Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
Administrative rights in Oracle Delegated Administration Services vary according to the privileges delegated to each administrator. An administrator may be granted rights to manage and provision users, manage applications, or any combination of these privileges, as described in the following scenarios:
Oracle Delegated Administration Services and Provisioning Administration Privileges
Application Administration and Oracle Delegated Administration Services Privileges
Oracle Delegated Administration Services, Provisioning, and Application Administration Privileges
The following types of provisioning information are managed in Oracle Internet Directory:
Base user information
Application-specific information
User provisioning status in each provisioning-integrated application; this information is stored in the base user entry but is administered separately
Administrators and users each require the following types of privileges:
Administrators require privileges for managing base user attributes and application-specific information
Users require privileges for managing their own base attributes and application-specific information
User accounts with administrative privileges are represented by the group entry "cn=User Provisioning Admins,cn=Groups,cn=OracleContext". To let these administrators manage application-specific information, the application must grant privileges on that information to the "cn=User Provisioning Admins,cn=Groups,cn=OracleContext" group. If an application already defines its own group with administrative privileges, then the application needs to add that existing group as a member of the "cn=User Provisioning Admins,cn=Groups,cn=OracleContext" group.
Oracle Delegated Administration Services Privileges
For administrators with Oracle Delegated Administration Services administration privileges, Create, Delete, and Edit buttons are available in the Provisioning Console for creating, deleting, and modifying users. When an administrator who has only Oracle Delegated Administration Services administrative rights clicks one of these buttons, the operation is performed as a single-step procedure rather than through a wizard.
Provisioning Administration Privileges
For administrators with provisioning privileges, the Create, Delete, and Edit buttons are also available in the Provisioning Console. Unlike the single-step procedures used for administrators with only Oracle Delegated Administration Services privileges, user creation and modification are wizard-based for administrators with provisioning privileges, so that application-specific provisioning attributes can be set along with the base user attributes. User deletion uses the same single-step procedure that is available with Oracle Delegated Administration Services privileges, as described in "Oracle Delegated Administration Services Privileges".
Application Administration Privileges
For administrators with application administration privileges but neither Oracle Delegated Administration Services privileges nor provisioning privileges, the Create and Delete buttons are not available in the Provisioning Console. An Edit button is available, and it launches the same wizard that is available with provisioning administration privileges, as described in "Provisioning Administration Privileges". Because the application administrator lacks provisioning privileges, the first page of the wizard, which covers general user provisioning, is read-only; the application administrator can modify only the application provisioning attributes on the remaining wizard pages, and so cannot alter base user attributes through the wizard.
Oracle Delegated Administration Services and Provisioning Administration Privileges
Administrators with Oracle Delegated Administration Services privileges and provisioning privileges have the same rights that are available with provisioning administration privileges, as described in "Provisioning Administration Privileges".
Application Administration and Oracle Delegated Administration Services Privileges
This section explains how rights are combined when an administrator holds application administration privileges together with some, but not all, of the Oracle Delegated Administration Services user creation, editing, and deletion privileges.
For application administrators with user creation privileges in Oracle Delegated Administration Services, but not user editing or deletion privileges, the Create and Edit buttons are available in the Provisioning Console, but not the Delete button. User creation is performed with the same wizard-based procedure that is available with provisioning administration privileges, as described in "Provisioning Administration Privileges". User editing privileges are the same as those available with application administration privileges, as described in "Application Administration Privileges".
For application administrators with user editing privileges in Oracle Delegated Administration Services, but not user creation or deletion privileges, the Edit button is available in the Provisioning Console, but not the Create or Delete buttons. User editing is performed with the same wizard-based procedure that is available with provisioning administration privileges, as described in "Provisioning Administration Privileges".
For application administrators with user deletion privileges in Oracle Delegated Administration Services, but not user creation or modification privileges, the Delete and Edit buttons are available in the Provisioning Console, but not the Create button. User deletion is performed with the same single-step procedure that is available with Oracle Delegated Administration Services privileges, as described in "Oracle Delegated Administration Services Privileges". User editing is performed with the same wizard-based procedure that is available with provisioning administration privileges, as described in "Provisioning Administration Privileges".
Provisioning and Application Administration Privileges
Administrators with provisioning privileges and application administration privileges have the same rights that are available with provisioning administration privileges, as described in "Provisioning Administration Privileges".
Oracle Delegated Administration Services, Provisioning, and Application Administration Privileges
Administrators with Oracle Delegated Administration Services privileges, provisioning privileges, and application administration privileges have the same rights that are available with provisioning administration privileges, as described in "Provisioning Administration Privileges".
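The two mechanisms described above, effective membership of "cn=User Provisioning Admins,cn=Groups,cn=OracleContext" through nested group entries and the mapping from a privilege combination to the Provisioning Console buttons and procedures, as an added example in Python. This is not code from the Oracle documentation or from Oracle Internet Directory. The directory fragment, the user DNs under dc=example,dc=com, and the application groups "cn=MyApp Admins", "cn=MyApp Operators" and "cn=OtherApp Admins" are constructed for illustration; the names OracleDASCreateUser, OracleDASEditUser and OracleDASDeleteUser for the Delegated Administration Services privilege groups are assumed, since this page does not name them. The behaviour for an administrator holding only a subset of the Delegated Administration Services privileges without application privileges is an extrapolation from the full-privilege case and is marked as such in the code.

```python
from dataclasses import dataclass
from typing import Dict, List

# Group named by this section of the Oracle documentation.
UPA = "cn=User Provisioning Admins,cn=Groups,cn=OracleContext"
# DAS privilege groups: assumed names, the page itself does not list them.
DAS_CREATE = "cn=OracleDASCreateUser,cn=Groups,cn=OracleContext"
DAS_EDIT = "cn=OracleDASEditUser,cn=Groups,cn=OracleContext"
DAS_DELETE = "cn=OracleDASDeleteUser,cn=Groups,cn=OracleContext"
# Hypothetical groups defined by provisioning-integrated applications.
APP_ADMINS = "cn=MyApp Admins,cn=Groups,cn=OracleContext"
APP_OPERATORS = "cn=MyApp Operators,cn=Groups,cn=OracleContext"
OTHER_APP_ADMINS = "cn=OtherApp Admins,cn=Groups,cn=OracleContext"


def norm_dn(dn: str) -> str:
    """LDAP DNs compare case-insensitively and ignore whitespace around RDN
    separators; normalise before comparing so a member written as
    'CN=Erin, cn=Users,...' still matches 'cn=erin,cn=users,...'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def user(cn: str) -> str:
    return f"cn={cn},cn=Users,dc=example,dc=com"   # constructed user DNs


# Constructed directory fragment: group DN -> uniquemember values.
# OtherApp already had an admin group and, as the section requires, added it
# as a member of User Provisioning Admins. MyApp's admin and operator groups
# nest into each other, which is the case a naive recursive walk loops on.
DIRECTORY: Dict[str, List[str]] = {
    UPA: [user("alice"), OTHER_APP_ADMINS],
    OTHER_APP_ADMINS: [user("heidi")],
    APP_ADMINS: [APP_OPERATORS, user("bob"), user("erin"), user("frank")],
    APP_OPERATORS: [APP_ADMINS, user("grace")],          # nesting cycle
    DAS_CREATE: [user("carol"), user("dave"), user("frank")],
    DAS_EDIT: [user("dave")],
    DAS_DELETE: [user("dave"), "CN=Erin, cn=Users,dc=example,dc=com"],
}


def is_member(dn: str, group: str, directory: Dict[str, List[str]] = DIRECTORY) -> bool:
    """True if dn is a direct or nested member of group. A visited set makes
    the walk terminate even when groups nest cyclically."""
    target = norm_dn(dn)
    groups = {norm_dn(g): [norm_dn(m) for m in ms] for g, ms in directory.items()}
    visited, stack = set(), [norm_dn(group)]
    while stack:
        g = stack.pop()
        if g in visited:
            continue
        visited.add(g)
        for m in groups.get(g, []):
            if m == target:
                return True
            if m in groups:          # member is itself a group: descend
                stack.append(m)
    return False


@dataclass(frozen=True)
class Privileges:
    das_create: bool
    das_edit: bool
    das_delete: bool
    provisioning: bool   # member of cn=User Provisioning Admins
    app_admin: bool      # member of MyApp's administrative group


def privileges_for(dn: str, directory: Dict[str, List[str]] = DIRECTORY) -> Privileges:
    return Privileges(
        das_create=is_member(dn, DAS_CREATE, directory),
        das_edit=is_member(dn, DAS_EDIT, directory),
        das_delete=is_member(dn, DAS_DELETE, directory),
        provisioning=is_member(dn, UPA, directory),
        app_admin=is_member(dn, APP_ADMINS, directory),
    )


SINGLE_STEP = "single-step"
WIZARD = "wizard"
WIZARD_RO = "wizard (base user page read-only)"


def console_capabilities(p: Privileges) -> Dict[str, str]:
    """Provisioning Console buttons shown for a privilege combination and the
    procedure behind each; a missing key means the button is not shown."""
    if p.provisioning:
        # Any combination that includes provisioning privileges behaves as
        # provisioning administration: wizard create/edit, single-step delete.
        return {"create": WIZARD, "edit": WIZARD, "delete": SINGLE_STEP}
    caps: Dict[str, str] = {}
    if p.app_admin:
        # Edit is always available; the base-user page stays read-only unless
        # a DAS edit or delete privilege accompanies the application privilege.
        caps["edit"] = WIZARD if (p.das_edit or p.das_delete) else WIZARD_RO
        if p.das_create:
            caps["create"] = WIZARD
        if p.das_delete:
            caps["delete"] = SINGLE_STEP
        return caps
    # DAS privileges alone: single-step procedures. The page documents the
    # full create/edit/delete set; showing only the held subset is assumed.
    for action, held in (("create", p.das_create), ("edit", p.das_edit), ("delete", p.das_delete)):
        if held:
            caps[action] = SINGLE_STEP
    return caps


def capabilities_for(dn: str, directory: Dict[str, List[str]] = DIRECTORY) -> Dict[str, str]:
    return console_capabilities(privileges_for(dn, directory))


if __name__ == "__main__":
    for name in ("alice", "heidi", "bob", "carol", "dave", "erin", "frank", "grace"):
        print(f"{name:6s} {capabilities_for(user(name))}")
```

Two practitioner checks fall out of this model: DN comparison has to be normalised before membership is decided (erin appears in the delete group with different case and spacing and still resolves), and nested membership has to be walked with a visited set, since the MyApp admin and operator groups reference each other. The example also makes the ordering of the rules visible: provisioning membership, including membership inherited through a nested application group such as heidi's, overrides everything else, while an application administrator without it never gets write access to the base user page.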