Understanding the Oracle Directory Integration Platform for Provisioning 12-17 to manage and provision users, manage applications, or any combination of these privileges, as described in the following scenarios: ■ Provisioning Administration Model ■ Oracle Delegated Administration Services Privileges ■ Provisioning Administration Privileges ■ Application Administration Privileges ■ Oracle Delegated Administration Services and Provisioning Administration Privileges ■ Application Administration and Oracle Delegated Administration Services Privileges ■ Provisioning and Application Administration Privileges ■ Oracle Delegated Administration Services, Provisioning, and Application Administration Privileges

12.7.1 Provisioning Administration Model

The following types of provisioning information is managed in Oracle Internet Directory: ■ Base user information. ■ Application-specific information. ■ User provisioning status in each provisioning-integrated application; this information is stored in the base user entry but is administered separately. Administrators and users each require the following types of privileges: ■ Administrators require privileges for managing base user attributes and application-specific information. ■ Users require privileges for managing their own base attributes and application-specific information. User accounts with administrative privileges are represented by the group entry cn=User Provisioning Admins,cn=Groups,cn=OracleContext. To manage application-specific information, the application must grant privileges to the cn=User Provisioning Admins,cn=Groups,cn=OracleContext group. If an application already defines a group with administrative privileges, then the application needs to add this group as a member of the group.

12.7.2 Oracle Delegated Administration Services Privileges

For administrators with privileges for Oracle Delegated Administration Services administration, Create, Delete, and Edit buttons are available in the Provisioning Console for performing user creation, deletion, and modification. When an administrator who only has administrative rights for Oracle Delegated Administration Services clicks one of these buttons, single-step procedures are used for performing the function. Note: Oracle Directory Integration Platform 11g Release 1 11.1.1 interoperates with and supports Oracle Delegated Administration Services release 10.1.4.3.0 and higher.