Managing Users 11-49 Only those attributes configured as part of the modify operation in user management configuration are displayed as fields in the Bulk Modify page. The attributes displayed are restricted to those defined in the user entity definition with the Support Bulk Update property set to Yes. The attributes are further filtered based on authorization policies that specify the attributes for the selected users that you have privileges to modify. The permissions are based on authorization policy. For instance, if the authorization policy mentions that you can modify only the first name for one user and only the last name for another user, based on the users selected, it is possible that you select these names and the attributes to display on the page, results in no fields being allowed. As a result, the Bulk Modify page displays an error message stating that the attributes of the selected users cannot be modified in bulk, and the user selection must be changed.

11.4 User Management Authorization

Run-time security is enforced in the user management service through authorization policies. Each role in Oracle Identity Manager can be associated with one or more such authorization policies. Users that are members of a role are authorized to perform various user tasks based on the privileges granted to the role by its associated authorization policies. Because a user may have many roles, the privileges of a user are the cumulative privileges of his collective roles. The access controls are implemented in the form of authorization policies that are managed by the Oracle Entitlements Server OES. These policies define the controls in terms of roles and targets. The target is a combination of privilege, entity, and entity attribute. If a user has multiple roles that have different authorization policies applicable in the same context, then the users access rights are the cumulative rights across those Table 11–6 Fields in the Bulk Modify Page Section Field Description Basic User Information Design Console Access Design Console Access check box that indicates whether or not the users can login to the Design Console. Manager The reporting manager of the selected users. Organization The organization to which the selected users belong. User Type The type of selected employees, such as full-time employee, intern, contractor, part-time employee, consultant, or temporary. Account Effective Dates Start Date The date when the selected users will be activated in the system. End Date The date when the selected users will be deactivated in the system. Provisioning Dates Provisioning Date The date when the users are provisioned. Deprovisioning Date The date when the users are provisioned. See Also: Chapter 15, Managing Authorization Policies for detailed information about authorization policies in Oracle Identity Manager