In most companies, employees who perform administrative tasks hold specific responsibilities. Consequently, the account management tasks that these administrators can perform are limited in scope.
For example, an administrator might be responsible only for creating Identity Manager user accounts. With that limited scope of responsibility, the administrator likely does not need specific information about the resources on which user accounts are created, or about the roles or organizations that exist within the system.
Identity Manager can also restrict administrators to a specific tasks within a specific, defined scope.
Identity Manager supports the separation of responsibilities and a delegated administration model as follows:
Assigned capabilities limit administrators to specific job duties
Assigned controlled organizations restrict administrators to controlling only specific organizations (and the objects within those organizations)
Filtered views of the Create User and Edit User pages prevent administrators from viewing information that is not relevant to their job duties
You can specify delegations for a user from the Create User page when you set up a new user account, or when you edit a user account.
You can also delegate work items, such as requests for approvals, from the Work Items tab. For more information on delegations, see Delegating Work Items for details.