Attributes User Management Authorization

■ Org3 has Org3Child1 and Org3Child2 as child organizations.

Consider the following scenarios:

Scenario I: User1 has Role1 only and belongs to the Org1Child1 organization. The user can:

■ Search for users who are members of the Org1Child1 organization. The search can be performed on the basis of the First Name, Last Name, Middle Name, and Display Name user attributes, and the search result can contain a subset of these attributes.

■ Modify the First Name, Last Name, and Middle Name user attributes of users in the Org1Child1 organization.

Scenario II: User2 has Role1 and Role2 and belongs to the Org2 organization. User2 has direct reports DR1 and DR2, who belong to the Org2 organization. The user can:

■ View the User Login, User Type, and OIM User Type user attributes of users in the Org3 organization, because of Policy2.

■ Modify the User Type attribute of users in the Org3 organization, because of Policy2.

■ View the First Name, Last Name, and Middle Name user attributes of users in the Org2 organization, because of Policy1.

■ Modify the First Name, Last Name, and Middle Name user attributes of users in the Org2 organization, because of Policy1.

■ View the User Login, User Type, OIM User Type, and Designation user attributes of all the user's direct reports, because of Policy3.

■ Modify the Designation attribute of all the user's direct reports, because of Policy3.

If the user being modified is DR1, then the list of modifiable attributes is First Name, Last Name, and Middle Name because of Policy1, and Designation because of Policy3. The user cannot view, modify, or search users from the child organizations of Org3, which are Org3Child1 and Org3Child2.

Based on these scenarios, for the search operation, a union of the viewable attributes from all three authorization policies is displayed to the user. In other words, the user is able to see the User Login, User Type, OIM User Type, First Name, Last Name, Middle Name, Display Name, and Designation attributes in the search results irrespective of which authorization policy grants each one. Here, the Designation attribute is displayed not only for DR1 and DR2, who are direct reports of User2, but for all the users in the results.

11.4.4.2 Modify Operation Authorization with Multiple Authorization Policies

If the logged-in user is allowed to modify a user profile as defined by multiple policies, then a union of the sets of attributes from the individual policies is used for performing the operation. Refer to Scenario II of "Search Operation Authorization with Multiple Authorization Policies" on page 11-53 for the example related to the modify operation when multiple authorization policies apply.
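The following added example (not Oracle's code) models the two union rules described above for Scenario II: search shows the union of viewable attributes from every policy the user holds, on every result row, while modify takes the union only over policies whose scope contains the target user. The policy scopes beyond what the page states (Policy1 scoped to the assignee's own organization, Policy3 attached to Role2) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    roles: frozenset          # roles the policy is assigned to
    view: frozenset           # attributes assignees may view in search results
    modify: frozenset         # attributes assignees may modify
    orgs: frozenset = frozenset()   # explicit organization scope (child orgs NOT included)
    own_org: bool = False     # scope: assignee's own organization (assumption)
    direct_reports: bool = False    # scope: assignee's direct reports

@dataclass(frozen=True)
class User:
    login: str
    roles: frozenset
    org: str
    manager: str = None       # login of the user's manager, if any

def in_scope(p, actor, target):
    """Does `target` fall inside policy `p`'s data constraint for `actor`?"""
    if not p.roles & actor.roles:
        return False
    return ((p.own_org and target.org == actor.org)
            or (p.direct_reports and target.manager == actor.login)
            or target.org in p.orgs)

def searchable_attributes(actor, policies):
    """Search: union of viewable attributes of ALL policies the actor holds, shown on
    every result row (so Designation appears even for users who are not direct reports)."""
    return frozenset().union(*(p.view for p in policies if p.roles & actor.roles))

def modifiable_attributes(actor, target, policies):
    """Modify: union over only those policies whose scope contains this target."""
    return frozenset().union(*(p.modify for p in policies if in_scope(p, actor, target)))

def can_search(actor, target, policies):
    return any(in_scope(p, actor, target) for p in policies)

# Policies from the page's Scenario II; the role assignment of Policy3 and the
# "own organization" scope of Policy1 are assumptions, not stated on the page.
POLICIES = [
    Policy("Policy1", frozenset({"Role1"}), frozenset({"First Name", "Last Name", "Middle Name", "Display Name"}),
           frozenset({"First Name", "Last Name", "Middle Name"}), own_org=True),
    Policy("Policy2", frozenset({"Role2"}), frozenset({"User Login", "User Type", "OIM User Type"}),
           frozenset({"User Type"}), orgs=frozenset({"Org3"})),
    Policy("Policy3", frozenset({"Role2"}), frozenset({"User Login", "User Type", "OIM User Type", "Designation"}),
           frozenset({"Designation"}), direct_reports=True),
]
USER2 = User("User2", frozenset({"Role1", "Role2"}), "Org2")
DR1 = User("DR1", frozenset(), "Org2", manager="User2")
```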