Sun Identity Manager Service Provider 8.1 Deployment

Delegated Administration

By default, Service Provider implements the organization-based authorization model. To grant more fine-grained capabilities and scope of control over Service Provider users, the admin role-based authorization model can be enabled using Service Provider user Admin Roles.

For more information about enabling admin role-based delegated administration, see the Business Administrator's Guide.

A User Admin Role may be configured to evaluate several rules to determine the scope of control, capabilities, and dynamic assignment to a user:

User Search Context Rule

A User Search Context rule is evaluated when searching for Service Provider users. It returns a valid LDAP distinguished name (DN). This DN serves as the base context for searching users. The authType for the rule must be set to SPEUsersSearchContextRule.

The rule is passed the following arguments:

context — Specifies current user’s Identity context (session).

runAsUser — The User view of the user the rule will run as. This is a null argument if runAsIDMXUser is specified.

runAsIDMXUser — The IDMXUser view of the user the rule will run as. This is a null argument if runAsUser is specified.

User Search Filter Rule

The User Search Filter rule is evaluated when searching for Service Provider users. It returns an LDAP-compliant filter string that will be logically ANDed with the user’s search filter when listing Service Provider users. The authType for the rule must be set to SPEUsersSearchFilterRule.

The rule is passed the following arguments:

context — Specifies current user’s Identity context (session).

runAsUser — The User view of the user the rule will run as. This is a null argument if runAsIDMXUser is specified.

runAsIDMXUser — The IDMXUser view of the user the rule will run as. This is a null argument if runAsUser is specified.
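As an added example (not a rule shipped with Identity Manager), a User Search Filter rule written in XPRESS that confines a delegated administrator's searches to Service Provider users whose ou matches the administrator's own organization. The view path runAsUser.waveset.organization and the presence of an ou attribute on Service Provider users are assumptions for the illustration; when the rule runs as a Service Provider user instead (runAsUser is null), it returns a filter that matches nothing, so the ANDed search fails closed rather than exposing every user.

```xml
<!-- Added example, not part of the Identity Manager product configuration.
     Scope a delegated administrator's Service Provider user searches to
     users whose ou matches the administrator's organization.
     Assumed: runAsUser.waveset.organization holds the admin's organization
     name, and Service Provider users carry an ou attribute in the directory. -->
<Rule name='SPE Users Scoped To Admin Org' authType='SPEUsersSearchFilterRule'>
  <RuleArgument name='context'/>
  <RuleArgument name='runAsUser'/>
  <RuleArgument name='runAsIDMXUser'/>
  <cond>
    <!-- Exactly one of runAsUser / runAsIDMXUser is non-null. -->
    <notnull><ref>runAsUser</ref></notnull>
    <!-- Only trusted, administrator-maintained values should be spliced into
         the filter: a value containing ')' or '*' would change its meaning. -->
    <concat>
      <s>(ou=</s>
      <ref>runAsUser.waveset.organization</ref>
      <s>)</s>
    </concat>
    <!-- No Identity Manager user to scope by: return a filter that matches no
         entry, so the ANDed search lists nobody instead of everybody. -->
    <s>(!(objectClass=*))</s>
  </cond>
</Rule>
```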

After Search Filter Rule

The After User Search Filter rule is evaluated when searching for Service Provider users. It runs after the initial search is performed against the Service Provider user directory. It returns a list of objectIds the requesting user is allowed to list and view.

This type of rule can be used to determine whether a user should be in the requesting user’s scope of control. To accomplish this, the rule can reference non-LDAP user attributes, such as LDAP group membership. The rule can also be used when the filter decision needs to be made using a repository other than the Service Provider user directory, such as an Oracle database or RACF.

The authType of this rule must be SPEUsersAfterSearchFilterRule.

The rule is passed the following arguments:

context — Specifies current user’s Identity context (session).

runAsUser — The User view of the user the rule will run as. This is a null argument if runAsIDMXUser is specified.

runAsIDMXUser — The IDMXUser view of the user the rule will run as. This is a null argument if runAsUser is specified.

objectType — Specifies the type of object, such as IDMXUser, that the rule filters.

objectIds — Specifies a list of objects the rule filters.

conditions — Specifies a list of AttributeConditions.

Capabilities Per User Rule

In the context of a Service Provider user Admin Role, capabilities specify which capabilities and rights the requesting user has on the Service Provider user for which access is being requested. The Capabilities Per User rule is evaluated when a request is made to view, create, modify, or delete a Service Provider user. It must be specified as a rule with authType CapabilitiesOnSPEUserRule.

The list of capabilities returned from the rule can include both existing Identity Manager capability names (such as “Service Provider Create User”) and Identity Manager right names (such as “Modify” and “Execute”).

The rule is passed the following arguments:

context — Specifies current user’s Identity context (session).

runAsUser — The User view of the user the rule will run as. This is a null argument if runAsIDMXUser is specified.

runAsIDMXUser — The IDMXUser view of the user the rule will run as. This is a null argument if runAsUser is specified.

object — Specifies the name of an object, if an object exists. Otherwise, null.

objectType — Specifies the type of object, such as IDMXUser, that the rule filters.

object.identity — Specifies the DN of the Service Provider user on which the request is being made.

object.attributes — Defines a map of attribute name/value pairs of the Service Provider user on which the request is being made. Sample name/value pairs include sn=Smith and cn=gsmith.
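As an added example (not a rule shipped with Identity Manager), a Capabilities Per User rule in XPRESS that grants a helpdesk Admin Role the "Service Provider Create User" capability together with the Modify and Execute rights on ordinary Service Provider users, but returns no capabilities at all on accounts marked as privileged. The employeeType attribute, its value "privileged", and reading the object.attributes map with <get> are assumptions for the illustration.

```xml
<!-- Added example, not part of the Identity Manager product configuration.
     Decide what a helpdesk delegate may do with the Service Provider user
     named by object.identity, based on that user's own attributes.
     Assumed: employeeType is present in object.attributes and the map is
     read with <get> on the object.attributes argument. -->
<Rule name='Helpdesk Capabilities On SPE User' authType='CapabilitiesOnSPEUserRule'>
  <RuleArgument name='context'/>
  <RuleArgument name='runAsUser'/>
  <RuleArgument name='runAsIDMXUser'/>
  <RuleArgument name='object'/>
  <RuleArgument name='objectType'/>
  <RuleArgument name='object.identity'/>
  <RuleArgument name='object.attributes'/>
  <cond>
    <eq>
      <get><ref>object.attributes</ref><s>employeeType</s></get>
      <s>privileged</s>
    </eq>
    <!-- Privileged account: return nothing, so every request on it is
         denied for this Admin Role (least privilege by default). -->
    <list/>
    <!-- Ordinary account: capability names and right names may be mixed
         in the returned list. -->
    <list>
      <s>Service Provider Create User</s>
      <s>Modify</s>
      <s>Execute</s>
    </list>
  </cond>
</Rule>
```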

Assign To User Rule

Service Provider user Admin Roles can be dynamically assigned to Identity Manager users by specifying an Assign to User rule. This rule is evaluated at login time to determine whether to assign the authenticating Identity Manager user the AdminRole. The authType of this rule must be UserIsAssignedAdminRoleRule.

The rule is passed the following arguments:

context — Specifies current user’s Identity context (session).

runAsUser — Retrieves the User view of the requesting user.

The output is a string or boolean true if the authenticating user should be assigned this AdminRole. Otherwise, false or null should be returned.

Assign To Service Provider User Rule

Service Provider User AdminRoles can be dynamically assigned to Service Provider users by specifying an Assign to Service Provider User rule. This rule is evaluated at login time to determine whether to assign the AdminRole to the authenticating Service Provider user. The authType of the rule must be SPEUserIsAssignedAdminRoleRule.

The rule is passed the following arguments:

context — Specifies current user’s Identity context (session).

runAsIDMXUser — Retrieves the IDMXUser view of the requesting user.

The output is a string or boolean true if the authenticating user should be assigned this AdminRole. Otherwise, false or null should be returned.