4.1 Understanding Administrator Roles

After you complete the installation, Access Manager has a set of pre-defined roles that you can assign to administrators, such as the Access Manager System Administrator.

See About Oracle Access Management Administrators.

You can assign the following to Access Manager system administrators:

  • All Application and component policy objects (including Resources, Authentication Policies, Authorization Policies, and Token Issuance Policies)

  • Shared components (including Authentication Schemes, Host Identifiers, and Resource Types)

  • System configuration (including Common Configuration, Access Manager settings and Authentication Modules, Security Token Service Settings, Custom Tokens, Endpoints, Templates and Profiles, and Access Manager Agents and Security Token Service Partners)

  • Agents and partners

A System Administrator can grant the rights to administer an Application Domain to an Application (Domain) Administrator. (A virtual Access Manager Administrator group is defined and mapped to the Application Administrator role.) An Application Administrator can further delegate the rights to administer one or more of their Application Domains to other Application Administrators. An Application Administrator can create and edit Resources, Authentication Policies and Authorization Policies. These rights are scoped to one or more Application Domains.


Only the System Administrator can assign roles to users; users cannot further delegate that role to others.

The System Administrator, Application Administrator and Help Desk Administrator roles are mutually exclusive; that is, a group or user can be assigned to only one such administrator role. However, the Application Administrator and Agent Administrator roles can be assigned to the same user or group.

Table 4-1 documents details about the pre-defined administrator roles.

Table 4-1 Roles for Delegating Administration

Role Name Description

System Administrator

Access to entire Oracle Access Management Console including policy creation and system configuration; encompasses the privileges to manage all system configurations, policy objects, Access Manager Settings, Agents, Authentication Modules, Authentication Schemes, Host Identifiers, Resource Types, Federation Partners and Enterprise Single Sign-on policies. Additionally, Security Token Service Settings, Partners, Custom Tokens, Endpoints, Templates and Profiles can be managed.

NOTE: The System Administrator does not support seamless failover. If one server goes offline, the System Administrator can re-login and continue on the other server(s) in the cluster.

Application Administrator

Access to policy creation and resources in the specified Application Domain. This role has access to the Application Registration Quick Wizard link.

Help Desk Administrator

Access to the Help Desk console.

Agent Administrator

Access to the Agent configuration pages. This role has access to the Agent Registration Quick Wizard link.

Authenticated User

Access to the Self Service Launch Pad and pages.

See Oracle Access Management Console and the Policy Manager Console.

See Understanding the Oracle Access Management Console.