This graphic shows the flow of authority from role to role when users delegate authority.

  1. The Oracle Internet Directory Superuser (cn=orcladmin) creates an Oracle Context, a Realm, and a Realm Oracle Context. The Oracle Internet Directory Superuser then creates a Realm Administrator.

  2. The Realm Administrator (cn=orcladmin, cn=users, <Enterprise DN>) delegates Oracle Context Administration to Oracle Context Administrators.

  3. The Oracle Context Administrators delegate Application Server administration to Oracle Application Server Administrators.

  4. The Oracle Application Server Administrators install components and manage component security and configuration. There can be a separate administrator for each component. The Oracle Application Server Administrators delegate user and group administration to User and Group Administrators.

  5. The User and Group Administrators create users and groups. These administrators can also grant user and group administrator privileges to other users.