Oracle® Identity Manager Administrative and User Console Guide Release 9.1.0 Part Number E10360-03
As an administrator, you use user groups to create and manage the records of a collection of users to whom you want to permit access to common functionality, such as access rights, roles, or permissions.
User groups can be independent of an organization, span multiple organizations, or contain users from a single organization.
Using user groups, you can:

- Designate the menu items that the users can access through the Administrative and User Console.
- Assign users or subgroups to the user groups.
- Designate status to the users so that they can specify defined responses for process tasks.
- Make modifications and request permissions for data objects.
- Designate group administrators to perform actions on groups, such as enabling members of another user group to assign members to the current user group.
- Designate provisioning policies for a user group. These policies determine if a resource object is to be provisioned to or requested for a member of the user group.
- Assign or remove membership rules to or from the user group. These rules determine which users can be assigned to the user group.
Oracle Identity Manager provides three default user groups:

- System Administrators
- Operators
- All Users
You can modify the permissions associated with the default user groups. You can also create additional user groups.
Members of the System Administrators user group have full permission to create, edit, and delete records in Oracle Identity Manager, except for system records. These users can control the permissions of other users, change the status of process tasks even when the task is not assigned to them, and administer the system from the highest level.
Members of the Operators user group have access to the Organizations, Users, and Task List forms. These users can perform a subset of functions on these forms.
Members of the All Users user group have minimal permissions, including the ability to access the user's own user record. By default, each user belongs to the All Users user group.
Note:
A user cannot be removed from the All Users group.
A user group, SELF OPERATORS, is added to Oracle Identity Manager by default. This user group contains one user, XELSELFREG, who is responsible for modifying user permissions for performing self-registration in the Administrative and User Console.
Oracle recommends that you do not modify the permissions associated with the SELF OPERATORS group and do not assign users to this group.
When you first create a new user group, the Group Detail page shows the group name. You can add information to a user group by using the Additional Detail menu as described in "Managing Groups".
To create a user group:

1. In the left navigation pane, click User Groups, and then click Create. The Create User Group page is displayed.
2. Enter the name of the user group in the Name field.
3. Click Create. The Group Detail page is displayed.
4. Click Edit to modify the Group Name. Alternatively, click Delete to delete the user group.
You can find user groups, add information to them, and perform other administrative functions for user groups.
To search for a user group:

1. In the left navigation pane, click User Groups, then click Manage. The Manage Group page is displayed.
2. Select Group Name from the menu, then enter a value in the field next to the menu. You can use the asterisk (*) as a wildcard character to query for all user groups.
3. Click Search. The results page is displayed. In this page, you can view and delete user groups.
To delete a user group:

1. Search for a group as described in "Searching for User Groups".
2. Select the Delete check box next to the group you want to delete, then click Delete. The Confirmation page is displayed.
3. Click Confirm Delete to complete the deletion of this user group, or click Cancel.
After selecting the user group that you want to view, you can view the following details about the selected user group:
You can assign a user or a subgroup to a group. The Assign Users and Assign Sub-groups options are similar in functionality. In the following procedure, the Assign Users option is used as an example.
To assign users to a group:

1. Search for a group as described in "Searching for User Groups", then click the name of a group in the results table.
2. From the additional details box, select Members and Sub-Groups. The Members and Sub-Groups page is displayed.
3. Click Assign Users.
4. Click Search Users to display a list of user names, or click Clear. The results table is displayed. To increase or decrease the priority of a member, click the option associated with the member in the Increase/Decrease Priority column of the results table, and then click Increase or Decrease. To remove a member of the group, click the option for the member in the Remove column of the results table, and then click Remove Member.
5. Select the appropriate option for the user ID, and then click Assign. The Confirmation page is displayed with the user ID names that you have just selected.
6. If you want to proceed with the user assignment, then click Confirm Assigns. Otherwise, click Cancel.
The Menu Items search criteria display all menu items that are permitted for the user group. The Menu Items option lets you assign a new menu item for the user group.
To assign menu items to a user group:

1. Search for a group as described in "Searching for User Groups", then click the name of a group in the results table. The Group Detail page is displayed.
2. From the additional details box, select Menu Items. The Menu Items page is displayed.
3. Click Assign Menu Items. The Assign Menu Items page is displayed.
4. Select the appropriate options for the menu items, and then click Assign. The Confirmation page is displayed.
5. If you want to proceed with the menu assignment, then click Confirm Assign. Otherwise, click Cancel.
The Result table is displayed with the menu items permitted for this user group. This page also lets you delete the menu items that you do not want to permit.
To delete a menu item, select the option for the menu item, and then click Delete.
The menu item is no longer associated with this user group.
You can view all administrative groups associated with a user group. In addition, you can:

- Assign an administrative group
- Create a new administrative group
- Update the permissions for the administrative group
Assigning an Administrative Group
To assign an administrative group:

1. Search for a group as described in "Searching for User Groups", then click the name of a group in the results table. The Group Detail page is displayed.
2. From the additional details box, select Administrative Groups. The Administrative Groups page is displayed.
3. Click Assign Administrative Groups. The Assign Administrative Groups page is displayed. This page displays all the administrative groups available to be associated with the user group.
4. Select the appropriate option for the administrative group and the respective permission settings for write and delete access, and then click Assign. The Confirmation page is displayed.
5. Click Confirm Assign, or click Cancel. The Result table is displayed with the administrative group that can administer the user group.
Creating an Administrative Group
To create a new administrative group:

1. Search for a group as described in "Searching for User Groups", and then click the name of a group in the results table. The Group Detail page is displayed.
2. From the additional details box, select Administrative Groups. The Administrative Groups page is displayed.
3. Click Create New Group to create a new administrative group for this user group. The Step 1: Assign Administrators page of the Assign Administrators Wizard is displayed.
4. Select the option for the user or users that you want to be in this new administrative group, and click Add. The User Login names appear in the Selected list.
5. Click Continue, or click Back or Exit to end the wizard. The Step 2: Specify Alias page is displayed.
6. Enter an alias name for the new administrative group, and then click Continue. Otherwise, click Back to go to the previous page or Exit to end the wizard. The Step 3: Specify Permissions page is displayed. By default, the option for Read permission is selected.
7. Select the option for the Write or Delete permission, and then click Continue. The Step 4: Verify Delegation Information page is displayed. This page displays the alias of the administrative group, the users who belong to this administrative group, and the permissions for the group.
8. To modify this administrative group, click Change. Clicking Change brings you back to the appropriate wizard page where you can make modifications. Otherwise, click Continue. The Administrative Groups page is displayed.
To update group permissions:

1. Search for a group as described in "Searching for User Groups", then click the name of a group in the results table. The Group Detail page is displayed.
2. From the additional details box, select Administrative Groups. The Administrative Groups page is displayed.
3. To update the permissions for the administrative groups associated with the user group, click Update Permission. The Update Permissions page is displayed. This page displays the administrative group names and permissions for write and delete access.
4. To change the permission setting for an administrative group, click the options for Write Access and Delete Access, then click Update to make the modifications. Otherwise, click Cancel. The Confirmation page is displayed. This page displays the administrative group names that you have updated.
5. If this page contains the correct names, click Confirm Update. Otherwise, click Cancel. The Administrative Groups page is displayed. The updated administrative group or groups are displayed with their modified write or delete access permissions.

To delete an administrative group, select the option for the group name, and then click Delete.
You can display all available access policies for this user group and assign and delete access policies for the user group.
To assign access policies to a user group:

1. Search for a group as described in "Searching for User Groups", then click the name of a group in the results table. The Group Detail page is displayed.
2. From the additional details box, select Access Policies. The Access Policies page is displayed.
3. To assign a new access policy, click Assign. The Assign Access Policies page is displayed. This page displays the policy name and a brief description of the policy.
4. Select the option for the access policy for the user group, then click Confirm Assign. Otherwise, click Cancel. The Confirmation page is displayed.
5. To assign the access policy, click Confirm Assign. Otherwise, click Cancel. The Access Policies page is displayed.

To delete this access policy, select the option for the policy, and then click Delete.
You can display all available membership rules for this user group, assign a new membership rule for the user group, and delete membership rules.
To work with membership rules:

1. Search for a group as described in "Searching for User Groups", then click the name of a group in the results table. The Group Detail page is displayed.
2. From the additional details box, select Membership Rules. The Membership Rules page is displayed.
3. To assign a new membership rule, click Assign Rules. The Assign Membership Rules page is displayed. This page displays the name of the membership rule.
4. Select the option for the membership rule for this user group, then click Confirm Assign. Otherwise, click Cancel. The Confirmation page is displayed.
5. To assign the membership rule, click Confirm Assign. Otherwise, click Cancel. The Membership Rules page is displayed.

To delete this membership rule, select the option for the membership rule, and then click Delete.
Most permissions in Oracle Identity Manager concern data objects. You can define data objects as an internal object representation of tables in the Oracle Identity Manager data model. In this model, the business logic is executed and responsible for inserting, updating, and deleting data from the data store. Permissions for these actions are defined at a group level. Depending on the table or data objects, these permissions can be categorized into the following:
Explicit Insert/Update/Delete Permission Required
Data objects for which explicit insert, update, or delete permission is required are the ones for which you must specify the insert, update, or delete permission by using Permissions from the Group Details list in Oracle Identity Manager Administrative and User Console to create, modify, and delete entities of these data objects.
Consider the following example: A user belongs to multiple groups and a data object is assigned to both of these groups. Suppose you want to delete an entity of this data object type. To be able to do so, you must ensure that both groups have update permission on the data object.
Table 10-1 lists the data objects listed in this category and the entities of these data objects.
Table 10-1 Data Objects Requiring Explicit Insert/Update/Delete Permissions
Data Object Type | Entities |
---|---|
com.thortech.xl.dataobj.tcACS | Organization.Lnk_Act_Svr |
com.thortech.xl.dataobj.tcADL | Adapter Factory Logic/SetVariable tasks |
com.thortech.xl.dataobj.tcADM | Adapter Factory Input/output parameters |
com.thortech.xl.dataobj.tcADP | Adapter Definitions |
com.thortech.xl.dataobj.tcADS | Adapter Factory Stored Procedure tasks |
com.thortech.xl.dataobj.tcADT | Adapter Tasks |
com.thortech.xl.dataobj.tcADU | Adapter Factory WebServices tasks |
com.thortech.xl.dataobj.tcADV | Adapter Factory Variables |
com.thortech.xl.dataobj.tcAPA | Attestation Process Administrators |
com.thortech.xl.dataobj.tcARS | Adapter Statuses |
com.thortech.xl.dataobj.tcATP | Adapter Factory Parameter Task Table |
com.thortech.xl.dataobj.tcDAV | Data Object Adapter Variable |
com.thortech.xl.dataobj.tcDVT | Event handlers associated with data objects |
com.thortech.xl.dataobj.tcEMD | Email Definitions |
com.thortech.xl.dataobj.tcERR | Error Message Definitions |
com.thortech.xl.dataobj.tcEVT | Event Handlers |
com.thortech.xl.dataobj.tcGPY | User Group Properties |
com.thortech.xl.dataobj.tcLKU | Lookup Definitions |
com.thortech.xl.dataobj.tcLKV | Lookup values for a lookup |
com.thortech.xl.dataobj.tcOBA | Resource object authorizers |
com.thortech.xl.dataobj.tcODF | Object To Process Data Flow |
com.thortech.xl.dataobj.tcODV | Resource object Events |
com.thortech.xl.dataobj.tcOOD | Resource Objects Organization Object Dependencies |
com.thortech.xl.dataobj.tcOUD | Resource Objects User Object Dependencies |
com.thortech.xl.dataobj.tcPDF | Process Integration Data Flow Mappings |
com.thortech.xl.dataobj.tcPKH | Package Hierarchy |
com.thortech.xl.dataobj.tcPOC | Access Policies Child Table Data |
com.thortech.xl.dataobj.tcPOF | Policy parent data |
com.thortech.xl.dataobj.tcPOG | User groups defined on access policy |
com.thortech.xl.dataobj.tcPOL | Access policy definition |
com.thortech.xl.dataobj.tcPOP | Assigned Objects on access policies |
com.thortech.xl.dataobj.tcPRF | Process Reconciliation Field Mappings |
com.thortech.xl.dataobj.tcPTY | System Configuration |
com.thortech.xl.dataobj.tcPWP | Policy Process Targets |
com.thortech.xl.dataobj.tcPWR | Password Policies |
com.thortech.xl.dataobj.tcPWT | Policy User Targets |
com.thortech.xl.dataobj.tcRAV | Prepopulate Adapter Mappings |
com.thortech.xl.dataobj.tcRCA | Reconciliation Matched Organizations |
com.thortech.xl.dataobj.tcRCH | Reconciliation Event Action History |
com.thortech.xl.dataobj.tcRCP | Reconciliation Event Processes Matched |
com.thortech.xl.dataobj.tcRCU | Reconciliation Event Users Matched |
com.thortech.xl.dataobj.tcRCX | Reconciliation Exceptions |
com.thortech.xl.dataobj.tcRES | Adapter Factory Resources |
com.thortech.xl.dataobj.tcRGP | Group Membership Rules |
com.thortech.xl.dataobj.tcRML | Task Assignment Rules |
com.thortech.xl.dataobj.tcRPG | Reports on user groups |
com.thortech.xl.dataobj.tcRUL | Rules |
com.thortech.xl.dataobj.tcRUE | Rule Element |
com.thortech.xl.dataobj.tcSDC | User defined columns on system user-defined forms |
com.thortech.xl.dataobj.tcSDH | Parent child hierarchy of user defined forms |
com.thortech.xl.dataobj.tcSDL | Form Definition Version Label |
com.thortech.xl.dataobj.tcSDP | Form Definition Properties |
com.thortech.xl.dataobj.tcSPD | IT Resources Type Parameter Definition |
com.thortech.xl.dataobj.tcSRE | Association between user defined columns and pre-populate adapters |
com.thortech.xl.dataobj.tcSRS | IT Resource Link |
com.thortech.xl.dataobj.tcSUG | IT Resources Administrators |
com.thortech.xl.dataobj.tcSVD | IT Resources Type Definition |
com.thortech.xl.dataobj.tcTDV | Process Event Handlers |
com.thortech.xl.dataobj.tcTLG | System Log |
com.thortech.xl.dataobj.tcTSA | Schedule Task Attributes |
com.thortech.xl.dataobj.tcTSK | Scheduled Tasks |
com.thortech.xl.dataobj.tcUHD | Users Objects History Details |
com.thortech.xl.dataobj.tcUPL | User Defined Field Lookups |
com.thortech.xl.dataobj.tcUPT | User Defined Field Values |
com.thortech.xl.dataobj.tcUPY | System Configuration Users |
com.thortech.xl.dataobj.tcWIN | Form Information |
Administrative Groups
These data objects do not use permissions that are defined using Permissions in the Group Details list of the Oracle Identity Manager Administrative and User Console. They follow administrator concepts in which you define certain groups as administrators. Table 10-2 lists these data objects and their permissions.
Table 10-2 Data Object Permissions for Administrative Groups
Data Object Type | Entities | Permissions |
---|---|---|
com.thortech.xl.dataobj.tcUSR | Users | Permissions for users are defined at the organization level. If you define a group as an administrator of an organization with read, write, and delete permissions, then users in this group are able to view user details, modify user details, or delete users. |
com.thortech.xl.dataobj.tcACT | Organizations | If you define a group as an administrator of an organization, then the users of this group can perform the following actions based on the permissions assigned: With Read permissions: With Write permissions: With Delete permissions: |
com.thortech.xl.dataobj.tcUGP | User Groups | If you define a group as an administrator of another group, then the users of this group can perform the following actions based on the permissions assigned: With Read permissions: With Write permissions: With Delete permissions: |
com.thortech.xl.dataobj.tcOBJ | Resource Objects | If you define a group as an administrator of a resource, then the users of this group can perform the following actions based on the permissions assigned: With Read permissions: With Write permissions: With Delete permissions: |
com.thortech.xl.dataobj.tcAPD | Attestation Process Definitions | If you define a group as an administrator of an attestation process, then the users of this group can perform the following actions based on the permissions assigned: With Read permissions: With Write permissions: With Delete permissions: |
com.thortech.xl.dataobj.tcQUE | Administrative Queues | If you define a group as an administrator of an administrative queue, then the users of this group can perform the following actions based on the permissions assigned: With Read permissions: With Write permissions: With Delete permissions: |
com.thortech.xl.dataobj.tcTOS | Process Definition | If you define a group as an administrator of a process definition, then the users of this group can perform the following actions based on the permissions assigned: With Read permissions: With Write permissions: The deletion of workflow definitions is not supported. |
com.thortech.xl.dataobj.tcSDK | Form Designer | If you define a group as an administrator of a form, then the users of this group can perform the following actions based on the permissions assigned: With Read permissions: With Write permissions: The deletion of user-defined forms is not supported. |
com.thortech.xl.dataobj.tcSVR | IT Resources | If you define a group as an administrator of an IT resource, then the users of this group can perform the following actions based on the permissions assigned: With Read permissions: With Write permissions: With Delete permissions: |
If you define a group as an administrator of any of the entities in Table 10-2 with read, write, and delete permissions, then the users in this group can view entity details, modify entity details, or delete entities.
Whenever an entity of one of the data object types listed in Table 10-2 is created by a user, the groups that the user belongs to are automatically defined as administrators of the newly created entity with read, write, and delete permissions.
For example, user1 belonging to groups Group1 and Group2 creates an entity of type com.thortech.xl.dataobj.tcACT, which is an organization. Group1 and Group2 are automatically made administrators of this newly created organization with read, write, and delete permissions.
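The administrative-group model of Table 10-2 and the automatic-administrator rule in the example above, modelled as an added illustration. This is not Oracle Identity Manager code: the `Entity` and `User` classes, the function names, the "Finance" organization and the assumption that membership in any one sufficiently privileged administrative group is enough are all constructed for the example. The two entity types whose deletion the table says is not supported (process definitions and user-defined forms) are refused regardless of the permission held.

```python
"""Added illustration of the administrative-group permission model for the
Table 10-2 data object types. Not Oracle Identity Manager code; names are assumed."""
from dataclasses import dataclass, field

READ, WRITE, DELETE = "read", "write", "delete"

# Entity types whose deletion is not supported, whatever permission the group holds
NO_DELETE_TYPES = {"com.thortech.xl.dataobj.tcTOS", "com.thortech.xl.dataobj.tcSDK"}


@dataclass
class Entity:
    kind: str                     # data object type, e.g. com.thortech.xl.dataobj.tcACT
    name: str
    # administrators: group name -> permissions that group holds on this entity
    admins: dict = field(default_factory=dict)


@dataclass(frozen=True)
class User:
    login: str
    groups: frozenset             # names of the groups the user belongs to


def create_entity(creator: User, kind: str, name: str) -> Entity:
    """Create an entity; every group of the creator automatically becomes an
    administrator of it with read, write and delete permissions."""
    entity = Entity(kind, name)
    for group in creator.groups:
        entity.admins[group] = {READ, WRITE, DELETE}
    return entity


def assign_administrator(entity: Entity, group: str, permissions) -> None:
    """Make `group` an administrator of `entity`. Read is always granted (the
    wizard preselects it); write and delete are granted only if requested."""
    entity.admins[group] = {READ} | (set(permissions) & {WRITE, DELETE})


def can(user: User, entity: Entity, action: str) -> bool:
    """Whether `user` may view, modify or delete `entity`: true if any group the
    user belongs to administers the entity with the needed permission (assumed)."""
    needed = {"view": READ, "modify": WRITE, "delete": DELETE}[action]
    if needed == DELETE and entity.kind in NO_DELETE_TYPES:
        return False
    return any(needed in entity.admins.get(group, set()) for group in user.groups)


def demo():
    """The page's example: user1 in Group1 and Group2 creates an organization.
    Returns the administrators of the new organization and Group1's permissions."""
    user1 = User("user1", frozenset({"Group1", "Group2"}))
    org = create_entity(user1, "com.thortech.xl.dataobj.tcACT", "Finance")  # constructed name
    return sorted(org.admins), org.admins["Group1"]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both of the creator's groups listed as administrators with the full permission set; a group assigned later through `assign_administrator` gets only what was requested on top of read.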
Explicit Permission Not Required
Data objects for which explicit permission is not required are the ones for which permissions do not need to be defined because either there are no permissions enforced or they simply follow parent data object permissions. Data objects that use parent data object permissions follow a simple paradigm that if a group has update permissions on a parent data object, the same group will have insert, update, and delete permissions on child data objects. Table 10-3 lists these data objects and their entities.
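How the three categories resolve for a group, and for a user who belongs to several groups (the multi-group example given for Table 10-1, read here as: a user holds a permission only if every one of the user's groups holds it), as an added illustration. This is not Oracle Identity Manager code: the store layout, function names and sample grants are constructed, and only a handful of the page's data objects are included. Where a parent uses the administrative-group model (for example tcTOS), its permission is, for simplicity, looked up in the same group-level store.

```python
"""Added illustration of effective insert/update/delete resolution across the
three permission categories. Not Oracle Identity Manager code; names are assumed."""

INSERT, UPDATE, DELETE = "insert", "update", "delete"
ALL = frozenset({INSERT, UPDATE, DELETE})

EXPLICIT, FOLLOWS_PARENT, NO_CHECK = "explicit", "follows-parent", "no-check"

# Constructed subset of the page's tables: data object -> (category, parent)
DATA_OBJECTS = {
    "tcLKU": (EXPLICIT, None),           # Lookup Definitions (Table 10-1)
    "tcLKV": (EXPLICIT, None),           # Lookup values for a lookup (Table 10-1)
    "tcTOS": (EXPLICIT, None),           # Process Definition, kept in the same store for simplicity
    "tcMIL": (FOLLOWS_PARENT, "tcTOS"),  # Process task definitions follow TOS (Table 10-3)
    "tcDEP": (FOLLOWS_PARENT, "tcTOS"),  # Process Task Dependencies follow TOS (Table 10-3)
    "tcRCE": (NO_CHECK, None),           # Reconciliation events: no permission check
}


def group_permissions(group, dobj, store):
    """Effective permission set a single group holds on `dobj`.

    `store` maps (group, data object) -> the explicitly granted permission set."""
    category, parent = DATA_OBJECTS[dobj]
    if category == NO_CHECK:
        return set(ALL)                       # "No permission check. Always returns true."
    if category == FOLLOWS_PARENT:
        # update on the parent confers insert, update and delete on the child;
        # without it the group holds nothing on the child
        return set(ALL) if UPDATE in group_permissions(group, parent, store) else set()
    return set(store.get((group, dobj), ()))


def user_permissions(groups, dobj, store):
    """Effective permission set of a user in `groups`: a permission counts only
    if every group the user belongs to holds it."""
    sets = [group_permissions(g, dobj, store) for g in groups]
    return set.intersection(*sets) if sets else set()


def may(groups, dobj, action, store):
    """True if a user in `groups` may perform `action` on entities of `dobj`."""
    return action in user_permissions(groups, dobj, store)


# Constructed sample grants, as they would be entered on the Permissions page
SAMPLE_STORE = {
    ("Group1", "tcLKU"): {INSERT, UPDATE, DELETE},
    ("Group2", "tcLKU"): {INSERT, UPDATE},
    ("Group1", "tcTOS"): {UPDATE},
}

if __name__ == "__main__":
    # user in Group1 and Group2: delete on tcLKU is refused because Group2 lacks it
    print(sorted(user_permissions(["Group1", "Group2"], "tcLKU", SAMPLE_STORE)))
```

With the sample grants, a user in Group1 alone may delete lookup definitions, a user in both groups may not, and task definitions (tcMIL) are fully editable by Group1 only because Group1 holds update on the parent process definition.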
Table 10-3 Data Objects Not Requiring Explicit Permissions
Data Object | Description | Permission Type |
---|---|---|
Com.thortech.xl.dataobj.tcMEV | Email definitions defined on task statuses | Follows parent (TOS) permissions. |
Com.thortech.xl.dataobj.tcMIL | Process task definitions | Follows parent (TOS) permissions. |
Com.thortech.xl.dataobj.tcRSC | Process task response codes | Follows parent (TOS) permissions. |
Com.thortech.xl.dataobj.tcUNM | Undo milestones | Follows parent (TOS) permissions. |
Com.thortech.xl.dataobj.tcRPC | Reconciliation Matched Processes Child Table | No permission check. Always returns true. |
Com.thortech.xl.dataobj.tcAAD | Organization Administrators | Follows parent data object (ACT) permissions. |
Com.thortech.xl.dataobj.tcRCE | Reconciliation events | No permission check. Always returns true. |
Com.thortech.xl.dataobj.tcPCQ | User Questions | No permission check. Always returns true. |
Com.thortech.xl.dataobj.tcUSG | Users in a group | Follows parent data object (UGP) permissions. |
com.thortech.xl.dataobj.tcGPP | Group administrators | Follows parent data object (UGP) permissions. |
com.thortech.xl.dataobj.tcUWP | User Groups.Navigation Tree Layout | Follows parent data object (UGP) permissions. |
com.thortech.xl.dataobj.tcFUG | User Defined Field Definition.Administrators | Follows parent data object (SDK) permissions. |
com.thortech.xl.dataobj.tcMAV | Process Data.Milestone.Adapter Variable | Follows parent (TOS) permissions. |
com.thortech.xl.dataobj.tcAtomicProcess | Process Definition | Follows parent (TOS) permissions. |
com.thortech.xl.dataobj.tcATR | Attestation Requests | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcEIF | Export Import File history | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcCIH | Connector Installation history | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcORR | Reconciliation Action Rules | Follows parent (OBJ) permissions. |
com.thortech.xl.dataobj.tcRRE | Reconciliation User Matching Elements | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcRPW | Password Policy Rules on resources | Follows parent (OBJ) permissions. |
com.thortech.xl.dataobj.tcOBD | Resource Object Dependencies | Follows parent (OBJ) permissions. |
com.thortech.xl.dataobj.tcACP | Objects allowed | Follows parent data object (ACT) permissions. |
com.thortech.xl.dataobj.tcRCM | Reconciliation Data Multi-Value | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcATD | Attestation Task Data | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcOST | Statuses defined on resource | Follows parent (OBJ) permissions. |
com.thortech.xl.dataobj.tcEIS | Export import history substitution | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcAPT | Attestation Tasks | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcGCD | Generic Connector Definition | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcDEP | Process Task Dependencies | Follows parent (TOS) permissions. |
com.thortech.xl.dataobj.tcROP | Process determination rules | Follows parent (OBJ) permissions. |
com.thortech.xl.dataobj.tcGPG | Sub groups | Follows parent data object (UGP) permissions. |
com.thortech.xl.dataobj.tcSEL | User Groups.Set Up Permissions | Follows parent data object (UGP) permissions. |
com.thortech.xl.dataobj.tcQUM | Queue Members | Follows parent data object (QUE) permissions. |
com.thortech.xl.dataobj.tcQUG | Queue Administrators | Follows parent data object (QUE) permissions. |
com.thortech.xl.dataobj.tcMSG | Milestone.Status.User Group | This data object has been deprecated. |
com.thortech.xl.dataobj.tcPUG | Process Integration.Administrators | Follows parent (TOS) permissions. |
com.thortech.xl.dataobj.tcOUD | Resource Objects.User Object Dependencies | Follows parent (OBJ) permissions. |
com.thortech.xl.dataobj.tcRQE | Request Queues | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcRVM | Recovery Milestones | Follows parent (TOS) permissions. |
com.thortech.xl.dataobj.tcOUG | Resource Objects.Administrators | Follows parent (OBJ) permissions. |
com.thortech.xl.dataobj.tcMST | Process Definition.Tasks.Object Status | Follows parent (TOS) permissions. |
com.thortech.xl.dataobj.tcRRT | Reconciliation.User Matching Rule Element Properties | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcSVP | IT Resource Properties table | Follows parent (SVR) permissions. |
com.thortech.xl.dataobj.tcORF | Resource Objects.Object Reconciliation Fields | Follows parent (OBJ) permissions. |
com.thortech.xl.dataobj.tcRCD | Reconciliation Event Data | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcEIO | Export and import objects | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcRRL | Reconciliation Rules | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcRQC | Requests.Comments for Requests | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcRCB | Reconciliation Events.Unprocessed Data | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcPXD | Proxy Definitions | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcEIH | Export and import history | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcMAP | Map Information | Not using maps any more. |
com.thortech.xl.dataobj.tcORC | Process Detail | Permissions are given to the All Users group. |
com.thortech.xl.dataobj.tcSTA | Process task status Definitions | Custom statuses cannot be defined on tasks. |
com.thortech.xl.dataobj.tcScheduleItem | Process task instances | Permissions are given to the All Users group. |
com.thortech.xl.dataobj.tcSCH | Task instance information | Permissions are given to the All Users group. |
com.thortech.xl.dataobj.tcOIO | Requests Object Instance for Organization | Users can never directly create these entities. |
com.thortech.xl.dataobj.tcOIU | Requests Object Instance for User | Users can never directly create these entities. |
com.thortech.xl.dataobj.tcOBI | Requests.Object Instance | Users can never directly create these entities. |
Com.thortech.xl.dataobj.tcREQ | Requests | No permission check for insert. Update and delete permissions are computed using the user's relationship to the request. |
com.thortech.xl.dataobj.tcRequestObject | Request Object | No permission check. Always returns true. |
com.thortech.xl.dataobj.tcDOB | Data Objects | OIM users never create data objects. |
Thor.CarrierBase.tcACN | Contacts.Organization Information | Not used anymore. |
Thor.CarrierBase.tcAFM | Adapter Factory.Form | Not used anymore. |
Thor.CarrierBase.tcAHY | Organization.Parent-Child | Not used anymore. |
Thor.CarrierBase.tcCCG | Contact.Organization Groups | Not used anymore. |
Thor.CarrierBase.tcESD | Structure Utility.Encrypted Columns | No UI or APIs exposed to define data. |
Thor.CarrierBase.tcGSC | Contact.Schedule Items | Not used anymore. |
Thor.CarrierBase.tcGSI | Schedule Items.User Groups | Not used anymore. |
Thor.CarrierBase.tcPGP | Process Integration.Request Permissions | Not used anymore. |
Thor.CarrierBase.tcUDF | User Defined Field Definition | Not used anymore. |
com.thortech.xl.orb.dataobj.tcAOA | Adapter Factory.Open Adapter | Not used anymore. |
com.thortech.xl.orb.dataobj.tcOrganizationContact | Organization.Contact Information | Not used anymore. |
com.thortech.xl.orb.dataobj.tcRPT | Report Definition | Not used anymore. |
com.thortech.xl.dataobj.tcRPP | Report Parameters | Not used anymore. |
com.thortech.xl.orb.dataobj.tcUSC | Task Instance.Contact Information | Not used anymore. |
com.thortech.xl.orb.dataobj.tcUserScheduleItem | User Tasks | Not used anymore. |
com.thortech.xl.orb.dataobj.tcUSI | Users.User Defined Tasks | Not used anymore. |
com.thortech.xl.orb.dataobj.tcUSK | Email Notification.USI.Contacts | Not used anymore. |
com.thortech.xl.dataobj.tcAAG | User Groups.Organization Members | Not used anymore. |
com.thortech.xl.dataobj.tcORD | Orders | Not used anymore. |
com.thortech.xl.dataobj.tcRLO | External JAR File Directory | Not used anymore. |
com.thortech.xl.dataobj.tcAGS | Organization.Contact groups | Not used anymore. |
com.thortech.xl.dataobj.tcATS | Organization.Services Per Organization | Not used anymore. |
com.thortech.xl.dataobj.tcSGK | System Generator Key Values | Not used anymore. |
com.thortech.xl.dataobj.tcSRP | Service Rate plan | Not used anymore. |
com.thortech.xl.dataobj.tcSRS | Service Rate plan | Not used anymore. |
com.thortech.xl.dataobj.tcUDP | User Defined Fields | Not used anymore. |
com.thortech.xl.dataobj.tcUPD | Users Objects Policy Details | Users can never directly create these entities. |
com.thortech.xl.dataobj.tcUPP | Users Objects Policy Profile | Users can never directly create these entities. |
com.thortech.xl.dataobj.tcUPH | Users Objects Policy History | Users can never directly create these entities. |
com.thortech.xl.dataobj.tcRQU | Request Object Target User Information | Follows associated request permissions. |
com.thortech.xl.dataobj.tcRQA | Request Target Organization Information | Follows associated request permissions. |
com.thortech.xl.dataobj.tcRQO | Request Object Information | Follows associated request permissions. |
com.thortech.xl.dataobj.tcRIO | Request Organizations Resolved Object Instances | Follows associated request permissions. |
com.thortech.xl.dataobj.tcRIU | Request Users Resolved Object Instances | Follows associated request permissions. |
com.thortech.xl.dataobj.tcRQY | Request Organizations Requiring Resolution | Follows associated request permissions. |
com.thortech.xl.dataobj.tcRQZ | Request Users Requiring Resolution | Follows associated request permissions. |
com.thortech.xl.dataobj.tcUserProvisionObject | User Provision Object | Follows parent (OBJ) permissions. |
com.thortech.xl.dataobj.tcOrgProvisionObject | Organization Provision Object | Follows parent (OBJ) permissions. |
While assigning data objects or fine-grained permissions to groups, Oracle Identity Manager uses the following permission model:

- Assigning a data object to a user without any insert/update/delete option results in an error.
- To assign a data object to a group with, say, insert and update permissions, the logged-in user must have insert and update permissions on that data object.
- To modify any data permission (insert/update/delete) on a group, the logged-in user must have the same permissions on that data object.
- To delete a data object permission from a group, the logged-in user must have insert and update permissions on the same data object.
- If the logged-in user updates data object permissions in a way that leaves no permissions on a data object, the system automatically deletes that entry from the group.
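The five rules above, implemented as checks on a group-permission store, as an added illustration. This is not Oracle Identity Manager code: the store layout (a `(group, data object)` key per entry), the function names, the `AssignmentError` exception and the sample grants are constructed for the example. The third rule is read here as: every permission being granted or withdrawn by the change must be held by the logged-in user on that data object.

```python
"""Added illustration of the rules for assigning, modifying and removing a group's
insert/update/delete permission on a data object. Not Oracle Identity Manager code."""

INSERT, UPDATE, DELETE = "insert", "update", "delete"
ALL = frozenset({INSERT, UPDATE, DELETE})


class AssignmentError(Exception):
    """The logged-in user is not allowed to make the requested change."""


def _check_actor_holds(actor, dobj, needed):
    """Every permission in `needed` must be held by the logged-in user on `dobj`.
    `actor` maps data object -> permissions the logged-in user holds on it."""
    missing = set(needed) - set(actor.get(dobj, ()))
    if missing:
        raise AssignmentError(f"logged-in user lacks {sorted(missing)} on {dobj}")


def assign_permission(group_perms, actor, group, dobj, requested):
    """Assign `dobj` to `group` with the `requested` permission set (rules 1 and 2)."""
    requested = set(requested)
    if not requested <= ALL:
        raise ValueError(f"unknown permission in {requested}")
    if not requested:
        # rule 1: assigning without any insert/update/delete option is an error
        raise AssignmentError("at least one of insert, update or delete is required")
    # rule 2: the logged-in user needs the same permissions on that data object
    _check_actor_holds(actor, dobj, requested)
    group_perms[(group, dobj)] = requested


def modify_permission(group_perms, actor, group, dobj, new_set):
    """Change the permission set `group` holds on `dobj` to `new_set` (rules 3 and 5)."""
    key = (group, dobj)
    if key not in group_perms:
        raise AssignmentError(f"{dobj} is not assigned to {group}")
    new_set = set(new_set)
    if not new_set <= ALL:
        raise ValueError(f"unknown permission in {new_set}")
    # rule 3: each permission being granted or withdrawn must be held by the logged-in user
    _check_actor_holds(actor, dobj, group_perms[key] ^ new_set)
    if new_set:
        group_perms[key] = new_set
    else:
        # rule 5: an update that leaves no permissions removes the entry from the group
        del group_perms[key]


def remove_permission(group_perms, actor, group, dobj):
    """Delete the data object permission entry of `group` on `dobj` (rule 4)."""
    key = (group, dobj)
    if key not in group_perms:
        raise AssignmentError(f"{dobj} is not assigned to {group}")
    _check_actor_holds(actor, dobj, {INSERT, UPDATE})
    del group_perms[key]


def is_rejected(action, *args) -> bool:
    """True if `action(*args)` is refused by the permission model."""
    try:
        action(*args)
    except AssignmentError:
        return True
    return False


if __name__ == "__main__":
    # constructed sample: the logged-in user holds insert and update on tcLKU
    actor = {"tcLKU": {INSERT, UPDATE}}
    store = {}
    assign_permission(store, actor, "Group1", "tcLKU", {INSERT, UPDATE})
    print(store, is_rejected(assign_permission, store, actor, "Group1", "tcLKU", {DELETE}))
```

Note that a user holding only insert on a data object can grant insert but can neither add delete nor remove the entry outright, which is exactly the asymmetry the fourth rule introduces.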
Menu Items and Group Entitlements
Using Oracle Identity Manager, you can also assign permissions at the form and menu item levels. Form-level permissions are assigned in the Design Console, and menu item-level permissions are assigned in the Administrative and User Console. However, assigning permissions on forms or menu items does not automatically grant a user access to the entities associated with those forms or menu items. For example, if you grant a user permission for the Manage Users menu item, the menu item is visible when the user logs in, but a search for users might return no results because the user has not been assigned permission to view users belonging to a certain group. That permission is defined separately in the Administrative and User Console. To assign or remove a menu item or group entitlement, a user must have the corresponding menu item or group entitlement assigned to one of the groups to which he or she belongs.
You can list the reports that group members are allowed to run, and select reports for the group.
To work with reports permissions for a group:

1. Search for a group as described in "Searching for User Groups", then click the name of a group in the results table. The Group Detail page is displayed.
2. From the additional details box, select Allowed Reports. The Reports page is displayed.
3. To provide access to new reports for users, click Assign Reports. The Assign Reports page is displayed. This page displays available report names and types.
4. Select the option for the report, and then click Assign, or click Cancel. The Confirmation page is displayed.
5. To assign the report, click Confirm Assign. The Reports page is displayed.

To delete a report, select the option for the report, and then click Delete.