Select the role, and then click Remove. A message box is displayed asking you to confirm the removal. Click OK to confirm.

Managing Authorization Policies 15-15

The Assignee must be a member of security setting restricts the grant to assignees who are also members of the organizations or roles over which the privileges are being granted. If the assignee belongs to multiple organization hierarchies, then membership in at least one of the granted organization hierarchies is sufficient for the assignee to receive the grant.

15.3.1.2 Functional Security

Multiple privileges are defined for the user management feature, such as Search for Users and View User Detail. The following privileges support fine-grained attribute-level controls, in which the user creating the policy selects the specific attributes to which the operation applies:
■ View User Detail
■ Modify User Profile
The list of attributes is based on the attributes defined for the user entity.

15.3.1.3 Data Security

For the user management feature, data security is defined as the list of organizations whose members the assignee has privileges over. The set of users being managed by the authorization policy cannot be specified by attribute filtering. If the Hierarchy Aware option is selected, then the organization and role hierarchies are taken into account when determining the data security.

15.3.1.4 Default Authorization Policies

There are two default authorization policies for the user management feature. Users are not allowed to modify or delete these policies. The View User Details permission should include the User Login, Account Status, Identity Status, Full Name, and Display Name attributes. If these attributes are not provided, the user might not be fully viewable or editable. The following table lists the default authorization policy details for user management:

Note:
■ Any user management policy that provides the Search User permission must also provide the View User Details permission.
■ For a complete list of privileges for the user management feature, see Privileges on page 11-50.

15-16 Oracle Fusion Middleware Users Guide for Oracle Identity Manager

Policy Name: User Management Administration Policy
Assignee: System Administrators and Identity User Administrators roles
Functional Security: The permissions include Change User Password, Create User, Delete User, Evaluate Access Policies, Modify OIM Account Status, Modify User Profile, Modify User Proxy Profile, Modify User Status, Provision Resource to User, Search User, View User Details, and View User Requests. Note: Modify User Profile and View User Details have associated attribute settings. For both permissions, the attribute setting is All Attributes.
Data Security: All Users organization. Assignee must be a member of the Users Organization: No. Hierarchy Aware: Yes.
Description: Allows users with the SYSTEM ADMINISTRATORS or IDENTITY USER ADMINISTRATORS role to access all User Management actions.

Policy Name: User Management Search Policy
Assignee: Request Template Administrators, Request Administrators, Approval Policy Administrators, and Reconciliation Administrators roles
Functional Security: The permissions are Search Users and View User Details. View User Details has associated attribute settings: Display Name, First Name, Full Name, GUID, Last Name, Organization, and User Login.
Data Security: All Organizations. Assignee must be a member of the Users Organization: No. Hierarchy Aware: Yes.
Description: Allows users with the REQUEST ADMINISTRATORS, RECONCILIATION ADMINISTRATORS, REQUEST TEMPLATE ADMINISTRATORS, or APPROVAL POLICY ADMINISTRATORS roles to search based on GUID and User Login.
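The following Python is an added example, not Oracle Identity Manager code or part of this guide. It models how the settings described in the Functional Security, Data Security and Default Authorization Policies sections combine when a policy is evaluated: attribute-level permissions, organization scope with and without Hierarchy Aware, the Assignee must be a member of restriction (including an assignee who belongs to more than one organization hierarchy), and the note that a Search User grant needs a View User Details grant carrying the identifying attributes. The organization hierarchy, roles, users and the Engineering Help Desk policy are constructed for the illustration, and authorize, view_user_details and lint_policy are hypothetical function names, not an OIM API.

```python
"""Toy evaluator for an OIM-style user management authorization policy.
Added illustration, not Oracle Identity Manager code: it models attribute-level
privileges (Functional Security), organization scope with Hierarchy Aware
(Data Security), the "Assignee must be a member of" restriction, and the note
that Search User needs View User Details. All names below are constructed."""
from dataclasses import dataclass, field

# Constructed organization hierarchy: org -> parent org (None = top level).
ORG_PARENT = {"Acme": None, "Acme Engineering": "Acme",
              "Acme Engineering Platform": "Acme Engineering",
              "Acme Sales": "Acme", "Partner Corp": None}
# Attributes a View User Details grant should carry (from the page's note).
REQUIRED_VIEW_ATTRS = {"User Login", "Account Status", "Identity Status",
                       "Full Name", "Display Name"}

def lineage(org):
    """org followed by every organization above it in the hierarchy."""
    chain = []
    while org is not None:
        chain.append(org)
        org = ORG_PARENT[org]
    return chain

@dataclass
class User:
    login: str
    orgs: set                       # organizations the user belongs to
    roles: set = field(default_factory=set)
    attrs: dict = field(default_factory=dict)

@dataclass
class Policy:
    name: str
    assignee_roles: set             # Assignee: roles the policy is granted to
    permissions: dict               # privilege -> attribute set, "ALL", or None
    orgs: set                       # Data Security: managed organizations
    hierarchy_aware: bool
    assignee_must_be_member: bool   # "Assignee must be a member of" setting

def org_in_scope(policy, org):
    """Data security for one organization, honouring Hierarchy Aware."""
    if policy.hierarchy_aware:
        return any(o in policy.orgs for o in lineage(org))
    return org in policy.orgs

def user_in_scope(policy, user):
    """A match to at least one of the user's organization hierarchies suffices."""
    return any(org_in_scope(policy, o) for o in user.orgs)

def authorize(policy, assignee, privilege, target):
    """Attributes the assignee may act on with `privilege` against `target`:
    empty set = denied, {'*'} = allowed for a privilege without attribute settings."""
    if not (assignee.roles & policy.assignee_roles):
        return set()                # not an assignee of this policy
    if privilege not in policy.permissions:
        return set()                # functional security
    if not user_in_scope(policy, target):
        return set()                # data security
    if policy.assignee_must_be_member and not user_in_scope(policy, assignee):
        return set()                # grant limited to members of the managed orgs
    allowed = policy.permissions[privilege]
    if allowed is None:
        return {"*"}
    return set(target.attrs) if allowed == "ALL" else set(allowed) & set(target.attrs)

def view_user_details(policy, assignee, target):
    """Attribute-level filtering: only the granted attributes are returned."""
    visible = authorize(policy, assignee, "View User Details", target)
    return {k: v for k, v in target.attrs.items() if k in visible}

def lint_policy(policy):
    """Checks from the Default Authorization Policies note."""
    problems = []
    if "Search User" in policy.permissions:
        view = policy.permissions.get("View User Details", "missing")
        if view == "missing":
            problems.append("Search User granted without View User Details")
        elif view != "ALL":
            missing = REQUIRED_VIEW_ATTRS - set(view or ())
            if missing:
                problems.append("View User Details missing " + ", ".join(sorted(missing)))
    return problems

# Constructed sample: a help-desk policy scoped to Acme Engineering and below.
HELPDESK = Policy("Engineering Help Desk Policy", {"ENGINEERING HELP DESK"},
    {"Search User": None,
     "View User Details": {"User Login", "Full Name", "Display Name",
                           "Account Status", "Identity Status"},
     "Modify User Profile": {"Display Name", "Telephone Number"},
     "Change User Password": None},
    orgs={"Acme Engineering"}, hierarchy_aware=True, assignee_must_be_member=True)
HELPDESK_USER = User("hdesk1", {"Acme Engineering"}, {"ENGINEERING HELP DESK"})
PARTNER_USER = User("part1", {"Partner Corp"}, {"ENGINEERING HELP DESK"})
PLATFORM_DEV = User("pdev1", {"Acme Engineering Platform"}, attrs={
    "User Login": "pdev1", "Full Name": "Pat Dev", "Display Name": "Pat",
    "Account Status": "Unlocked", "Identity Status": "Active",
    "Telephone Number": "555-0100", "Manager": "mgr1"})
SALES_REP = User("srep1", {"Acme Sales"}, attrs={"User Login": "srep1"})

if __name__ == "__main__":
    print(authorize(HELPDESK, HELPDESK_USER, "Change User Password", PLATFORM_DEV))
    print(authorize(HELPDESK, HELPDESK_USER, "Change User Password", SALES_REP))
    print(view_user_details(HELPDESK, HELPDESK_USER, PLATFORM_DEV))
    print(authorize(HELPDESK, PARTNER_USER, "Search User", PLATFORM_DEV))
    print(lint_policy(HELPDESK))
```

Run as a script it shows the help-desk assignee reaching a user in the child organization Acme Engineering Platform only because Hierarchy Aware is set, being denied on a user in Acme Sales, seeing only the five granted attributes of the target (Telephone Number and Manager are filtered out even though the profile holds them), and the Partner Corp assignee being refused despite holding the role because of the Assignee must be a member of setting. Turning hierarchy_aware off in the constructed policy narrows the scope to direct members of Acme Engineering, which is the check to run before trusting a policy that names a parent organization.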