
12 Managing Roles

As an administrator, you use roles to create and manage the records of a collection of users to whom you want to permit access to common functionality, such as access rights, roles, or permissions. Roles can be independent of an organization, span multiple organizations, or contain users from a single organization.

Using roles, you can:

■ View the menu items that the users can access through the Oracle Identity Manager Administration Web interface.
■ Assign users to roles.
■ Assign a role to a parent role.
■ Designate status to the users so that they can specify defined responses for process tasks.
■ Modify permissions on data objects.
■ Designate provisioning policies for a role. These policies determine if a resource object is to be provisioned to or requested for a member of the role.
■ Assign or remove membership rules to or from the role. These rules determine which users can be assigned to or removed from the role as direct members.
■ Map users via roles to access policies for automating the provisioning of target systems to the users. See Chapter 16, "Managing Access Policies" for details.

This chapter describes roles and functionalities related to roles in the following sections:

■ Role Membership Inheritance
■ Role Permission Inheritance
■ Role Entity Definition
■ Default Roles
■ Role Management Tasks
■ Managing Authorization for Roles
■ Request-Based Role Grants

12-2 Oracle Fusion Middleware User's Guide for Oracle Identity Manager

12.1 Role Membership Inheritance

Membership inheritance means that the members of the inheritor role inherit from the inherited role. For example:

■ Role B inherits memberships from Role A. Role B is a parent role of Role A.
■ Role C also inherits memberships from Role A. Role C is also a parent role of Role A.

In this example, all members of Role A are also implicit or indirect members of Role B and Role C, but members of Role B are not automatically members of Role A. In other words, Role B and Role C are the parents of Role A. Similarly, Role A is the child of Role B and Role C. A real example of this is that the Employee role (Role B) inherits memberships from the Manager role (Role A).

Role membership inheritance is described with the help of the following scenario:

■ The role CEO is a parent role of the Manager role.
■ The role Manager is a parent role of the Employee role.
■ The role Software Architect is a parent role of the Software Engineer role.
■ The role Software Engineer is a parent role of the Employee role.
■ The Employee role has two parent roles: the Manager role and the Software Engineer role.

Figure 12–1 shows the parent and child roles in this example, along with the membership inheritance.

Note: The child role that inherits membership from its parent role is called the inheritor role. The parent role from which the inheritor role inherits membership is called the inherited role.
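The following Python model is added here as an illustration and is not code from Oracle Identity Manager or its documentation. It applies the rule of the Role A/Role B example above (direct members of a child role become implicit members of every parent role, never the reverse) to the CEO/Manager/Employee scenario; the role names come from the scenario, while the user names and the cycle check are constructed assumptions.

```python
from collections import deque

# Constructed role hierarchy taken from the scenario in this section:
# child role -> its parent roles (Employee has two parents).
PARENTS = {
    "Employee": ["Manager", "Software Engineer"],
    "Manager": ["CEO"],
    "Software Engineer": ["Software Architect"],
    "CEO": [],
    "Software Architect": [],
}

# Constructed direct memberships; the user names are placeholders.
DIRECT = {
    "Employee": {"alice", "bob"},
    "Manager": {"carol"},
    "Software Engineer": {"dave"},
    "CEO": {"erin"},
}


def ancestors(role, parents):
    """All parent roles of `role`, followed transitively. A role that turns up
    among its own ancestors means the hierarchy has a cycle, which is rejected."""
    seen, queue = set(), deque(parents.get(role, []))
    while queue:
        r = queue.popleft()
        if r not in seen:
            seen.add(r)
            queue.extend(parents.get(r, []))
    if role in seen:
        raise ValueError(f"cycle in role hierarchy through {role!r}")
    return seen


def effective_members(role, parents=PARENTS, direct=DIRECT):
    """Direct members of `role` plus the direct members of every role that has
    `role` as an ancestor (membership flows from child to parent, never down)."""
    members = set(direct.get(role, set()))
    for child in parents:
        if role in ancestors(child, parents):
            members |= direct.get(child, set())
    return members


def membership_kind(user, role, parents=PARENTS, direct=DIRECT):
    """'direct', 'indirect' (inherited through a child role) or None."""
    if user in direct.get(role, set()):
        return "direct"
    return "indirect" if user in effective_members(role, parents, direct) else None
```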