Are Granted

• Oracle Application Server Administrators

• User Management Application Administrators

• Trusted Application Administrators

  Note: Oracle Internet Directory super users have all the privileges of Oracle Application Server Administrators and Trusted Application administrators, and must be members of the Oracle Application Server Administrators Group. They can: Assign the Oracle Application Server Administrator role to a user Assign the Trusted Application role to a user Assign the User Management Application Administrator role to a user

How Deployment Privileges Are Granted

To enable administrators to deploy Oracle components, the super user:

1. Grants certain deployment privileges to various groups--for example, the Oracle Application Server Administrators Group

2. Adds the administrators to those privileged groups

The delegated administrators, in turn, can delegate privileges to other administrators.

Oracle Application Server Administrators

Table 17-11 describes the characteristics of the Oracle Application Server Administrators Group.

Table 17-11  Characteristics of the Oracle Application Server Administrators Group

Characteristic	Description
Tasks	Perform repository database installation that creates a repository database registration entry in the directory Perform mid-tier installation. To associate a mid-tier with a repository, the user must have the appropriate privileges with a specific repository database. Install and configure Oracle Application Server components that create application entities in Oracle Internet Directory Grant to component entities the runtime privileges listed later in this section Configure provisioning profiles for components so that the components can receive update notifications
Privileges this group can delegate to components	Read Common User Attributes--except passwords, certificates, and similar security credentials Read common group attributes Create, edit, and delete groups Authenticate a user Read application verifiers
Administrators	Oracle Internet Directory super user Oracle Context Administrator Owners of this group
DN	cn=IASAdmins,cn=groups,Oracle_Context_DN

User Management Application Administrators

User Management Application Administrators must be members of the Oracle Application Server Administrators Group.

Table 17-12 describes the characteristics of the User Management Application Administrators Group.

Table 17-12  Characteristics of the User Management Application Administrators Group

Characteristic	Description
Tasks	User Management Application administrators install specific applications that have interfaces to perform user management operations--for example, OracleAS Portal and Oracle Application Server Wireless.
Privileges this group can delegate to components	Create, edit, and delete user attributes
Administrators	Oracle Internet Directory super user Oracle Context Administrator Owners of this group
DN	cn=IAS & User Mgmt Admins,cn=groups, Oracle_Context_DN

Trusted Application Administrators

Trusted Application administrators must be members of the Oracle Application Server Administrators Group.

Table 17-13 describes the characteristics of the Trusted Application Administrators Group.

Table 17-13  Characteristics of the Trusted Application Administrators Group

Characteristic	Description
Tasks	Install specific identity management components--for example, Oracle Application Server Single Sign-On, Oracle Delegated Administration Services, and Oracle Application Server Certificate Authority
Privileges this group can delegate to components	Read, compare, or reset the user password Proxy as the end-user Read, compare, or modify the user's certificate and SMIME certificate
Administrators	Oracle Internet Directory super user Oracle Context Administrator Owners of this group
DN	cn=Trusted Application Admins,cn=groups, Oracle_Context_DN