Oracle® Fusion Middleware User's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)

Part Number E14316-06

15 Managing Authorization Policies

Oracle Identity Manager is a security product and therefore controls which operations users are allowed to perform in the application. This is enforced by the authorization engine embedded in Oracle Identity Manager, driven by authorization policies. The authorization policies determine at runtime whether or not a particular action is allowed. You can define authorization policies that satisfy the authorization requirements within Oracle Identity Manager.

In earlier releases of Oracle Identity Manager, each feature defined and managed its own authorization policy UI and backend implementation. In Oracle Identity Manager 11g Release 1 (11.1.1), authorization policy management is centralized as an administrative feature. The authorization policy management and enforcement engine is now based on an embedded version of Oracle Entitlements Server (OES), Oracle's fine-grained entitlements administration product. These authorization policies secure access to the Oracle Identity Manager application by defining "who can do what" inside it. The centralized definition of authorization policies still provides context-sensitive authorization for each feature, as explained in the following sections:

15.1 Authorization Policy

You can define and manage authorization policies in the Authorization Policies section of the Oracle Identity Manager Administration console. This section is available to users who have the Manage Authorization Policies privilege.

The following are the structural components of an authorization policy:

15.2 Creating and Managing Authorization Policies

Using the Administrative and User Console, you can perform the following tasks related to authorization policies:

Note:

Creation, modification, or deletion of an authorization policy does not take effect immediately; the change takes approximately 5 to 10 seconds to come into effect. When you verify a policy change by retesting the affected operation, allow for this delay.

15.2.1 Searching Authorization Policies

You can perform simple or quick search and advanced search operations for existing authorization policies. These operations are described in the following sections:

15.2.1.1 Simple Search

To perform simple search for authorization policies:

  1. Login to the Administration console with credentials that have the Manage Authorization Policies privilege.

  2. In the left pane, click Authorization Policy tab.

  3. Verify that Policy is selected in the lookup.

  4. In the text box, enter a search criteria for authorization policies.

  5. Click the Search icon. You can include wildcard characters (*) in your search criterion. For performance reasons, a leading (prefix) wildcard is removed. A trailing (suffix) wildcard is always added, so the search matches policy names that begin with the criterion you enter.

Note:

Authorization policy search is case sensitive, so you must ensure proper case while entering search criteria.
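The following Python function is an added example (not Oracle's code and not the console's search implementation) that models the documented matching rules above, so that you can predict what a criterion will return before typing it. The policy names in the sample are constructed for the illustration; the normalization rules are the ones stated in the text.

```python
import re

# Added example, not Oracle's code: models the documented simple-search rules for
# authorization policies (leading '*' dropped, trailing '*' always appended,
# case-sensitive matching) so the effect of a criterion can be predicted.


def normalize_criterion(criterion: str) -> str:
    """Apply the documented rules: leading wildcards are removed for performance,
    and a trailing wildcard is always appended. Case is left untouched."""
    c = criterion.strip().lstrip("*")
    if not c.endswith("*"):
        c += "*"
    return c


def _to_regex(criterion: str) -> re.Pattern:
    # Translate the normalized wildcard string into an anchored, case-sensitive regex.
    parts = [re.escape(p) for p in normalize_criterion(criterion).split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def simple_search(criterion: str, policy_names: list[str]) -> list[str]:
    """Return the policy names the console would list for `criterion`, in input order."""
    pattern = _to_regex(criterion)
    return [name for name in policy_names if pattern.match(name)]


# Constructed sample: the default policy names from this chapter plus one custom name.
SAMPLE_POLICIES = [
    "User Management Administration Policy",
    "User Management Search Policy",
    "User Management All Users Policy",
    "Role Management Administration Policy",
    "HR Delegated Admin Policy",
]
```

The edge case worth knowing is the leading wildcard: a criterion such as `*Management*` is searched as `Management*`, which matches none of the sample names because every policy name begins with a different word, and `user` matches nothing because the comparison is case sensitive.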

15.2.1.2 Advanced Search

To perform advanced search for authorization policies:

  1. In the Welcome page, under Authorization Policies, click Advanced Search - Authorization Policies. Alternatively, you can click the Authorization Policy tab, and then click Advanced Search link on the left pane. The Advanced Search page is displayed.

  2. Select any one of the following options:

    • All: On selecting this option, the search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

    • Any: On selecting this option, the search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

  3. In the Policy Name field, enter the name of the authorization policy that you want to search for, and select a search comparator in the list adjacent to the Policy Name field. The default search comparator is Contains; other comparators are available in the list.

  4. In the Role Name field, enter the name of the role to which the policies are assigned. You can use wildcard characters in your search criteria. Select a search condition in the list adjacent to the Role Name field.

  5. In the Entity Type field, select the entity type for which the authorization policies are defined.

  6. Click Search. The search results are displayed in the search results table.

15.2.2 Creating Custom Authorization Policies

Oracle Identity Manager Administration allows you to create custom authorization policies for the following Oracle Identity Manager components:

  • Role Management

  • Authenticated Self Service User Management

  • User Management

This section describes authorization policy creation for user management and role management features in the following topics:

15.2.2.1 Creating an Authorization Policy for User Management

To create an authorization policy for user management:

  1. Login to Oracle Identity Manager Administration console.

    Note:

    You must be a member of the System Administrators role to create, modify, delete, search authorization policies.
  2. On the Welcome page, under Authorization Policies, click Authorization Policy. Alternatively, click the Authorization Policy tab, and then click the Create New Policy icon on the toolbar. The Basic Policy Information page of the Authorization Policy wizard is displayed.

    Note:

    In the Basic Policy Information page of the Create Policy wizard, only the Basic Policy Information, Policy Settings and Confirmation Nodes are shown at the top of the page. The other Nodes of the wizard are dynamically generated based on your selection in the Entity Name field.
  3. In the Policy Name field, enter the name of the authorization policy.

  4. In the Description field, enter a description of the authorization policy.

  5. In the Entity name field, select the name of the feature for which you want to create the authorization policy. To create an authorization policy for user management, select User Management.

  6. Click Next. The Permissions page is displayed. In this page, you can select permissions that you want to enable in the authorization policy.

  7. In the Permissions table, select the check boxes in the Enable column. If you want to enable all permissions for the authorization policy, then select Enable All Permissions at the top of the table.

    To modify the permissions with attribute-level settings, you can click Edit Attribute.

  8. Click Next. The Data Constraints page of the Authorization Policy wizard is displayed.

    In this page, the options for the feature selected in the Entity Name field in step 5 are displayed.

  9. Select one of the following:

    • All Users: Select this option to specify all the users in Oracle Identity Manager for which the authorization policy is created.

    • Users that are members of selected Organizations: Select this option to specify organizations for whose members you want to create the authorization policy.

  10. If you select the Users that are members of selected Organizations option, then you must specify one or more organizations. To do so:

    1. Click Add Organization. The Add Organization dialog box is displayed.

    2. Click the Search icon to display the list of organizations in the Available Organizations list.

    3. From the Available Organizations list, select one or more organizations, and then click the Move or Move All buttons to move the selected organizations to the Organizations to Add list.

    4. Click Save. The selected organizations are added in the table in the Data Constraints page.

  11. Under Organization Security Setting, select Hierarchy Aware (include all child organizations) to specify that the authorization policy is applicable to users who are members of all the child organizations of the selected organizations.

  12. Click Next. The Assignment page of the Authorization Policy wizard is displayed.

  13. Under Assign by Rule, select Management Chain of User to make the direct and indirect managers of the user being managed assignees of the authorization policy.

  14. To assign roles to the authorization policy:

    1. Click Add. The Assign Roles dialog box is displayed.

    2. Click the Search icon to display the list of roles in the Available Roles list.

    3. From the Available Roles list, select one or more roles, and then click the Move or Move All buttons to move the selected roles to the Roles to Assign list.

    4. Click Save. The selected roles are added to the table in the Assignment page.

      Note:

      To remove a role from the table in the Assignment page, click Remove.
  15. Under Assignment Security Setting, select Assignee must be a member of the User's Organization to specify that an assignee is granted privileges only over users who are members of the assignee's own organization.

  16. Click Next. The Confirmation page of the Authorization Policy wizard is displayed with details specified in the steps of the wizard.

  17. Click Finish. The authorization policy is created.

15.2.2.2 Creating an Authorization Policy for Role Management

To create an authorization policy for Oracle Identity Manager role management feature:

  1. Login to Oracle Identity Manager Administration console.

  2. On the Welcome page, under Authorization Policies, click Create New Policy. Alternatively, you can:

    • Click the Authorization Policy tab, and then click the Create New Policy icon on the toolbar.

    • From the Actions menu, select Create.

    The Basic Policy Information page of the Authorization Policy wizard is displayed.

    Note:

    In the Basic Policy Information page of the Create Policy wizard, only the Basic Policy Information, Policy Settings and Confirmation Nodes are shown at the top of the page. The other Nodes of the wizard are dynamically generated based on your selection in the Entity Name field.
  3. In the Policy Name field, enter the name of the authorization policy.

  4. In the Description field, enter a description of the authorization policy.

  5. In the Entity Name field, select an entity name based on the authorization feature you want the assignee to have. To create an authorization policy for role management, select Role Management.

  6. Click Next. The Permissions page is displayed.

  7. Select the permissions that you want to enable for the authorization policy. To select all permissions, select Enable All Permissions at the top of the table.

  8. Click Next. The Data Constraints page is displayed.

  9. Select any one of the following options:

    • All Roles: To specify that the authorization policy is applicable to all roles in Oracle Identity Manager including all the child roles.

    • Selected Roles: To specify that the authorization policy is applicable to selected roles only.

    The roles selected in the Data constraint page are roles on which action is to be performed.

  10. If you select the Selected Roles option, then you must select the roles for which the authorization policy is being created. To do so:

    1. Click Add Role. The Assign Roles dialog box is displayed.

    2. Click the Search icon to display all roles in the Available Roles list.

    3. Select the roles for which you want to apply the authorization policy.

    4. Click the Move or Move All buttons to move the roles to the Roles to Assign list.

    5. Click Save. The selected roles are added to the Data Constraints page of the Authorization Policy wizard.

  11. To remove a selected role from the Data Constraints page:

    1. Select the role, and then click Remove. A message box is displayed asking for confirmation.

    2. Click OK to confirm.

  12. In the Data Constraints page, under Role Security Setting, select Hierarchy Aware (Include all Parent Roles) to specify that the authorization policy also applies to all parent roles of the selected roles.

  13. Click Next. The Policy Assignment page is displayed. In this page, you can add and remove roles as described in steps 10 and 11.

    Roles selected in the Policy Assignment page are roles whose direct and indirect members will perform the action based on the policy.

  14. Click Next. The Confirmation page is displayed with Basic Policy Information and details about permissions, data constraints, and assignments.

  15. Click Finish. The authorization policy is created.

15.2.3 Creating Authorization Policies Based on Existing Policies

You can create an authorization policy by using the general, permissions, data constraints, and assignment information from another authorization policy already existing in Oracle Identity Manager. To do so:

  1. Search for the authorization policy from which you want to use information to create another policy.

  2. Select the policy. From the Actions menu, select Create Like. The Authorization Policy wizard is displayed.

  3. In the Basic Policy Information page, edit the Policy Name, Description, and Entity Name fields to specify new values.

  4. Perform the steps to complete the wizard as described in "Creating Custom Authorization Policies".

15.2.4 Viewing and Modifying Authorization Policies

You can view and modify authorization policies, and change the general information, permissions, data constraints, and assignments of the authorization policies. To do so:

Note:

The options for authorization policy modification change dynamically based on the entity type selected for the policy. In this procedure, an authorization policy for role management is used as the example.
  1. In the Authorization Policy tab of the Administration Console, in the left pane, search for authorization policies. The policies matching the search criteria are displayed in the search results table.

  2. Click an authorization policy. Alternatively, you can select an authorization policy, and from the Actions menu, select Open. The page that allows you to view and modify authorization policy details is displayed. The General tab of the page is displayed by default, with details about the policy name, description, entity name, permissions, data constraints, and assignment.

  3. Edit the Policy Name and Description fields to update the authorization policy name and description.

    Note:

    You cannot change the entity name of an authorization policy after the policy is created.
  4. Click the Permissions tab. In this tab, you can check the permissions that you want to enable in this policy. To do so, select the permissions from the table, or select Enable All Permissions to enable all permissions.

    Some permissions have attribute-level settings. To modify the attribute-level settings, click Edit Attributes.

  5. Click the Data Constraints tab. In this tab, you can modify the roles over which this authorization policy grants privileges.

  6. Select any one of the following options:

    • All Roles: To specify that the authorization policy is applicable to all roles in Oracle Identity Manager including all the child roles.

    • Selected Roles: To specify that the authorization policy is applicable to selected roles only.

  7. If you select the Selected Roles option, then you must select the roles for which the authorization policy is being created. This tab also allows you to remove selected roles. To add or remove roles, perform the steps described in steps 10 or 11 respectively of "Creating an Authorization Policy for Role Management".

  8. Select Hierarchy Aware (include all Parent Roles) to extend the policy to all the parent roles of the selected roles.

  9. Click the Assignment tab. This tab displays the roles that are assigned to this policy.

    You can add or remove the assignment by performing steps 10 or 11 respectively of "Creating an Authorization Policy for Role Management".

  10. Click Apply to save changes.

    Alternatively, click Revert to refresh the page with old values.

    See Also:

    "Disabling Access to Features Through the Authorization Policies" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about disabling or hiding features by using authorization policies

15.2.5 Deleting Authorization Policies

To delete an authorization policy:

  1. In the Authorization Policy tab of the Administration Console, search for the authorization policy that you want to delete.

  2. Select the policy. From the Actions menu, select Delete. A message box is displayed asking for confirmation.

  3. Click OK to confirm deletion.

15.3 Authorization Policies for Oracle Identity Manager Features

This section describes the authorization policy components for the following Oracle Identity Manager features:

15.3.1 User Management

The components of the authorization policies defined for the user management feature and the default authorization policy are described in the following sections:

15.3.1.1 Assignee

The assignee of the policy can be a set of roles; the policy is assigned to each role in the set. In addition, a rule that selects the management chain of the user being managed as an assignee is supported. There is no ability to restrict this rule to just the direct manager of the user being managed.

The Assignee must be a member of the User's Organization security setting restricts the grant to assignees who are themselves members of the organizations over which privileges are being granted. If the assignee belongs to multiple organization hierarchies, then a match to at least one of those organization hierarchies is enough to provide the grant.

15.3.1.2 Functional Security

Multiple privileges are defined for the user management feature such as Search for Users and View User Detail. For a complete list of privileges for the user management feature, see "Privileges".

The following privileges support the fine-grained attribute-level controls, in which the user is able to select the specific attributes applicable to that operation:

  • View User Detail

  • Modify User Profile

The list of attributes is based on the attributes defined for the user entity.

15.3.1.3 Data Security

For the user management feature, data security is defined as the list of organizations whose members the assignee has privileges over. The set of users being managed by the authorization policy cannot be specified by attribute filtering.

If the Hierarchy Aware option is selected, then the organization hierarchy is taken into account when determining the data security: the policy applies to members of the selected organizations and of all their child organizations.

15.3.1.4 Default Authorization Policies

There are three default authorization policies for the user management feature. Users are not allowed to modify or delete these policies. Any User Management policy that provides the Search User permission should also provide the View User Details permission, and the View User Details permission should include the User Login, Account Status, Identity Status, Full Name, and Display Name attributes. If these attributes are not provided, the user might not be fully viewable or editable.

The default authorization policies for user management are the following:

  • User Management Administration Policy

    • Assignee: System Administrators and Identity User Administrators roles

    • Functional Security: Change User Password, Create User, Delete User, Evaluate Access Policies, Modify OIM Account Status, Modify User Profile, Modify User Proxy Profile, Modify User Status, Provision Resource to User, Search User, View User Details, and View User Requests

      Note: The Modify User Profile and View User Details permissions have associated attribute settings. For both permissions, the attribute setting is All Attributes.

    • Data Security: All Users; Assignee must be a member of the User's Organization: No; Hierarchy Aware: Yes

  • User Management Search Policy (allows Request Template Administrators and Approval Policy Administrators to search based on GUID and User Login)

    • Assignee: Request Template Administrators, Request Administrators, Approval Policy Administrators, and Reconciliation Administrators roles

    • Functional Security: Search Users; View User Details, with the attribute setting Display Name, First Name, Full Name, GUID, Last Name, Organization, and User Login

    • Data Security: All Organizations; Assignee must be a member of the User's Organization: No; Hierarchy Aware: Yes

  • User Management All Users Policy

    • Assignee: ALL USERS role

    • Functional Security: View User Details, with the attribute setting Display Name, First Name, Full Name, GUID, Last Name, Organization, and User Login

    • Data Security: All Organizations; Assignee must be a member of the User's Organization: No; Hierarchy Aware: Yes


15.3.2 Authenticated User Self Service

Authorization policies are used to control the following areas of authenticated self service:

15.3.2.1 Authorization for Profile Attributes

The attributes displayed on the My Profile page of Oracle Identity Manager Self Service are controlled by using the VIEW_USER_DETAILS and MODIFY_USER_DETAILS privileges from the Self Service User Management OES authorization policies. If multiple policies are applicable, then the list of attributes on which the user has permissions is a union of the attributes determined by individual policies.

By default, the All Users and System Administrators roles have permissions to view and modify a set of attributes. The All Users and System Administrators roles have permissions to view the following attributes:

Email, Display Name, First Name, Last Name, Locale, Middle Name, Telephone Number, Time Zone, User Login, Manager, Identity Status, and Account Status

The All Users and System Administrators roles have permissions to modify the following attributes:

Email, Display Name, First Name, Last Name, Locale, Middle Name, Telephone Number, Time Zone, and User Login

If the user has view and modify privileges for an attribute, then the attribute is displayed as editable on the My Profile page. If the attribute has view permission only, then it is displayed as read-only. The request to modify self profile is submitted by using the Modify Self Profile request template. The request dataset for this request template is the same as that for the Modify User request template. This request template is configurable.

See Also:

Chapter 14, "Creating and Searching Requests" for detailed information about requests models, request templates, and request datasets

To display additional attributes on the user's profile:

  1. Create a custom self service authorization policy with view and/or modify user profile permission having default or custom additional attributes. See "Creating Custom Authorization Policies" for information about creating custom authorization policies.

  2. Assign the custom authorization policy to the All Users and System Administrators roles because the administrator user does not have All Users role by default.

  3. If the additional attribute is given the Modify User Profile permission in the policy, then update the request dataset for the Modify Self Profile request template, ModifyUserDataset.xml, to include the attribute. The attribute is rendered on the Modify Self Profile page only if it has an entry in this dataset.

    Note:

    Ensure that the additional attribute has the visible property set.

15.3.2.2 Authorization for Role Requests

There is no permission defined specifically for requesting and viewing roles as self service operations. However, when requesting roles, only those request templates that the user is authorized to access are displayed; the request management feature controls this. While searching for roles during the request operation, the user can select only from the roles that the user is authorized to search for and view, which is controlled by the role management policies.

The user can request any of the roles for which the user has search permission. This is controlled by the general authorization policies defined for role management. While creating a request for a role, the user must search for and select the roles.

The roles available for the user in the list of roles on the Request Roles page are the result of intersection of the roles provided in the request template and roles that the user has search permission for. For example, if the request template has roles Role1, Role2, and Role3 and the user has search permission on Role2 and Role3, then Role2 and Role3 are displayed in the list of roles. Similarly, if the user has search permission over Role1, Role2, and Role3 and the request template has roles Role2 and Role3, then Role2 and Role3 are displayed in the list of roles.

15.3.2.3 Authorization for Resource Requests

There is no permission defined for requesting and viewing resources as self service operations. However, for requesting and viewing resources, the resource must be configured so that self requesting for that resource is allowed. This is done by selecting the Self Request Allowed option in the Resource Objects form in Oracle Identity Manager Design Console.

See Also:

Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about the Resource Objects form in Oracle Identity Manager Design Console

15.3.2.4 Authorization for Proxies

To add, modify, and remove proxy operations, authorization checks are required in the authenticated self service APIs along with a new MODIFY_SELF_USER_PROXY_PROFILE privilege in the default authorization policy for self service user management. The authenticated self service API first checks for this privilege. If the user is authorized to perform the proxy operation, then the authenticated self service API calls the corresponding APIs for user management.

See Also:

Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about Oracle Identity Manager APIs

The Modify Self User Proxy Profile permission is required to allow adding, modifying, and removing proxies.

15.3.2.5 Default Authorization Policy

The default authorization policy defined for the authenticated user self service feature is Self Service User Management All Users Policy, which allows users with the System Administrators role and the All Users role to access some of the self service user management operations. The policy has the following components:

  • Assignee: The policy defines what privileges the assignee users have for managing their own profile after logging in to Oracle Identity Manager Self Service. Because the assignee is role-based, you can define different self-service policies for different roles and thereby restrict the self-service capabilities of those roles. For example, you can define Policy1 that grants all self-service privileges to members of the Employee role.

  • Functional Security: The authenticated user self service feature defines the following permissions:

    • View User Details

    • Modify User Profile

    • Modify Self User Proxy Profile

    The Modify User Profile and Modify Self User Proxy Profile permissions support fine-grained attribute level controls, in which the user is able to select the specific attributes that apply to that operation.

  • Data Security: None

15.3.3 Role Management

The components of the authorization policies defined for the role management feature and the default authorization policy for this feature are described in the following sections:

15.3.3.1 Assignee

The assignee of the policy can be a role or a set of roles.

15.3.3.2 Functional Security

Multiple privileges are defined for the role management feature. The privileges do not support fine-grained attribute-level controls.

15.3.3.3 Data Security

For the role management feature, data security is defined as the list of roles the assignee will have privileges over.

The Assignee Must Be Member of condition restricts the grant to assignees that are also members of the role being granted privileges over.

The Hierarchy Aware setting takes the role hierarchies into account when determining the data security.

15.3.3.4 Default Authorization Policies

The default authorization policies defined for this feature cannot be modified or deleted by users. The policies are the following:

  • Role Management Administration Policy

    • Assignee: System Administrators and ROLE ADMINISTRATORS roles

    • Functional Security: Create Role, Create Role Category, Delete Role, Delete Role Category, Modify Role, Modify Role Category, Modify Role Hierarchy, Modify Role Membership, Search for Role, Search for Role Categories, View Role Category Detail, View Role Detail, and View Role Membership

    • Data Security: All Roles

  • Role Management All Users Policy

    • Assignee: ALL USERS role

    • Functional Security: Search for Role, Search for Role Categories, View Role Detail, and View Role Category Detail

    • Data Security: All Roles. (For a custom policy, the data constraint can instead be Selected Roles, which limits the policy to the roles you select.)

  • Role Management Role Owner Policy

    • Assignee: ALL USERS role

    • Functional Security: Delete Role, Modify Role, Modify Role Hierarchy, Modify Role Membership, Search for Role, Search for Role Categories, View Role Category Detail, View Role Detail, and View Role Membership

    • Data Security: All roles that the assignee owns. The user who creates a role becomes its owner.

  • Role Management Approval and Request Policy

    • Assignee: APPROVAL POLICY ADMINISTRATORS, REQUEST TEMPLATE ADMINISTRATORS, and REQUEST ADMINISTRATORS roles

    • Functional Security: Search for Role, Search for Role Categories, View Role Category Detail, and View Role Detail

    • Data Security: All Roles

  • Role Management Delegated Administration Policy

    • Assignee: ROLE ADMINISTRATORS role

    • Functional Security: Modify Role Membership, Search for Role, Search for Role Categories, View Role Category Detail, View Role Detail, and View Role Membership

    • Data Security: All Roles

  • Role Management Hierarchy Administration Policy

    • Assignee: ROLE ADMINISTRATORS role

    • Functional Security: Modify Role, Modify Role Hierarchy, Search for Role, Search for Role Categories, View Role Category Detail, View Role Detail, and View Role Membership

    • Data Security: All Roles

15.3.4 Authorization Policy Management

Access to the authorization policy management feature is controlled by a default authorization policy. This policy allows users who belong to the System Administrators role to perform authorization policy operations, such as searching authorization policies, and creating, modifying, and deleting custom authorization policies.

Note:

  • The delete or disable action is controlled by feature specific UI code, which calls AuthorizationService API to find out whether the user is allowed to perform that action. If the user has the permission, then under Action list on the left pane of the UI, the user can see Delete or Disable options enabled.

  • Authorization policies apply to Oracle Identity Manager account users. Other users can only view them in the UI and cannot modify them.

The details of the default authorization policy for this feature are the following:

  • Policy Name: Authorization Management Administration Policy

  • Assignee: System Administrators role

  • Functional security: The supported permissions are:

    • Create Authorization Policies

    • Delete Authorization Policies

    • Modify Authorization Policies

    • Search Authorization Policies

    These privileges do not support fine-grained attribute-level controls.

  • Data security: This authorization policy does not support any data security. Anybody with the privileges to manage authorization policies can manage any and all authorization policies, including creating a custom policy that grants any permission, so this privilege is effectively equivalent to full administrative control and should be granted as sparingly as membership in the System Administrators role.

15.3.5 User Management Configuration

The default authorization policy for the user management configuration feature allows users with the System Administrators and USER CONFIGURATION ADMINISTRATORS roles to access all user management configuration operations. This policy has the following details:

  • Policy name: User Management Configuration Administration Policy

  • Assignee: System Administrators and USER CONFIGURATION ADMINISTRATORS roles

  • Functional security: The permissions are:

    • Add Category

    • Add Derived Attributes

    • Create Attribute

    • Delete Attribute

    • Delete Category

    • Set Search Attributes

    • Update Attribute

    • Update Category

    These permissions do not support fine-grained attribute-level controls.

  • Data security: None

Note:

  • Authorization policies are for Oracle Identity Manager account users. Other users can only view them in the UI, but cannot modify them.

  • When the user is authorized to view all attributes on the pages for creating and modifying users, a UDF created through User Management Configuration is displayed on those pages.

15.3.6 Reconciliation Management

The components of the authorization policies defined for the reconciliation management feature and the default authorization policy for this feature are described in the following sections:

15.3.6.1 Assignee

The assignee of the policy can be a role or a set of roles.

15.3.6.2 Functional Security

The reconciliation management feature defines multiple privileges from the authorization policy management area. These privileges do not support fine-grained attribute-level controls.

15.3.6.3 Data Security

This authorization policy does not support any data security. A user with the privileges to manage reconciliation events can manage all reconciliation events.

15.3.6.4 Default Authorization Policy

The following are the default authorization policies for the reconciliation management feature:

  • Policy name: Reconciliation Management Administration Policy

  • Assignee: SYSTEM ADMINISTRATORS and RECONCILIATION ADMINISTRATORS roles

  • Functional security: The permissions include:

    • Assign

    • Bulk Action

    • Create Act

    • Create User

    • Link Act

    • Link User

    • Search

    • View Event Details

    These permissions do not support fine-grained attribute-level controls.

  • Data security: None

  • Policy name: Reconciliation API Policy

  • Assignee: SYSTEM ADMINISTRATORS and RECONCILIATION ADMINISTRATORS roles

  • Functional security: The permissions are:

    • Create Reconciliation Event

    • Delete detected Accounts

    • Get Missing Accounts

    • Ignore Event

    • Link Event to Resource for user

    • Link Event to User

    • Process Reconciliation Event

    These permissions do not support fine-grained attribute-level controls.

  • Data security: None

15.3.7 Scheduler

The default authorization policy for the scheduler feature allows users with the System Administrators and SCHEDULER ADMINISTRATOR roles to access all scheduler operations. This policy has the following details:

  • Policy Name: Scheduler Administration Policy

  • Assignee: System Administrators and SCHEDULER ADMINISTRATOR roles

  • Functional security: The permissions are:

    • Job Create

    • Job Delete

    • Job Disable

    • Job Enable

    • Job Filter

    • Job Modify

    • Job pause

    • Job Resume

    • Job run now

    • Job Search

    • Job stop

    • Reset Status

    • Scheduler Search

    • Scheduler Start

    • Scheduler Stop

    • Trigger Create

    • Trigger Delete

    • Trigger Modify

    These permissions do not support fine-grained attribute-level controls.

  • Data security: None

Note:

Authorization policies are for Oracle Identity Manager account users. Other users can only view them in the UI, but cannot modify them.

15.3.8 Request Creation By Using Request Templates

For creating requests by using request templates, an authorization policy is created for each request template that is created. These authorization policies can be viewed but cannot be modified.

Each request template can be associated with a set of roles. Only the users that are members of any of these roles are able to create requests using that request template. Therefore, for each request template, Oracle Identity Manager generates a corresponding authorization policy. For each default request template, Oracle Identity Manager generates a corresponding authorization policy by default.

The default authorization policy for creating requests by using request template allows users with the REQUEST TEMPLATES ADMINISTRATORS role to access all operations related to request templates. The policy has the following details:

  • Policy name: Request Template Administration Policy

  • Assignee: REQUEST TEMPLATE ADMINISTRATORS role

  • Functional security: The permissions are:

    • Create

    • Delete

    • Modify

    • Search

    These permissions do not support fine-grained attribute-level controls.

  • Data security: None

Note:

Authorization policies are for Oracle Identity Manager account users. Other users can only view them in the UI, but cannot modify them.

15.3.9 Approval Policy Management

The default authorization policy for the approval policy management feature allows users with the APPROVAL POLICY ADMINISTRATORS role to access all approval policy management operations. This policy has the following details:

  • Policy name: Approval Policy Management Policy

  • Assignee: APPROVAL POLICY ADMINISTRATORS role

  • Functional security: The permissions are:

    • Create

    • Delete

    • Modify

    • Search

    These permissions do not support fine-grained attribute-level controls.

  • Data security: None

Note:

Authorization policies are for Oracle Identity Manager account users. Other users can only view them in the UI, but cannot modify them.

15.3.10 Notification Management

The default authorization policy for the notification management feature allows users with the NOTIFICATION TEMPLATE ADMINISTRATORS role to access all notification management operations. This policy has the following details:

  • Policy Name: Notification Management Administration Policy

  • Assignee: System Administrators and NOTIFICATION TEMPLATE ADMINISTRATORS roles

  • Functional security: The permissions are:

    • Add Locale

    • Create

    • Delete

    • Filter

    • Lookup

    • Modify

    • Remove Locale

    • Search

    These permissions do not support fine-grained attribute-level controls.

  • Data security: None

Note:

Authorization policies are for Oracle Identity Manager account users. Other users can only view them in the UI, but cannot modify them.

15.3.11 System Properties

The default authorization policy for the system properties feature allows users with the System Administrators and SYSTEM CONFIGURATION ADMINISTRATORS roles to access all operations related to system properties. This policy has the following details:

  • Policy name: System Properties Administration Policy

  • Assignee: System Administrators and SYSTEM CONFIGURATION ADMINISTRATORS roles

  • Functional security: The permissions include:

    • Create

    • Delete

    • Filter

    • Lookup

    • Modify

    • Search

    These permissions do not support fine-grained attribute-level controls.

  • Data Constraints: None

Note:

Authorization policies are for Oracle Identity Manager account users. Other users can only view them in the UI, but cannot modify them.

15.3.12 Diagnostic Dashboard

The default authorization policy for the Diagnostic Dashboard feature allows users with the System Administrators role to access the diagnostic dashboard. This policy has the following details:

  • Policy name: Diagnostic Dashboard Policy

  • Assignee: System Administrators role

  • Functional security: The Manage Failed Tasks permission without any fine-grained attribute-level controls

  • Data constraints: None

Note:

Authorization policies are for Oracle Identity Manager account users. Other users can only view them in the UI, but cannot modify them.

15.3.13 Plug In

The default authorization policy for the Plug In feature allows users with the PLUGIN ADMINISTRATOR role to register unregistered policies. This policy has the following details:

  • Policy name: Plugin Administrator Policy

  • Assignee: PLUGIN ADMINISTRATOR and SYSTEM ADMINISTRATOR roles

  • Functional security: The permissions are:

    • Register Plug In

    • Unregister Plug In

    These permissions do not support fine-grained attribute-level controls.

  • Data constraints: None

Note:

Authorization policies are for Oracle Identity Manager account users. Other users can only view them in the UI, but cannot modify them.