Explicit Permission Not Required

12-24 Oracle Fusion Middleware User's Guide for Oracle Identity Manager

Roles link is displayed if the user is authorized to perform advanced search for roles.

The actions that the user is authorized to perform are determined by the authorization policies. These authorization policies are defined for Oracle Identity Manager and stored in Oracle Entitlements Server (OES). The policies are enforced at runtime to control the authorization to perform various tasks in the UI.

See Also: Chapter 15, Managing Authorization Policies for detailed information about authorization policies

Authorization policies control the access to various operations with the help of permissions. Table 12–8 lists the permissions for role management operations:

Table 12–8 Role Management Permissions

Permission                  Description
--------------------------  --------------------------------------------------------------------------
Create Role                 Determines if the user can create a role
                            Note: This permission is not associated with a specific role.
Modify Role Detail          Determines if the user can update a specific role
Delete Role                 Determines if the user can delete a specific role
View Role Detail            Determines if the user can view a specific role and the complete hierarchy of the specific role
Search for Role             Determines if the user can search for roles
                            Note: This permission is not associated with a specific role.
Modify Role Membership      Determines if the user can grant or revoke a specific role to a user
Modify Role Hierarchy       Determines if the user can add or remove a child role to or from a specific role
View Role Membership        Determines if the user can view the users to whom the specific role is granted
Create Role Category        Determines if the user can create a role category
                            Note: This permission is not associated with a specific role category or role.
Modify Role Category        Determines if the user can update a role category
                            Note: This permission is not associated with a specific role category or role.
Delete Role Category        Determines if the user can delete a role category
                            Note: This permission is not associated with a specific role category or role.
View Role Category Detail   Determines if the user can view the details of a role category
                            Note: This permission is not associated with a specific role category or role.
Search for Role Categories  Determines if the user can search for role categories
                            Note: This permission is not associated with a specific role category or role.

Note: When a role is granted to a user, the Modify Role Membership permission must be granted on the specific role that you are trying to grant.

Permissions are enforced by authorization policies, which regulate the way permissions are granted. The default authorization policies for the role management feature allow Oracle Identity Manager to function properly. Without these policies, you cannot access or perform any task in Oracle Identity Manager. This applies to both administrators and users.

You can create custom authorization policies to enforce delegated administration by using the Authorization Policy tab of Oracle Identity Administration. The following must be specified while creating an authorization policy:

■ Policy name and description
■ Oracle Identity Manager feature for which the policy is being created
■ Set of permissions associated with various actions
■ Assignment of the policy to roles, which decides who gets the permissions through role membership
■ Data constraint, which is the set of roles on which the actions specified in the policy can be performed. Hierarchy is supported in the data constraints, so every role that is part of the hierarchy of a listed role is included in the data constraint. This allows you to create a simple policy with only a few roles listed in the constraint that nevertheless covers a much larger set of roles based on the hierarchy.
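The following is an added example, not Oracle code: a small model of the policy elements listed above (feature, permissions, assignment to roles, data constraint) that shows how a data constraint listing one parent role expands through the role hierarchy, and how a role-independent permission such as Search for Role skips that constraint. The role names, hierarchy and policy are constructed for the example.

```python
# Added example, not Oracle code: models the policy elements listed above and
# the hierarchy expansion of the data constraint. Role names, hierarchy and the
# policy below are constructed for the example.
from dataclasses import dataclass
# Constructed role hierarchy: parent role -> direct child roles.
HIERARCHY = {
    "All Contractors": ["EMEA Contractors", "APAC Contractors"],
    "EMEA Contractors": ["UK Contractors", "DE Contractors"],
}
# Permissions Table 12-8 marks as not associated with a specific role.
ROLE_INDEPENDENT = {"Create Role", "Search for Role"}

@dataclass(frozen=True)
class AuthorizationPolicy:
    feature: str                # OIM feature the policy is created for
    permissions: frozenset      # actions the policy grants
    assigned_to: frozenset      # roles whose members receive the permissions
    data_constraint: frozenset  # roles the actions may be performed on

def expand_hierarchy(roles, hierarchy=HIERARCHY):
    """Listed roles plus every role below them in the hierarchy."""
    covered, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in covered:
            covered.add(role)
            stack.extend(hierarchy.get(role, []))
    return covered

def is_authorized(user_roles, permission, target_role, policies):
    """True if a Role Management policy assigned to one of the user's roles
    grants the permission and, unless the permission is role-independent,
    its expanded data constraint contains the target role."""
    for p in policies:
        if (p.feature != "Role Management" or permission not in p.permissions
                or not p.assigned_to & set(user_roles)):
            continue
        if permission in ROLE_INDEPENDENT:
            return True
        if target_role in expand_hierarchy(p.data_constraint):
            return True
    return False

CONTRACTOR_DELEGATION = AuthorizationPolicy(
    feature="Role Management",
    permissions=frozenset({"View Role Detail", "Modify Role Membership"}),
    assigned_to=frozenset({"Contractor Admins"}),
    data_constraint=frozenset({"All Contractors"}),
)
```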

12.7 Request-Based Role Grants

You can configure Oracle Identity Manager to generate a request when a role grant is performed. This request is subject to approval, and therefore the role grant takes place only when the role grant request has been approved. In addition, if the Segregation of Duties (SoD) check for role grants is enabled, then you must also configure request-based role grants. However, request-based role grants can be enabled without enabling the SoD check for role grants.

To configure request-based role grants, you must set the values of the XL.RM_REQUEST_ENABLED and XL.RM_ROLE_ASSIGN_TEMPLATE system properties. For a description of these system properties and their possible values, see System Properties in Oracle Identity Manager in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

If the XL.RM_REQUEST_ENABLED system property is not present or no legal value has been specified for it, then role grants are performed without any request being generated. If XL.RM_REQUEST_ENABLED is true, and XL.RM_ROLE_ASSIGN_TEMPLATE has not been set or has an illegal value, then an error message is displayed, no role grant is performed, and no role request is generated.

See Also:
■ Role Management on page 15-20 for information about the default authorization policies for this feature
■ Creating an Authorization Policy for Role Management on page 15-9 for information about creating custom authorization policies for role management

See Also: Using Segregation of Duties (SoD) in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about SoD
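The following is an added example, not Oracle code: a checker for the two system properties described above, run over a constructed export of property values. It assumes that the legal values of XL.RM_REQUEST_ENABLED are TRUE and FALSE (case-insensitive), that a template value is legal only if it names an existing request template (a constructed set here), and that the SoD setting is passed in separately because this page does not name the property that controls it.

```python
# Added example, not Oracle code. Assumptions: XL.RM_REQUEST_ENABLED is legal
# only as TRUE/FALSE (case-insensitive); XL.RM_ROLE_ASSIGN_TEMPLATE is legal
# only if it names an existing request template (constructed set below); the
# SoD flag is a separate input because the page does not name its property.
KNOWN_TEMPLATES = {"Self Assign Roles"}  # constructed for the example

def role_grant_outcome(props, templates=KNOWN_TEMPLATES):
    """Outcome of a role grant under the given system properties:
    DIRECT_GRANT, REQUEST_GENERATED or ERROR_NO_GRANT."""
    enabled = str(props.get("XL.RM_REQUEST_ENABLED", "")).strip().lower()
    if enabled != "true":
        # Absent, FALSE or an illegal value: the grant happens, no request
        return "DIRECT_GRANT"
    template = str(props.get("XL.RM_ROLE_ASSIGN_TEMPLATE", "")).strip()
    if template not in templates:
        # Enabled but no usable template: error, no grant, no request
        return "ERROR_NO_GRANT"
    return "REQUEST_GENERATED"

def audit_role_grant_config(props, sod_check_for_role_grants,
                            templates=KNOWN_TEMPLATES):
    """Return a list of findings; an empty list means the settings are
    consistent with the rules described for request-based role grants."""
    findings = []
    outcome = role_grant_outcome(props, templates)
    if outcome == "ERROR_NO_GRANT":
        findings.append("XL.RM_ROLE_ASSIGN_TEMPLATE missing or illegal: "
                        "role grants will fail with an error")
    if sod_check_for_role_grants and outcome != "REQUEST_GENERATED":
        findings.append("SoD check for role grants is enabled but "
                        "request-based role grants are not configured")
    return findings

# Constructed property export, as a pre-change check might read it
SAMPLE_PROPS = {"XL.RM_REQUEST_ENABLED": "TRUE",
                "XL.RM_ROLE_ASSIGN_TEMPLATE": "Self Assign Roles"}
```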