The End User organization provides a convenient way for administrators to make certain objects, such as resources and roles, available to end-users. End-users can view and potentially assign designated objects to themselves (pending an approval process) using the end-user interface (Logging in to the Identity Manager End-User Interface).
The End User organization was introduced in Identity Manager Version 7.1.1.
Previously, in order to grant end-users access to Identity Manager configuration objects, such as Roles, Resources, Tasks, and so on, administrators had to edit configuration objects and use End User Tasks, End User Resources, and End User authTypes.
Going forward, Sun recommends using the “End User” organization to give end-users access to Identity Manager configuration objects.
The End User organization is implicitly controlled by all users, and enables them to view several types of objects, including tasks, rules, roles, and resources. Initially, however, the organization has no member objects.
The End User organization is a member of Top and cannot have child organizations. In addition, the End User organization is not displayed in the Accounts page list. When editing objects (such as Roles, AdminRoles, Resources, Policy, Tasks, and so on), however, you can make any object available to the End User organization using the Administrator user interface.
When end-users log in to the end-user interface, the following happens:
End-users are granted control of the EndUser organization (ObjectGroup).
Identity Manager evaluates the built-in End User Controlled Organization rule, which automatically gives the user control of any organization names that are returned by the rule. (This rule was added in Identity Manager Version 7.1.1. See the End User Controlled Organization Rule section for more information.)
End-users are granted rights to the object types specified in the EndUser capability.
The input argument to the End User Controlled Organization rule is the authenticating user’s view. Identity Manager expects the rule to return the names of one or more organizations that the user logging in to the End User interface will control: either a string (a single organization name) or a list of strings (multiple organization names).
To manage this configuration, users need the End User Administrator capability. Users who are assigned the End User Administrator capability can view and modify the contents of the End User Controlled Organization rule. These users can also view and modify the object types specified in the EndUser capability.
The End User Administrator capability is assigned to the Configurator user by default. Any changes made to the list of object types, or to the organizations returned by the evaluation of the End User Controlled Organization rule, are not reflected dynamically for logged-in users. These users must log out and then log in again to see the changes.
If the End User Controlled Organization rule returns an invalid organization (for example, an organization that does not exist in Identity Manager), the problem will be logged in the System Log. To correct the problem, log in to the Administrator user interface and fix the rule.