Creating Authorization Policies Based on Existing Policies Viewing and Modifying Authorization Policies

15-16 Oracle Fusion Middleware User's Guide for Oracle Identity Manager

Policy Name: User Management Administration Policy
Assignee: System Administrators and Identity User Administrators roles
Functional Security: The permissions include: Change User Password, Create User, Delete User, Evaluate Access Policies, Modify OIM Account Status, Modify User Profile, Modify User Proxy Profile, Modify User Status, Provision Resource to User, Search User, View User Details, and View User Requests. Note: The Modify User Profile and View User Details permissions have associated attribute settings. For both permissions, the attribute setting is All Attributes.
Data Security: All Users organization. Assignee must be a member of the Users Organization: No. Hierarchy Aware: Yes.
Description: Allows users with the SYSTEM ADMINISTRATORS or IDENTITY USER ADMINISTRATORS role to access all User Management actions.

Policy Name: User Management Search Policy
Assignee: Request Template Administrators, Request Administrators, Approval Policy Administrators, and Reconciliation Administrators roles
Functional Security: The permissions are: Search Users, and View User Details. View User Details has associated attribute settings, which are: Display Name, First Name, Full Name, GUID, Last Name, Organization, and User Login.
Data Security: All Organizations. Assignee must be a member of the Users Organization: No. Hierarchy Aware: Yes.
Description: Allows users with the REQUEST ADMINISTRATORS, RECONCILIATION ADMINISTRATORS, REQUEST TEMPLATE ADMINISTRATORS, or APPROVAL POLICY ADMINISTRATORS roles to search based on GUID and User Login.

Policy Name: User Management All Users Policy
Assignee: ALL Users role
Functional Security: The permission is: View User Details. This has associated attribute settings, which are: Display Name, First Name, Full Name, GUID, Last Name, Organization, and User Login.
Data Security: All Organizations. Assignee must be a member of the Users Organization: No. Hierarchy Aware: Yes.
Description: Allows users with the ALL USERS role to access all User Management actions.

Policy Name: User Management policies for Managers
Assignee: ALL Users role
Functional Security: The permissions are: Search User, and View User Details.
Data Security: All Organizations. Assignee must be a member of the Users Organization: No. Hierarchy Aware: Yes.
Description: Allows managers to search and view their reportees.

Managing Authorization Policies 15-17

15.3.2 Authenticated User Self Service

See Also: Chapter 8, Managing Profile, Chapter 9, Managing Tasks, and Chapter 10, Managing Requests for information about the authenticated user self service feature.

Authorization policies are used to control the following areas of authenticated self service:
■ Authorization for Profile Attributes
■ Authorization for Role Requests
■ Authorization for Resource Requests
■ Authorization for Proxies
■ Default Authorization Policies

15.3.2.1 Authorization for Profile Attributes

The attributes displayed on the My Profile page of Oracle Identity Manager Self Service are controlled by the VIEW_USER_DETAILS and MODIFY_USER_DETAILS privileges from the Self Service User Management OES authorization policies. If multiple policies are applicable, then the set of attributes on which the user has permissions is the union of the attributes determined by the individual policies. By default, the All Users and System Administrators roles have permissions to view and modify a set of attributes.

The All Users and System Administrators roles have permissions to view the following attributes: Email, Display Name, First Name, Last Name, Locale, Middle Name, Telephone Number, Time Zone, User Login, Manager, Identity Status, and Account Status.

The All Users and System Administrators roles have permissions to modify the following attributes: Email, Display Name, First Name, Last Name, Locale, Middle Name, Telephone Number, Time Zone, and User Login.

If the user has view and modify privileges for an attribute, then the attribute is displayed as editable on the My Profile page. If the attribute has view permission only, then it is displayed as read-only.

The request to modify the self profile is submitted by using the Modify Self Profile request template. The request dataset for this request template is the same as that for the Modify User request template.

To display additional attributes on the user's profile:

1. Create a custom self service authorization policy with view and/or modify user profile permission that includes the default or custom additional attributes. See Creating Custom Authorization Policies on page 15-5 for information about creating custom authorization policies.

2. Assign the custom authorization policy to the All Users and System Administrators roles, because the administrator user does not have the All Users role by default.

3. If the additional attribute is given modify user profile permission in the policy, then update the request dataset for the Modify Self Profile request template, that is, ModifyUserDataset.xml, to include the attribute. The entry in the dataset is what makes the attribute render on the Modify Self Profile page.

15.3.2.2 Authorization for Role Requests

There is no permission defined for requesting and viewing roles as self service operations. However, while requesting roles, only those request templates that the user is authorized to access are displayed. The request management feature controls this. While searching for roles during the request operation, the user is allowed to select from only those roles that the user is authorized to search and view. This is controlled by the role management policies. The roles available to the user in the list of roles on the Request Roles page are the result of the intersection of the roles provided in the request template and the roles that the user has search permission for. For example, if the request template has roles Role1, Role2, and Role3 and the user has search permission on Role2 and Role3, then Role2 and Role3 are displayed in the list of roles. Similarly, if the user has search permission on Role1, Role2, and Role3 and the request template has roles Role2 and Role3, then Role2 and Role3 are displayed in the list of roles. The user can request all the roles for which the user has search permission. This is controlled by the general authorization policy defined by role management. While creating a request for a role, the user must search for and select the roles.
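The two decision rules described in 15.3.2.1 (union of attribute permissions across applicable policies, then editable versus read-only rendering) and in 15.3.2.2 (intersection of request-template roles and searchable roles), as an added illustration that is not Oracle Identity Manager code. The policy dicts, the role names, the "Department" attribute and the "Custom Self Service Policy" are constructed assumptions for the example; the default attribute lists are the ones the text gives.

```python
# Illustration of the page's decision rules, not OIM/OES code.
# Policies are modelled as dicts (an assumption for this example): the roles
# they apply to and the attributes granted VIEW_USER_DETAILS / MODIFY_USER_DETAILS.
SAMPLE_POLICIES = [
    {   # default self-service policy, attribute lists taken from the text
        "name": "Self Service User Management (default)",
        "roles": {"ALL USERS", "SYSTEM ADMINISTRATORS"},
        "view": {"Email", "Display Name", "First Name", "Last Name", "Locale",
                 "Middle Name", "Telephone Number", "Time Zone", "User Login",
                 "Manager", "Identity Status", "Account Status"},
        "modify": {"Email", "Display Name", "First Name", "Last Name", "Locale",
                   "Middle Name", "Telephone Number", "Time Zone", "User Login"},
    },
    {   # hypothetical custom policy (step 1 of the procedure) adding one view-only attribute
        "name": "Custom Self Service Policy",
        "roles": {"ALL USERS"},
        "view": {"Department"},
        "modify": set(),
    },
]


def profile_attribute_rendering(policies, user_roles):
    """Return {attribute: 'editable' | 'read-only'} for the My Profile page.

    Permissions from every policy that applies to one of the user's roles are
    unioned; view+modify renders editable, view-only renders read-only, and an
    attribute without view permission is not displayed at all.  Because of the
    union, a modify grant in any single applicable policy is enough to make the
    attribute editable, which is the point to check when adding custom policies.
    """
    view, modify = set(), set()
    for policy in policies:
        if policy["roles"] & set(user_roles):  # policy applies to this user
            view |= policy["view"]
            modify |= policy["modify"]
    return {attr: ("editable" if attr in modify else "read-only") for attr in view}


def requestable_roles(template_roles, searchable_roles):
    """Roles offered on the Request Roles page: the intersection of the roles in
    the request template and the roles the user has search permission for."""
    return sorted(set(template_roles) & set(searchable_roles))
```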

15.3.2.3 Authorization for Resource Requests

There is no permission defined for requesting and viewing resources as self service operations. However, for requesting and viewing resources, the resource must be configured so that self requesting for that resource is allowed. This is done by selecting the Self Request Allowed option in the Resource Objects form in Oracle Identity Manager Design Console.

See Also: Configuring Requests in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about request models, request templates, and request datasets.

Note: Ensure that the additional attribute has the visible property set.