Identity Manager uses authorization types during access checks when comparing the caller's capabilities against an object's authorization type. When an authorization type extends an existing repository type, access control follows the implied 'inheritance' relationship. Specifically, if an administrator has rights on the parent type, the administrator has the same rights on the child type. However, if an administrator has rights on the child type but no rights on the parent, then the administrator can access objects of the child type only.
For example, consider the following authorization types, administrators and objects:
Authorization settings:
Configuration (repository type)
<AuthType name='Fruit' extends='Configuration'/>
<AuthType name='Vegetable' extends='Configuration'/>
Rights are assigned as follows:
AdminA (has Right.VIEW on Configuration)
AdminB (has Right.VIEW on Fruit)
AdminC (has Right.VIEW on Vegetable)
ObjectA of type Configuration, no authtype
ObjectB of type Configuration, authtype == Fruit
ObjectC of type Configuration, authtype == Vegetable
The preceding authorization settings determine the following access privileges on the specified objects:
AdminA can view ObjectA, ObjectB and ObjectC
AdminB can view ObjectB only
AdminC can view ObjectC only
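The following is an added model of this resolution rule, not Identity Manager's own code: rights granted on a type are found by walking up an object's authorization type through each 'extends' link, and an object with no authtype is checked against its repository type. The names are taken from the example above; the AUTH_TYPES, RIGHTS and OBJECTS tables are assumed representations of the settings, not a product API.

```python
# Added example: how rights on an authorization type flow down its 'extends' chain.

# AuthType name -> the type it extends (None for the repository type itself).
AUTH_TYPES = {
    "Configuration": None,          # repository type
    "Fruit": "Configuration",       # <AuthType name='Fruit' extends='Configuration'/>
    "Vegetable": "Configuration",   # <AuthType name='Vegetable' extends='Configuration'/>
}

# Rights held by each administrator, keyed by the type they were granted on.
RIGHTS = {
    "AdminA": {"Configuration": {"VIEW"}},
    "AdminB": {"Fruit": {"VIEW"}},
    "AdminC": {"Vegetable": {"VIEW"}},
}

# Objects: (repository type, authtype); None means the object has no authtype.
OBJECTS = {
    "ObjectA": ("Configuration", None),
    "ObjectB": ("Configuration", "Fruit"),
    "ObjectC": ("Configuration", "Vegetable"),
}


def effective_type(obj_name):
    """An object without an authtype is checked against its repository type."""
    repo_type, auth_type = OBJECTS[obj_name]
    return auth_type or repo_type


def ancestors(auth_type):
    """Yield the type and every type it extends, nearest first (cycle-safe)."""
    seen = set()
    while auth_type is not None and auth_type not in seen:
        seen.add(auth_type)
        yield auth_type
        auth_type = AUTH_TYPES.get(auth_type)


def can(admin, right, obj_name):
    """True if the admin holds the right on the object's type or any ancestor type."""
    grants = RIGHTS.get(admin, {})
    return any(right in grants.get(t, set()) for t in ancestors(effective_type(obj_name)))


def viewable(admin):
    """Sorted names of the objects the admin can VIEW."""
    return sorted(o for o in OBJECTS if can(admin, "VIEW", o))
```

Running `viewable` for each administrator reproduces the three outcomes listed above; a grant on Fruit never reaches ObjectA because Configuration is the parent, not a descendant, of Fruit.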