B Functional Capabilities

The authorization model lets you create new admin roles and select the capabilities granted to each of them. It does this through Admin Role capabilities and Self capabilities.

This appendix provides the list of Admin Role capabilities and the list of Self capabilities.

B.1 List of Authorization Functional Capabilities

The Authorization Functional Capabilities list shows the admin role capabilities that can be assigned to a new admin role.

This section provides the list of admin role capabilities in Table B-1.

Table B-1 Authorization Functional Capabilities

| Functional Type | Functional Capability | Description | Implied Capabilities |
|---|---|---|---|
| Admin Role | AdminRole - Create | Allows a User to create an Admin Role | Create Admin Role; View or Search Admin Roles; Assign Capabilities; Assign Admin Role Members; Set Organization Scope of Control; Publish Admin Role to Organization |
| Admin Role | AdminRole - Modify | Allows a User to modify an Admin Role | Modify Admin Role Attributes; View or Search Admin Roles; Assign Capabilities; Assign or Unassign Admin Role Members; Set Organization Scope of Control; Publish Admin Role to Organization |
| Admin Role | AdminRole - Delete | Allows a User to delete an Admin Role | Delete Admin Role; View or Search Admin Roles |
| Admin Role | AdminRole - View/Search | Allows a User to view and search for Admin Roles | View or Search Admin Roles; View Capabilities; View Admin Role Members; View Organization Scope of Control; View Organizations Published To |
| Role | Role - Create | Allows a User to create a Role | Create Role; Assign Role Hierarchy; Assign Access Policy; Assign Role Members; Publish Role to Organization |
| Role | Role - Modify | Allows a User to modify a Role | Modify Role Attributes; Assign or Unassign Role Hierarchy; Assign or Unassign Access Policy; Assign or Unassign Role Members; Publish Role to Organization |
| Role | Role - Delete | Allows a User to delete a Role | Delete Role; View or Search Role |
| Role | Role - View / Search | Allows a User to view and search for Roles | View or Search Role; View Role Hierarchy; View Role Members; View Role Access Policy; View Organizations Published To |
| User | User - Create | Allows a User to create another User | Create User; View or Search User |
| User | User - Modify | Allows a User to modify another User | Modify User Attributes; View or Search User; Request, Remove, or Modify Roles; View Direct Reports; View AdminRoles |
| User | User - Delete | Allows a User to delete another User | Delete User; View or Search User |
| User | User - Enable | Allows a User to enable another User | Enable User; View or Search User |
| User | User - Disable | Allows a User to disable another User | Disable User; View or Search User |
| User | User - Lock | Allows a User to lock an Oracle Identity Manager Account | Lock User; View or Search User |
| User | User - Unlock | Allows a User to unlock an Oracle Identity Manager Account | Unlock User; View or Search User |
| User | User - Change Password | Allows a User to change another User's password | Change User Password; View or Search User |
| User | User - View/Search | Allows a User to search for and view Users and their details | View or Search User; View Roles; View Direct Reports; View Admin Roles |
| User | User - View Requests | Allows a User to search for requests | View User Requests; View or Search Users |
| Relationships | Provision Accounts | Allows a User to provision Accounts, including start and end dates, on another User | Request Account; View or Search User; View or Search Accounts; Modify Accounts |
| Relationships | Deprovision Accounts | Allows a User to deprovision Accounts on another User, including setting end dates | Remove Account; View or Search User; View or Search Accounts; Modify Accounts |
| Relationships | Modify Provisioned Accounts | Allows a User to modify another User's provisioned Account, including start and end dates | Modify Accounts; View or Search User; View or Search Accounts |
| Relationships | Enable Provisioned Accounts | Allows a User to enable Account of another User | Enable Account; View or Search User; View or Search Accounts |
| Relationships | Disable Provisioned Accounts | Allows a User to disable Account of another User | Disable Account; View or Search User; View or Search Accounts |
| Relationships | Change Provisioned Account Password | Allows a User to change Account password for another User | Change Account Password; View or Search User; View or Search Accounts |
| Relationships | View Provisioned Accounts | Allows a User to see another User's provisioned Accounts | View or Search User; View or Search Accounts |
| Relationships | Grant Account Entitlements | Allows a User to grant Entitlements, including start and end dates, for another User | Request Entitlement; View or Search User; View or Search Account; View or Search Account Entitlement; Modify Entitlement |
| Relationships | Modify Account Entitlements | Allows a User to modify Account Entitlements for another User | Modify Entitlement; View or Search User; View or Search Account; View or Search Account Entitlement |
| Relationships | Revoke Account Entitlements | Allows a User to revoke Account Entitlements for another User, including setting end dates | Remove Entitlement; View or Search User; View or Search Account; View or Search Account Entitlement; Modify Entitlement |
| Relationships | View Account Entitlements | Allows a User to see another User's Entitlements | View or Search Account Entitlement; View or Search User; View or Search Account Entitlement |
| Password Policy | Password Policy - Create | Allows a User to create a Password Policy | Create Password Policy; View or Search Password Policy |
| Password Policy | Password Policy - Modify | Allows a User to modify a Password Policy | Modify Password Policy; View or Search Password Policy |
| Password Policy | Password Policy - Delete | Allows a User to delete a Password Policy | Delete Password Policy; View or Search Password Policy |
| Password Policy | Password Policy - View/Search | Allows a User to view and search for Password Policies | View or Search Password Policy |
| Proxy User | ProxyUser - View | Allows a User to view proxy for another User. Note: While creating a custom admin role to manage the proxies, apart from the ProxyUser - View, ProxyUser - Add, ProxyUser - Modify, ProxyUser - Delete capabilities, you need to add the User - View / Search capability to the admin role. This will ensure the admin user can view and search for the users to set as proxy. | |
| Proxy User | ProxyUser - Add | Allows a User to add proxy for another User. | |
| Proxy User | ProxyUser - Modify | Allows a User to modify proxy for another User. | |
| Proxy User | ProxyUser - Delete | Allows a User to delete proxy for another User. | |
| Organization | Organization - Create | Allows a User to create an Organization | Create Organization; View or Search Organization; View or Search User; View or Search Password Policy; Create Sub-Organization |
| Organization | Organization - Modify | Allows a User to modify an Organization | Modify Organization Attributes; View or Search Organization; Disable Organization; View Organization Members; Set User Membership Rule; View Available Roles; View Available Accounts; View Available Entitlements; Provision Accounts; Assign or Unassign AdminRoles |
| Organization | Organization - Delete | Allows a User to delete an Organization | Delete Organization; View or Search Organization |
| Organization | Organization - View / Search | Allows a User to view and search for Organizations | View or Search Organization; View Child Organizations; View Members; View Available Roles; View Admin Roles; View Provisioned Accounts |
| Organization | Organization - View Organization Members | Allows a User to see the members of an Organization | View Organization Members; View or Search Organizations |
| Organization | Organization - View Organization Published Entitlements | Allows a User to see the Entitlements published to an Organization | View Available Entitlements; View or Search Organizations |
| Organization | Organization - View Organization Published Application Instances | Allows a User to see the applications published to an Organization | View Available Accounts; View or Search Organizations |
| Identity Audit Policy | Identity Audit Policy - Create | Allows a User to create an Identity Audit Policy. Note: Entity types IdentityAuditScanRun and IdentityAuditPolicyViolationCause are not supported in this release. | Create Identity Audit Policy; View or Search Identity Audit Policy; Assign or Unassign Identity Audit Rule; Create Identity Audit Scan Run; View Identity Audit Configuration |
| Identity Audit Policy | Identity Audit Policy - Modify | Allows a User to modify an Identity Audit Policy | Modify Identity Audit Policy; View or Search Identity Audit Policy; Assign or Unassign Identity Audit Rule; Create Identity Audit Scan Run; View Identity Audit Configuration |
| Identity Audit Policy | Identity Audit Policy - Delete | Allows a User to delete an Identity Audit Policy | Delete Identity Audit Policy; View or Search Identity Audit Policy |
| Identity Audit Policy | Identity Audit Policy - Enable | Allows a User to enable an Identity Audit Policy | Enable Identity Audit Policy; View or Search Identity Audit Policy |
| Identity Audit Policy | Identity Audit Policy - Disable | Allows a User to disable an Identity Audit Policy | Disable Identity Audit Policy; View or Search Identity Audit Policy |
| Identity Audit Policy | Identity Audit Policy - Assign Rule | Allows a User to assign Identity Audit Rules to an Identity Audit Policy | Assign Identity Audit Rule; View or Search Identity Audit Policy |
| Identity Audit Policy | Identity Audit Policy - Unassign Rule | Allows a User to unassign Identity Audit Rules from an Identity Audit Policy | Unassign Identity Audit Rule; View or Search Identity Audit Policy |
| Identity Audit Policy | Identity Audit Policy - View / Search | Allows a User to view an Identity Audit Policy | View or Search Identity Audit Policy; View Identity Audit Rule |
| Identity Audit Rule | Identity Audit Rule - Create | Allows a User to create an Identity Audit Rule | Create Identity Audit Rule; View or Search Identity Audit Rule |
| Identity Audit Rule | Identity Audit Rule - Modify | Allows a User to modify an Identity Audit Rule | Modify Identity Audit Rule; View or Search Identity Audit Rule |
| Identity Audit Rule | Identity Audit Rule - Delete | Allows a User to delete an Identity Audit Rule | Delete Identity Audit Rule; View or Search Identity Audit Rule |
| Identity Audit Rule | Identity Audit Rule - Enable | Allows a User to enable an Identity Audit Rule | Enable Identity Audit Rule; View or Search Identity Audit Rule |
| Identity Audit Rule | Identity Audit Rule - Disable | Allows a User to disable an Identity Audit Rule | Disable Identity Audit Rule; View or Search Identity Audit Rule |
| Identity Audit Policy | Identity Audit Rule - View/Search | Allows a User to view an Identity Audit Rule | View or Search Identity Audit Rule |
| Identity Audit Configuration | Identity Audit Configuration - Modify | Allows a User to modify the Identity Audit Configuration | Modify Identity Audit Configuration; View Identity Audit Configuration |
| Identity Audit Configuration | Identity Audit Configuration - View | Allows a User to view the Identity Audit Configuration | View Identity Audit Configuration |
| Identity Audit Scan Definition | Identity Audit Scan Definition - Create | Allows a User to create an Identity Audit Scan definition | Create Identity Audit Scan Definition; View or Search Identity Audit Scan Definition; Create Identity Audit Scan Run |
| Identity Audit Configuration | Identity Audit Scan Definition - Modify | Allows a User to modify an Identity Audit Scan definition | Modify Identity Audit Scan Definition; View or Search Identity Audit Scan Definition; Create Identity Audit Scan Run |
| Identity Audit Configuration | Identity Audit Scan Definition - Delete | Allows a User to delete an Identity Audit Scan definition | Delete Identity Audit Scan Definition; View or Search Identity Audit Scan Definition |
| Identity Audit Configuration | Identity Audit Scan Definition - View | Allows a User to view and search for Identity Audit Scan Definitions | View or Search Identity Audit Scan Definition; View User; View Role; View Application Instance; View Entitlement; View Organization; View Requests; View User Roles; View User Accounts; View User Entitlements; View Identity Audit Policy; View Identity Audit Configuration; View Identity Audit Scan Run; Search Catalog Item; View Identity Audit Policy Violation |
| Identity Audit Policy Violation | Identity Audit Policy Violation - Force Close | Allows a User to force close an Identity Audit Policy Violation | Force Identity Audit Policy Violation Close; View or Search Identity Audit Policy Violation |
| Identity Audit Policy Violation | Identity Audit Policy Violation - Assign | Allows a User to assign or reassign an Identity Audit Policy Violation | Assign Identity Audit Policy Violation; View or Search Identity Audit Policy Violation |
| Identity Audit Policy Violation | Identity Audit Policy Violation - Complete | Allows a User to complete an Identity Audit Policy Violation | Complete Identity Audit Policy Violation; View or Search Identity Audit Policy Violation; Accept Identity Audit Policy Violation Cause Risk; Request Identity Audit Policy Violation Cause Remediation; Mark Identity Audit Policy Violation Cause as Fixed |
| Identity Audit Policy Violation | Identity Audit Policy Violation - View | Allows a User to view an Identity Audit Policy Violation | View or Search Identity Audit Policy Violation; View or Search Identity Audit Policy Violation Cause |
| Certification | Certification - Modify | Allows a User to modify a Certification | Modify Certification; View Certification |
| Certification | Certification - View | Allows a User to view a Certification | View Certification |
| Certification | Certification - Modify Configuration | Allows a User to modify the Certification Configuration | Modify Certification Configuration |
| Certification | Certification - View Configuration | Allows a User to view the Certification Configuration | View Certification Configuration |
| Access Policy | Access Policy - Create | Allows a User to create Access Policies | Create Access Policy; View or Search Access Policy |
| Access Policy | Access Policy - Delete | Allows a User to delete Access Policies | Delete Access Policy; View or Search Access Policy |
| Access Policy | Access Policy - Modify | Allows a User to modify Access Policies | Edit Access Policy; View or Search Access Policy |
| Access Policy | Access Policy - View/Search | Allows a User to view and search for Access Policies | View or Search Access Policy |

B.2 List of Self Capabilities

This appendix provides the list of Admin Role capabilities in Table B-1 and the list of Self capabilities in Table B-2.

Table B-2 Self Capabilities

| Functional Type | Functional Capability | Description | Implied Capabilities |
|---|---|---|---|
| Self Service | Self Service - Modify Profile | Allows a User to modify their own user profile | Modify Self; View or Search Self |
| Self Service | Self Service - Modify Proxy | Allows a User to add, modify, delete or view their own proxies | Modify Self Proxy; View or Search Self; Add Self Proxy; Delete Self Proxy; View Self Proxy |
| Self Service | Self Service - Request Role Memberships | Allows a User to request Roles published to their home organization | Request Self Role; Modify Self Role; View Self Roles |
| Self Service | Self Service - Modify Roles Memberships | Allows a User to modify Roles assigned to them | Modify Self Role; View Self Roles |
| Self Service | Self Service - Revoke Role Memberships | Allows a User to delete Roles assigned to them | Remove Self Role; Modify Self Role; View Self Roles |
| Self Service | Self Service - Request Accounts | Allows a User to request Accounts published to their home organization, including start and end dates | Request Self Account; Modify Self Accounts; View Self Accounts |
| Self Service | Self Service - Modify Accounts | Allows a User to modify Accounts assigned to them | Modify Self Accounts; View Self Accounts |
| Self Service | Self Service - Change Account Password | Allows a User to change password on Accounts assigned to them | Change Self Account Password; View Self Accounts |
| Self Service | Self Service - Revoke Accounts | Allows a User to delete Accounts assigned to them now or on a specified end date | Remove Account; Modify Self Account; View Self Accounts |
| Self Service | Self Service - Request Entitlements | Allows a User to request Entitlements published to their home organization, including start and end dates | Request Self Entitlement; Modify Self Entitlement; View Self Entitlements |
| Self Service | Self Service - Modify Entitlements | Allows a User to modify Entitlements assigned to them | Modify Self Entitlement; View Self Entitlements |
| Self Service | Self Service - Revoke Entitlements | Allows a User to delete Entitlements assigned to them now or at a specified end date | Remove Self Entitlement; Modify Self Entitlement; View Self Entitlements |