Overview of Delegated Administration Role Hierarchy

Roles are dynamic classifications of users who meet specific requirements, such as membership in a group, matching user profile property values, and time of day. A role is used to determine whether to grant or deny access to resources, and to determine which capabilities on those resources are available to the user. The role hierarchy defines the structure for Delegated Administration.

The root Delegated Administration role is defined in the Portal Resource tree as Administrators. Any user mapped to this predefined role has unlimited administrative access in the administration portal. Only a user with global administrative rights can change the definition of this root Delegated Administration role.

You have flexibility in the way you set up your administration hierarchy and assign rights to your various administrators. You can create different levels of administrators, each with varying degrees of access. You can also create administrators that can, in turn, delegate administration tasks to other users.

WebLogic Portal includes a default system administrator. The system administrator has unlimited access to administrative tasks anywhere within the enterprise portal application. You can create as many different administrators as you need by creating administrator roles and then assigning specific users, user groups, or user characteristics.

Parent Roles and Child Roles

Delegated Administration roles allow you to determine which portal resources an administrator can access and what the administrator can do to those resources. A child role has a subordinate relationship to another role (its parent), and this relationship determines who can delegate to whom. That is, sub-roles are children in the sense that files are children of directories. A user in a role can delegate only to that role's sub-roles, which provides a way to restrict Delegated Administration.

For example:

A user in Role A may not delegate to the sub-roles of Role B, which is a "peer" role. Role A may delegate to any of its descendants. Child roles do not inherit the traits of the parent role. If you delete a child role, you are removing it from the system.

Note: When you are establishing your role hierarchy, keep in mind that child roles within a Delegated Administration role must be unique. For example, you cannot have a Delegated Administration role called RoleA with a child role of RoleB if you already have a child role called RoleB elsewhere in the hierarchy.
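
The delegation and uniqueness rules above can be checked mechanically when reviewing a planned hierarchy. The following is an added example, not WebLogic Portal code or its API: the RoleHierarchy class, its methods, and the role names RoleA1, RoleA1a and RoleB1 are hypothetical, and it assumes a role cannot delegate to itself.

```python
class RoleHierarchy:
    """Toy model of a Delegated Administration role tree (not the WebLogic Portal API)."""

    def __init__(self, root="Administrators"):
        self.parent = {root: None}  # role name -> parent role name

    def add_child(self, parent, name):
        if parent not in self.parent:
            raise KeyError(f"unknown parent role: {parent}")
        # Names must be unique across the whole hierarchy, not only among siblings.
        if name in self.parent:
            raise ValueError(f"{name!r} already exists under {self.parent[name]!r}")
        self.parent[name] = parent

    def can_delegate(self, from_role, to_role):
        # Walk up from the target: delegation is allowed only if from_role is an
        # ancestor, so a role itself, peers, peers' children and ancestors are refused.
        node = self.parent[to_role]
        while node is not None:
            if node == from_role:
                return True
            node = self.parent[node]
        return False


def build_sample():
    # Constructed hierarchy: RoleA and RoleB are peers under the root role.
    h = RoleHierarchy()
    for parent, child in [("Administrators", "RoleA"), ("Administrators", "RoleB"),
                          ("RoleA", "RoleA1"), ("RoleA1", "RoleA1a"), ("RoleB", "RoleB1")]:
        h.add_child(parent, child)
    return h


def audit(h, delegations):
    """Return the (from_role, to_role) pairs that break the sub-role rule."""
    return [(f, t) for f, t in delegations if not h.can_delegate(f, t)]


if __name__ == "__main__":
    h = build_sample()
    proposed = [("RoleA", "RoleA1a"), ("RoleA", "RoleB1"), ("RoleA1", "RoleA")]
    print(audit(h, proposed))
```

Running audit over a list of proposed delegations flags any that reach sideways into a peer's subtree or upward to an ancestor before they are configured.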
