Click Assign. The Assign page is displayed with a list of available roles.

13-14 Oracle Fusion Middleware Users Guide for Oracle Identity Manager

4. Click OK.

13.3 Organization Management Authorization

Authorization of the organization management feature is based on organization administrative roles. The following two sets of distinct permissions are required by a role to manage an organization:

■ The role must have the following data object permissions on organization entities:
– Insert: This enables the user with this role to create new organizations and manage them.
– Enable
– Disable
– Update
These permissions are not specific to a particular organization.

■ When the role is assigned as an administrative role for an organization, the following permissions are required:
– Read and View permissions are implicit by virtue of being an administrative role.
– Write
– Delete
These permissions are configured per organization.

Permission to access Oracle Identity Manager Administration from Oracle Identity Manager Self Service is governed by menu item permissions. When the user has access to Oracle Identity Manager Administration, the user is allowed to browse users, roles, and organizations. Second-level menus for edit, view, and delete actions on user and role entities are derived from the OES policies, such as create, update, and delete on user and role respectively. Similarly, second-level menus to edit, view, and delete organizations are derived from the orgadmin role and the data-object permissions on the organization entity type.

In Oracle Identity Manager 11g Release 1 (11.1.1), delegated administration permissions are managed by using Oracle Entitlements Server (OES) authorization policies. These OES policies for user management can be used to control:

■ Under which organizations you can create or modify users
■ Data constraints, which can specify that you can change users in a set of organizations with or without hierarchy

Together these capabilities provide the delegated administrative model.

To configure a delegated administrator for an organization:

1. Define a custom authorization policy to manage users and set organization constraints. Organization constraints can be hierarchy aware. See "Creating Custom Authorization Policies" on page 15-5 for information about creating custom authorization policies and setting data constraints.

2. Add the user to the role specified in the custom policy. See "Adding and Removing Roles" on page 11-41 for information about adding a user to a role.

See Also: Chapter 15, "Managing Authorization Policies" for information about OES authorization policies

3. To configure the role as organization administrator, first create a role. See "Creating Roles" on page 12-11. When you create the orgadmin role, the role detail page for this role is displayed.

4. Assign this orgadmin role data object permissions on the organization type. With this data object permission, the user with this role can create new organizations and manage them. See "Managing Administrative Roles" on page 13-11 for information about assigning create organization permission to a role.

5. Select an organization and assign the orgadmin role as administrative role for the organization. This step gives the user the ability to manage the selected organization. Manage permissions include update, enable, disable, and delete. Note that the per-organization administrative role assignment and the organization-wide data object permissions are both required: a role that holds the Update data object permission but is not an administrative role for a given organization cannot update that organization, and an administrative role without the corresponding data object permission cannot either. See "Managing Administrative Roles" on page 13-11 for information about assigning administrative roles to an organization.
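The following is an added illustrative model of the two authorization layers this section describes (organization-wide data object permissions on the organization entity, and per-organization administrative role assignments), together with an OES-style user management policy scoped by organization constraints that may or may not be hierarchy aware. It is not Oracle code and does not call the Oracle Identity Manager or OES APIs; the organization tree, role names, and policy values are constructed for the example, and the way the two layers are combined per action is this example's reading of the text above. It is useful for reasoning through a delegated administrator configuration before reproducing it in the console.

```python
"""Model of OIM 11gR1 organization-management and delegated-admin checks.

Added example (not Oracle code).  Assumptions, all constructed for illustration:
- ORG_PARENT is a sample organization hierarchy (child -> parent).
- Role.org_data_permissions are the organization-wide data object permissions.
- Role.admin_of maps an organization to the per-organization Write/Delete
  permissions granted when the role is its administrative role.
- UserPolicy models an OES user-management policy with organization constraints.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample hierarchy: child -> parent, None marks the root.
ORG_PARENT: Dict[str, Optional[str]] = {
    "Xellerate Users": None,
    "Engineering": "Xellerate Users",
    "Platform": "Engineering",
    "Sales": "Xellerate Users",
}

ORG_DATA_PERMISSIONS = {"Insert", "Enable", "Disable", "Update"}  # not org-specific
ORG_ADMIN_PERMISSIONS = {"Write", "Delete"}                       # configured per org


def descendants_or_self(org: str) -> Set[str]:
    """Return org plus every organization below it (hierarchy-aware scope)."""
    result = {org}
    changed = True
    while changed:  # iterate until no new child is reachable
        changed = False
        for child, parent in ORG_PARENT.items():
            if parent in result and child not in result:
                result.add(child)
                changed = True
    return result


@dataclass
class Role:
    name: str
    org_data_permissions: Set[str] = field(default_factory=set)
    admin_of: Dict[str, Set[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Reject permissions the model does not define, so typos fail closed.
        if self.org_data_permissions - ORG_DATA_PERMISSIONS:
            raise ValueError(f"{self.name}: unknown data object permission")
        for org, perms in self.admin_of.items():
            if org not in ORG_PARENT or perms - ORG_ADMIN_PERMISSIONS:
                raise ValueError(f"{self.name}: bad admin assignment for {org!r}")


@dataclass
class UserPolicy:
    """OES-style user management policy for one role with organization constraints."""
    role: str
    actions: Set[str]            # subset of {"create", "update", "delete"}
    organizations: Set[str]      # organization constraint
    hierarchy_aware: bool = False

    def scope(self) -> Set[str]:
        if not self.hierarchy_aware:
            return set(self.organizations)
        scope: Set[str] = set()
        for org in self.organizations:
            scope |= descendants_or_self(org)
        return scope


def can_create_org(roles: Iterable[Role]) -> bool:
    """Creating organizations needs only the organization-wide Insert permission."""
    return any("Insert" in r.org_data_permissions for r in roles)


def can_manage_org(roles: Iterable[Role], org: str, action: str) -> bool:
    """Both layers must hold on the same role: admin role of org + data permission."""
    needed_data = {"update": "Update", "enable": "Enable", "disable": "Disable"}
    action = action.lower()
    for role in roles:
        admin_perms = role.admin_of.get(org)
        if admin_perms is None:
            continue  # not an administrative role for this organization
        if action in ("read", "view"):
            return True  # implicit for any administrative role
        if action == "delete" and "Delete" in admin_perms:
            return True
        if action in needed_data and needed_data[action] in role.org_data_permissions \
                and "Write" in admin_perms:
            return True
    return False  # unknown actions and everything else fail closed


def can_manage_user(roles: Iterable[Role], policies: List[UserPolicy],
                    target_org: str, action: str) -> bool:
    """A user action is allowed if some held role has a policy covering it and the org."""
    held = {r.name for r in roles}
    return any(p.role in held and action in p.actions and target_org in p.scope()
               for p in policies)


# Constructed sample roles and policy mirroring steps 1 to 5 of the procedure above.
ORG_ADMIN_ENG = Role("OrgAdmin-Engineering", {"Insert", "Update", "Enable", "Disable"},
                     {"Engineering": {"Write", "Delete"}})
SALES_VIEWER = Role("Sales-Viewer", set(), {"Sales": set()})      # admin role, no Write
HELP_DESK = Role("Help-Desk", {"Update"}, {})                      # data perm, no admin org
POLICIES = [UserPolicy("OrgAdmin-Engineering", {"create", "update"},
                       {"Engineering"}, hierarchy_aware=True)]

if __name__ == "__main__":
    for org in ("Engineering", "Platform", "Sales"):
        print(org, "update org:", can_manage_org([ORG_ADMIN_ENG], org, "update"),
              "update user:", can_manage_user([ORG_ADMIN_ENG], POLICIES, org, "update"))
```

The sample shows the difference between the two mechanisms: the administrative role assignment does not descend the hierarchy, so the Engineering orgadmin cannot update the Platform organization, while a hierarchy-aware OES user policy constrained to Engineering does let the same administrator update users in Platform. A role that has only one of the two layers (Help-Desk, Sales-Viewer) cannot update any organization.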