
Managing Authorization Policies 15-19

15.3.2.4 Authorization for Proxies

To add, modify, and remove proxies, authorization checks are performed in the authenticated self service APIs, together with a new MODIFY_SELF_USER_PROXY_PROFILE privilege in the default authorization policy for self service user management. The authenticated self service API first checks for this privilege. Only if the user is authorized to perform the proxy operation does the authenticated self service API call the corresponding user management APIs. The Modify Self User Proxy Profile permission is therefore required to add, modify, or remove proxies.

15.3.2.5 Default Authorization Policies

The following table lists the default authorization policy details for authenticated self service:

See Also: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about the Resource Objects form in Oracle Identity Manager Design Console

See Also: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about Oracle Identity Manager APIs

Policy Name: Self Assign Roles
Assignee: ALL USERS role
Functional Security: The permission is: Initiate Request
Data Security: None
Description: Allows users with ALL USERS role to access the Self Assign Roles request template

Policy Name: Self De-Provision Resource
Assignee: ALL USERS role
Functional Security: The permission is: Initiate Request
Data Security: None
Description: Allows users with ALL USERS role to access Self Modify Provisioned Resource request template

Policy Name: Self Modify Provisioned Resource
Assignee: ALL USERS role
Functional Security: The permission is: Initiate Request
Data Security: None
Description: Allows users with ALL USERS role to access Self Remove Roles request template

Policy Name: Self Remove Roles
Assignee: ALL USERS role
Functional Security: The permission is: Initiate Request
Data Security: None
Description: Allows users with ALL USERS role to access Self Assign Roles request template

15-20 Oracle Fusion Middleware User's Guide for Oracle Identity Manager

15.3.3 Role Management

The components of the authorization policies defined for the role management feature and the default authorization policy for this feature are described in the following sections:

■ Assignee
■ Functional Security
■ Data Security
■ Default Authorization Policies

15.3.3.1 Assignee

The assignee of the policy can be a role or a set of roles.

The following entries continue the authenticated self service default authorization policies table from Section 15.3.2.5:

Policy Name: Self Service User Management All Users Policy
Assignee: ALL USERS and SYSTEM ADMINISTRATORS roles
Functional Security: The permissions are:
■ Modify Self User Proxy Profile
■ Modify User Profile: This has associated attribute settings. They are Display Name, Email, First Name, Last Name, Locale, Middle Name, Telephone Number, Time Zone, and User Name Preferred Language.
■ View User Details: The associated attribute settings are Account Status, Display Name, Email, First Name, Identity Status, Last Name, Locale, Manager, Middle Name, Password Expire Date, Password Expired, Password Warn Date, Password Warned, Telephone Number, Time Zone, User Login, and User Name Preferred Language.
Data Security: None
Description: Allows all users to access certain Self Service User Management actions

Policy Name: Self Request Resource
Assignee: ALL USERS role
Functional Security: The permission is: Initiate Request
Data Security: None
Description: Allows users with ALL USERS role to access Self-Request Resource request template

See Also: Chapter 12, Managing Roles for information about the role management feature

15.3.3.2 Functional Security

Multiple privileges are defined for the role management feature. The privileges do not support fine-grained attribute-level controls.

15.3.3.3 Data Security

For the role management feature, data security is defined as the list of roles the assignee will have privileges over. The Assignee Must Be Member of condition restricts the grant to assignees that are also members of the role being granted privileges over. The Hierarchy Aware setting takes the role hierarchies into account when determining the data security.

15.3.3.4 Default Authorization Policies

The default authorization policies defined for this feature cannot be modified or deleted by users. The policies are described in the following table:

Policy Name: Role Management Administration Policy
Assignee: SYSTEM ADMINISTRATORS and ROLE ADMINISTRATORS roles
Functional Security: The permissions are: Create Role, Create Role Category, Delete Role, Delete Role Category, Modify Role, Modify Role Category, Modify Role Hierarchy, Modify Role Membership, Search for Role, Search for Role Categories, View Role Category Detail, View Role Detail, and View Role Membership
Data Security: All Roles
Description: This is the predefined authorization policy associated with the ROLE ADMINISTRATORS and SYSTEM ADMINISTRATORS roles.

Policy Name: Role Management All Users Policy
Assignee: ALL USERS role
Functional Security: The permissions are: Search for Role, Search for Role Categories, View Role Detail, and View Role Category Detail
Data Security: One of the following:
■ All Roles, in which the authorization is applied to users belonging to roles
■ Selected Roles, in which you can select the roles that the user must be a member of for this authorization
Description: This is the predefined authorization policy associated with the ALL USERS role.
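The following added example (not Oracle Identity Manager code; it is a model written for this page) shows how the role management policy components from Sections 15.3.3.3 and 15.3.3.4 combine into one decision: the assignee and functional security checks pick a policy, and that policy's data security (All Roles or Selected Roles, the Hierarchy Aware setting, and the Assignee Must Be Member of condition) decides whether the target role is covered. The role hierarchy, the "HR" roles, the third policy, and the assumption that membership of a child role also counts as membership of its parent roles are constructed for illustration; the two default policies are taken from the table above.

```python
from dataclasses import dataclass

# Constructed hierarchy, child role -> parent role. Assumed semantics for this example:
# a member of a child role also counts as a member of its parent roles.
ROLE_PARENTS = {"HR Analysts": "HR Staff", "HR Staff": "Employees"}

def effective_roles(direct_roles):
    """Direct memberships plus all ancestor roles in the hierarchy."""
    roles, stack = set(), list(direct_roles)
    while stack:
        r = stack.pop()
        if r not in roles:
            roles.add(r)
            if r in ROLE_PARENTS:
                stack.append(ROLE_PARENTS[r])
    return roles

@dataclass
class Policy:
    name: str
    assignee: set                        # roles the policy is granted to
    permissions: set                     # functional security
    selected_roles: "set | None" = None  # None = All Roles, else Selected Roles
    hierarchy_aware: bool = False        # Selected Roles also cover their child roles
    must_be_member: bool = False         # "Assignee Must Be Member of" condition

def in_scope(policy, target_role, user_roles):
    """Data security: may this assignee act on target_role under this policy?"""
    if policy.selected_roles is not None:
        # Hierarchy Aware: a role is in scope if it, or any ancestor, is a selected role.
        covered = effective_roles({target_role}) if policy.hierarchy_aware else {target_role}
        if not covered & policy.selected_roles:
            return False
    return not policy.must_be_member or target_role in user_roles

def is_authorized(policies, user_direct_roles, permission, target_role):
    """Functional security (permission via an assigned policy) plus that policy's data security."""
    user_roles = effective_roles(user_direct_roles)
    return any(p.assignee & user_roles and permission in p.permissions
               and in_scope(p, target_role, user_roles) for p in policies)

POLICIES = [  # the two default policies from the table plus one constructed custom policy
    Policy("Role Management Administration Policy",
           {"SYSTEM ADMINISTRATORS", "ROLE ADMINISTRATORS"},
           {"Create Role", "Delete Role", "Modify Role Membership", "View Role Detail"}),
    Policy("Role Management All Users Policy", {"ALL USERS"},
           {"Search for Role", "View Role Detail"}),
    Policy("HR Role Delegation (constructed)", {"HR Staff"}, {"Modify Role Membership"},
           selected_roles={"HR Staff"}, hierarchy_aware=True, must_be_member=True),
]
```

The administration policy permission set is abbreviated from the full list in the table.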