19 Managing Administration Roles

Managing administration roles involves understanding the administration roles feature supported by Oracle Identity Manager, understanding the admin role attributes, and managing and configuring administration roles.

In this release, to control the actions that users can perform on others, administrators can use the Custom Administration Roles feature.

This chapter describes the Administration Roles feature in the following sections:

19.1 About Administration Roles in Oracle Identity Governance

The Administration Roles feature of Oracle Identity Governance is used to control the actions that users can perform on other Oracle Identity Governance objects.

The authorization engine embedded in Oracle Identity Governance, with the help of authorization policies, facilitates this control. The purpose of authorization policies is to control users' access to the Oracle Identity Governance application, which includes data, UI, and API. The authorization policies determine at runtime whether or not a particular action is allowed. Authorization policies can be defined that satisfy the authorization requirements within Oracle Identity Governance.

In Oracle Identity Governance, authorization policy management is centralized as an administrative feature. The Managing Admin Role feature of Oracle Identity Governance provides the flexibility to create new admin roles and select the capabilities for those admin roles. You can select multiple capabilities from different entities. Oracle Identity Governance holds the mapping of capabilities to admin roles. You can also define membership rules for the assignment of users to admin roles.

Note:

Admin Roles should not be confused with roles, which are used to control users' access to external resources.

A System Administrator with the capability to manage admin roles is allowed to publish admin roles. The System Administrator publishes the admin roles to organizations; users from those organizations, or users who hold the manage-admin-roles capability on those organizations, can then manage the admin roles.

19.2 Introducing Admin Roles

An Admin Role defines the actions, also known as functional capabilities, that can be performed and the scope of control (the scope of control refers to the set of organizations managed by the admin role).

Multiple admin roles can be assigned to a single administrator. This enables an administrator to have one set of capabilities in one scope of control, and a different set of capabilities in another scope of control. For example, one admin role might grant the administrator the right to create and edit users for the controlled organizations specified in that admin role. A second admin role assigned to the same administrator, might grant only the change user passwords right in a separate set of controlled organizations as defined in that admin role.

Admin roles enable the reuse of capabilities and scope-of-control pairings. Admin roles also simplify the management of administrator privileges across a large number of users. Instead of directly assigning capabilities and controlled organizations to individual users, admin roles should be used to grant administrator privileges.

There are two predefined admin roles in Oracle Identity Manager:

  • System Administrator, which is the Oracle Identity Manager System Administrator role with all privileges.

  • Catalog System Administrator, which is the role with privileges to manage all catalog items.

    Note:

    Role catalog attributes can be edited from the Roles page only, and editing them requires an additional privilege.

19.3 Understanding the Admin Role Attributes

The Admin Role Capability, Scope of Control, and Publication are the attributes that are configured for an admin role.

This section describes the admin role attributes in the following topics:

19.3.1 About Admin Role Capability

Capabilities represent administrative functions within Oracle Identity Manager. Capabilities are collections of fine-grained actions. For example, the Create User capability consists of two actions: Create User and View/Search User. Capabilities cannot be created, and they cannot be assigned directly to users. Users are assigned capabilities through admin roles. Multiple capabilities can be assigned to an admin role, and the capabilities can be selected from multiple entities. Capabilities control what a person is allowed to do or request, both for themselves and for others.

Tip:

See Table B-1 for the list of default capabilities that can be used while creating admin roles.

Oracle Identity Manager supports an additional level of granularity when granting the ability to modify or view users and their profiles, through Denied Attributes. Administrators can specify which attributes cannot be modified or seen as part of assigning the Modify User or View/Search User capability.

Note:

If an attribute is marked as denied for View/Search, it should also be marked as denied for the Modify User capability.

Mandatory attributes and system-generated attributes such as Status, Display Name, and User Login cannot be included in the denied attributes list.

Users are not allowed to perform any operation on behalf of their home-organization peers, such as viewing a user's accounts or entitlements, or requesting roles or accounts for them. Users must be granted admin roles with the specific capabilities before they can perform any of these admin operations.

19.3.2 About Admin Role Scope of Control

Oracle Identity Manager allows you to control which users are within an administrator's scope of control. Using Scope of Control, an administrator can specify the organizations that the members of the admin role can manage.

19.3.3 About Admin Role Publication

Oracle Identity Manager allows you to make an admin role available to organizations. Once the admin role has been published to these organizations, the organization administrators can grant it to other users. This helps to standardize delegated administration and encourages the reuse of admin roles.
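The following Python model is an added example, not Oracle documentation and not the product's own API. It shows how the three attributes above combine at decision time: an actor gets an action on a target user only through an admin role they belong to (directly, or through a membership rule such as Country = US, as created in Creating an Admin Role) whose scope of control contains the target's organization, and it checks the denied-attribute constraints stated in About Admin Role Capability. The class names, the capability-to-action entries other than Create User, and the sample users and organizations are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed capability-to-action table: "Create User" follows the chapter (Create User
# plus View/Search User); the "Modify User" entry is a single-action assumption.
CAPABILITY_ACTIONS = {
    "Create User": {"Create User", "View/Search User"},
    "Modify User": {"Modify User"},
}
NON_DENIABLE = {"Status", "Display Name", "User Login"}  # never allowed on a denied list

@dataclass
class AdminRole:
    name: str
    capabilities: set[str]
    scope_of_control: set[str]                       # organizations this role manages
    denied_attributes: dict[str, set[str]] = field(default_factory=dict)  # capability -> attrs
    membership_rule: dict[str, str] = field(default_factory=dict)  # e.g. {"Country": "US"}
    direct_members: set[str] = field(default_factory=set)

@dataclass
class User:
    login: str
    organization: str
    attributes: dict[str, str]

def validate(role: AdminRole) -> list[str]:
    """Chapter constraints: alphabetic name, no mandatory/system attribute on a denied
    list, and anything denied for View/Search User also denied for Modify User."""
    problems = []
    if not role.name.isalpha():
        problems.append("name must contain only alphabets (no digits or spaces)")
    denied = role.denied_attributes
    for cap, attrs in denied.items():
        problems += [f"{a} cannot be denied for {cap}" for a in sorted(attrs & NON_DENIABLE)]
    for a in sorted(denied.get("View/Search User", set()) - denied.get("Modify User", set())):
        problems.append(f"{a} is denied for View/Search User but not for Modify User")
    return problems

def is_member(role: AdminRole, user: User) -> bool:
    """Static assignment, or rule-based membership when every rule attribute matches."""
    if user.login in role.direct_members:
        return True
    rule = role.membership_rule
    return bool(rule) and all(user.attributes.get(k) == v for k, v in rule.items())

def allowed_actions(actor: User, target: User, roles: list[AdminRole]) -> set[str]:
    """Union of actions from the actor's admin roles whose scope of control contains the
    target's organization; empty if none, even for peers in the actor's home organization."""
    actions: set[str] = set()
    for role in roles:
        if is_member(role, actor) and target.organization in role.scope_of_control:
            for cap in role.capabilities:
                actions |= CAPABILITY_ACTIONS.get(cap, {cap})
    return actions
```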

19.4 Searching Admin Role

Use the Admin Roles page to perform simple and advanced search for admin roles.

To search for an admin role, use one of the following:

19.4.1 Performing Basic Search for Admin Role

To perform basic search:

  1. Log in to Identity Self Service.
  2. Click the Manage tab, and then click the Administration Roles box. The Admin Roles page is displayed.
  3. To perform a basic search, select one of the following search criteria from the Search drop-down and click the Search Admin Role icon:
    • Display Name

    • Description

    • Name

    The admin roles that match the selected search criteria are listed.

19.4.2 Performing Advanced Search for Admin Role

To perform advanced search:

  1. Log in to Identity Self Service.

  2. Click the Manage tab, and then click the Administration Roles box. The Admin Roles page is displayed.

  3. Click the Advanced link. The Advanced Admin Roles search page is displayed.

  4. Select any one of the following Match options:

    • All: Search is performed with the AND condition. This means that the search operation is successful only when all the search criteria specified are matched.

    • Any: Search is performed with the OR condition. This means that the search operation is successful when any search criterion specified is matched.

  5. In the Display Name field, enter the display name to search for, and select a search comparator. The default search comparator is Starts With. The Equals, Ends With, Does Not Equal, Contains, and Does Not Contain comparators are available in the list as alternatives.

  6. In the Description and Name fields, enter the appropriate values and select the required comparators.

  7. To add a field in your search:

    1. Click Add Fields, and select a field, such as Description or Name.

    2. Enter a value for the search attribute that you added.

    To remove a field that you added to the search, click the cross icon next to the field.

  8. To reorder the search element list, click Reorder. A Reorder Search Fields tab opens. Select the search element that has to be reordered and rearrange it using the arrow keys. Click OK.

    The order in which search elements are listed is modified accordingly.

  9. Click Search. The results are displayed in the search results table.

19.5 Creating an Admin Role

Oracle Identity Manager provides the flexibility to create new admin roles and select the capabilities for those admin roles. You can select multiple capabilities from different entities.

To create an Admin Role:

  1. In Identity Self Service, click the Manage tab, and then click the Administration Roles box. The Admin Roles Search page is displayed.

  2. From the Actions menu, select Create. Alternatively, click Create on the toolbar. The Create Admin Role page is displayed.

  3. In the Basic Information tab, enter Name, Display Name, and Description details and click Next. The Capabilities tab is displayed.

    Name is the only mandatory field. The admin role name must contain only alphabetic characters; numbers and spaces are not allowed.

  4. In the Capabilities tab, click Add Capabilities. The Add Capabilities panel is displayed.

    To add Capabilities:

    1. Search for capabilities by using Display Name, Description, or Entity Name as the search criteria, and click the Search icon. The search operator can be combined with wildcard characters to specify a search condition. The percent sign (%) is used as the wildcard character.

      Capabilities matching the search criteria are listed. The list shows the Name of each capability, its Description, and its Attribute.

      Note:

      If the capability is a Modify User or View/Search User capability, the Attribute column shows a link. To set an attribute as a denied attribute, click this link. The Attribute panel is displayed. From the list of attributes, select the attributes to be marked as denied attributes and click OK.

      Mandatory attributes and system-generated attributes such as Status, Display Name, and User Login cannot be included in the denied attributes list.

    2. From the list of capabilities, select the required capability and click Add Selected, or click Add All to add all the listed capabilities.

    3. To deselect capabilities from the Selected Capabilities list, click Remove Selected or Remove All.

    4. Click Select. The Assign Capabilities panel lists the capabilities selected in Add Capabilities.

    Click Next. The Members tab is displayed.

  5. In the Members tab, you can assign users (static assignment) and create membership rules (dynamic assignment).

    Note:

    For member assignment, scope of control is mandatory.

    To create membership rules:

    1. Click Create Membership Rule to open the User Membership Rules for Role tab.

    2. In the Expression Builder tab, under Attributes tab, select an attribute, such as Country, and then click Add. The attribute is added to the expression builder for which you can specify a value. In addition, the Literals tab is displayed.

    3. In the Value field, enter a value for the selected attribute, such as US, and then click Add. The value is added to the expression builder. The resulting expression for the membership rule specifies that users whose Country is US will be members of the selected admin role.

    4. Click Save. The Members tab is displayed with the membership rule added in the User Membership Rule section.

      Member Assignment tab displays the list of members matching the membership rule.

      Direct Members: This section displays the members that are statically assigned to the open role.

      Rule Based Members: This section displays the members that are assigned to the open role through membership rules.

      All Members: This section displays all the members, direct and rule-based, that are assigned to the open role.

    5. To evaluate the rule later, select the Evaluate Rule Later check box. The rule can then be evaluated by running the Refresh Admin-Role Memberships scheduled task. If the Evaluate Rule Later check box is not selected, the rule is evaluated when the admin role is created.

    To assign static users:

    1. Click Assign. The Assign Users search dialog box is displayed.

    2. Search for users by using the appropriate search criteria and click the Search icon. The search operator can be combined with wildcard characters to specify a search condition. The percent sign (%) is used as the wildcard character.

      Users matching the search criteria are listed.

    3. From the list of users, select the required user and click Add Selected, or click Add All to add all the listed users.

      To deselect users from the Selected Users list, click Remove Selected or Remove All.

    4. Click Select. The Members tab is displayed with the assigned users in the Member Assignment section.

    Click Next. The Scope of Control tab is displayed.

  6. You can specify the organizations that this admin role can manage.

    To do so, click Add Organizations. The Add Organization tab is displayed.

    1. Search for organizations by using Organization Name, Type, Organization Status, or Parent Organization Name as the search criteria, and click the Search icon.

      The search operator can be combined with wildcard characters to specify a search condition. The percent sign (%) is used as the wildcard character. Organizations matching the search criteria are listed.

    2. From the list of organizations, select the required organization and click Add Selected, or click Add All to add all the listed organizations.

      To deselect an organization from the Selected Organizations list, click Remove Selected or Remove All.

    3. Click Select. The Scope of Control tab is displayed with the organizations in the Scope of Control section.

    Click Next. The Organizations tab is displayed.

  7. You can publish the admin role to one or more organizations.

    To do so, click Add Organizations. The Add Organization tab is displayed.

    1. Search for organizations by using Organization Name, Type, Organization Status, or Parent Organization Name as the search criteria, and click the Search icon.

      The search operator can be combined with wildcard characters to specify a search condition. The percent sign (%) is used as the wildcard character. Organizations matching the search criteria are listed.

    2. From the list of organizations, select the required organization and click Add Selected, or click Add All to add all the listed organizations.

      To deselect an organization from the Selected Organizations list, click Remove Selected or Remove All.

    3. Click Select. The Organizations tab is displayed with the organizations in the Organizations section.

    Click Next. The Summary tab is displayed.

  8. The Summary tab lists all the information entered in the previous steps. Click Finish. This creates the new admin role.

19.6 Viewing and Modifying Admin Role

You can open the details of an admin role and edit the basic information, the capabilities, the members, the scope of control, and the organizations.

To open the details of an admin role and modify it, perform one of the following:

  1. In the Search Admin Roles page, search and select the admin role that you want to edit. From the Actions menu, select Open. Alternatively, click Open on the toolbar.

  2. In the search results table of the Search Admin Roles page, click the Open Admin Role icon beside admin role name.

  3. The details of the admin role are displayed in a new page. Modify the admin role information in the following tabs of this page:

    1. Basic Information Tab

      The Basic Information tab displays the admin role attributes. Except for the Admin Role Name field, which is read-only, the fields in this tab are the same as those available in the Create Admin Role page. The fields that can be modified in this tab are Display Name and Description.

      To modify the admin role attributes, change the values in the fields, and click Apply.

    2. Capabilities Tab

      The Capabilities tab displays the capabilities assigned to the admin role. You can add new capabilities or remove capabilities from the existing list.

      To add new capabilities, click Add. The Add Capabilities page is displayed. To add capabilities, follow the steps in Creating an Admin Role.

      To remove an existing capability, select the capability in the list and click Remove. Click Apply.

    3. Members Tab

      The Members tab displays the User Membership Rules and Member Assignment for the admin role.

      To edit the rule, click Edit Rule. For the steps, refer to Creating an Admin Role.

      To delete the rule, click Delete Rule.

      To add new users, click Assign. For the steps, refer to Creating an Admin Role.

      Click Apply.

    4. Scope of Control Tab

      The Scope of Control tab allows you to specify the organizations that this admin role can manage.

      To assign more organizations, click Assign. For the steps, refer to Creating an Admin Role.

      To remove an organization from the list, select the organization and click Revoke. Click Apply.

    5. Organizations Tab

      The Organizations tab allows you to publish the admin role to one or more organizations.

      To assign more organizations, click Assign. For the steps, refer to Creating an Admin Role.

      To remove an organization from the list, select the organization and click Revoke. Click Apply.

19.7 Deleting Admin Role

Delete the admin roles that are not required or are not in use.

To delete an Admin Role:

  1. In the Search Admin Roles page, search for and select the admin role that you want to delete.
  2. From the Actions menu, select Delete. Alternatively, click Delete on the toolbar. A warning message is displayed to confirm deletion of the Admin Role. Click Delete.

19.8 Controlling End User Actions

Admin roles are used to control the actions that a user can perform on other users and objects. To control the actions that an end user can perform on themselves, administrators need to configure Self Service Capabilities.

For more information on Self Service Capabilities, see "Managing Self Service Capability Policy" in the Administering Oracle Identity Governance.