Default Authorization Policies for the Admin Roles in OIM 11g

Default Authorization Policies

Each entry below gives the admin role in Oracle Identity Manager, the application role in OES that the admin role maps to, the OES policy name, what the policy controls, and the obligations the policy returns with its decision. The obligations fall into a few families: the scoping obligations (OrclOIMOrgScopingDirect, OrclOIMOrgScopingWithHierarchy, OrclOIMUserHomeOrgs, OrclOIMUserManagementScoping) limit a decision to the organizations in which the role is granted, either those organizations only (Direct) or those organizations and their sub-organizations (WithHierarchy), to the user's home organization, or to the user's management chain; OrclOIMNeedApproval tells the request engine whether the action is performed directly or routed through a request that requires approval; the OrclOIMDeniedAttributes* obligations list user attributes excluded from the permission (an empty value means no attribute is excluded); and OrclOIMAllowOnlyIfLockedByFailLoginAttempts restricts an unlock to accounts locked by failed login attempts. When reviewing a customized policy store, compare each policy's obligations with the defaults listed here: a policy whose OrclOIMNeedApproval has changed to false, or whose denied-attribute list has been emptied, widens what the role can do without approval.

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Role Category View Policy
Description: This policy controls whether authenticated users can view role categories.
Obligations: none

Admin Role: Role Administrator
OES Application Role: OIM Role Administrator
Policy: OIM RoleCategory RoleAdmin Policy
Description: This policy controls the creation, modification, and deletion of role categories by the Role Administrator admin role.
Obligations: none

Admin Role: Catalog Administrator
OES Application Role: OIM Catalog Administrator Role
Policy: Catalog Administration Policy
Description: Catalog Administrator is a global admin role. Catalog Administrators are responsible for managing catalog items and their metadata. This policy specifies the actions that a member of the role can take.
Obligations: none

Admin Role: Organization Administrator
OES Application Role: OIM Organization Administrator
Policy: Organization Administration Policy
Description: This policy specifies the actions that an Organization Administrator can perform. This policy can also be configured to require an approval.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMOrganizationAdminOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMOrganizationAdminOrgsDirect

Admin Role: Organization Administrator
OES Application Role: OIM Organization Administrator
Policy: OIM OrgAdministrator Basic Info Application Instance Direct Policy
Description: This policy specifies the direct view and search permissions on application instances by Organization Administrators.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMOrganizationAdminOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMOrganizationAdminOrgsWithHierarchy

Admin Role: Organization Administrator
OES Application Role: OIM Organization Administrator
Policy: OIM OrgAdministrator Basic Info IT Resource Entitlement Direct Policy
Description: This policy specifies the direct view and search permissions on entitlements by Organization Administrators.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMOrganizationAdminOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMOrganizationAdminOrgsDirect

Admin Role: Organization Administrator
OES Application Role: OIM Organization Administrator
Policy: OIM OrgAdministrator Basic Info Role Direct Policy
Description: This policy specifies the direct view and search permissions on roles by Organization Administrators.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMOrganizationAdminOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMOrganizationAdminOrgsDirect

Admin Role: Organization Administrator
OES Application Role: OIM Organization Administrator
Policy: OIM OrgAdministrator Basic Info User Direct WithAttributes Policy
Description: This policy specifies the direct view and search permissions on users and user attributes by Organization Administrators.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMOrganizationAdminOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMOrganizationAdminOrgsWithHierarchy
  OrclOIMDeniedAttributesDirect=

Admin Role: Organization Viewer
OES Application Role: OIM Organization Viewer
Policy: Organization Viewer Policy for View Actions
Description: Organization Viewer is an organization-scoped admin role. This policy specifies the actions that members of this role can take without approval. By default, the policy specifies that no view action requires approval.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMOrganizationViewerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMOrganizationViewerOrgsWithHierarchy

Admin Role: Organization Viewer
OES Application Role: OIM Organization Viewer
Policy: OIM OrgViewer Basic Info Application Instance Direct Policy
Description: This policy specifies the direct view and search permissions on application instances by Organization Viewers.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMOrganizationViewerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMOrganizationViewerOrgsWithHierarchy

Admin Role: Organization Viewer
OES Application Role: OIM Organization Viewer
Policy: OIM OrgViewer Basic Info IT Resource Entitlement Direct Policy
Description: This policy specifies the direct view and search permissions on entitlements by Organization Viewers.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMOrganizationViewerOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMOrganizationViewerOrgsDirect

Admin Role: Organization Viewer
OES Application Role: OIM Organization Viewer
Policy: OIM OrgViewer Basic Info Role Direct Policy
Description: This policy specifies the direct view and search permissions on roles by Organization Viewers.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMOrganizationViewerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMOrganizationViewerOrgsWithHierarchy

Admin Role: Organization Viewer
OES Application Role: OIM Organization Viewer
Policy: OIM OrgViewer Basic Info User Direct WithAttributes Policy
Description: This policy specifies the direct view and search permissions on users and user attributes by Organization Viewers.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMOrganizationViewerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMOrganizationViewerOrgsWithHierarchy
  OrclOIMDeniedAttributesDirect=

Admin Role: Application Instance Administrator
OES Application Role: OIM Application Instance Administrator Role
Policy: Application Instance Administrator Policy
Description: The Application Instance Administrator admin role is an organization-scoped role. This policy controls the actions that members of the role can perform and whether or not the actions require approval.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceAdminOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceAdminOrgsWithHierarchy

Admin Role: Application Instance Administrator
OES Application Role: OIM Application Instance Administrator Role
Policy: OIM ApplicationInstanceAdministrator Basic Info User Direct WithAttributes Policy
Description: This policy specifies the direct view and search permissions on users and user attributes by Application Instance Administrators.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceAdminOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceAdminOrgsDirect
  OrclOIMDeniedAttributesDirect=

Admin Role: Application Instance Administrator
OES Application Role: OIM Application Instance Administrator Role
Policy: OIM ApplicationInstanceAdministrator Basic Info Organization Direct Policy
Description: This policy specifies the direct view and search permissions on organizations by Application Instance Administrators.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceAdminOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceAdminOrgsWithHierarchy

Admin Role: Application Instance Authorizer
OES Application Role: OIM Application Instance Authorizer Role
Policy: Application Instance Authorizer Policy
Description: An Application Instance Authorizer is an admin role in Oracle Identity Manager. Application Instance Authorizers can grant, revoke, and modify application instances for user accounts without approval. This policy controls whether or not an Application Instance Authorizer can view and search application instances and application instance attributes.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceAuthorizerOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceAuthorizerOrgsDirect

Admin Role: Application Instance Authorizer
OES Application Role: OIM Application Instance Authorizer Role
Policy: Application Instance Authorizer Policy
Description: Application Instance Authorizers can grant, revoke, and modify application instances for user accounts without approval. This policy controls whether or not an Application Instance Authorizer can view and search application instances and application instance attributes.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceAuthorizerOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceAuthorizerOrgsDirect
  OrclOIMNeedApproval=false

Admin Role: Application Instance Authorizer
OES Application Role: OIM Application Instance Authorizer Role
Policy: OIM ApplicationInstanceAuthorizer Basic Info User Direct WithAttributes Policy
Description: This policy specifies the direct view and search permissions on users and user attributes by Application Instance Authorizers.
Obligations:
  OrclOIMDeniedAttributesDirect=
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceAuthorizerOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceAuthorizerOrgsDirect

Admin Role: Application Instance Authorizer
OES Application Role: OIM Application Instance Authorizer Role
Policy: OIM ApplicationInstanceAuthorizer Basic Info Organization Direct Policy
Description: This policy specifies the direct view and search permissions on organizations by Application Instance Authorizers.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceAuthorizerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceAuthorizerOrgsWithHierarchy

Admin Role: Application Instance Viewer
OES Application Role: OIM Application Instance Viewer Role
Policy: OIM Application Instance Viewer Direct Policy
Description: This policy specifies the operations that Application Instance Viewers can perform directly.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceViewerOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceViewerOrgsDirect

Admin Role: Application Instance Viewer
OES Application Role: OIM Application Instance Viewer Role
Policy: Application Instance Viewer Policy for Request actions
Description: The Application Instance Viewer admin role is an organization-scoped role. This policy controls the actions that members of the role can perform and whether or not the actions require approval.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceViewerOrgsDirect
  OrclOIMNeedApproval=true
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceViewerOrgsWithHierarchy

Admin Role: Application Instance Viewer
OES Application Role: OIM Application Instance Viewer Role
Policy: OIM ApplicationInstanceViewer Basic Info IT Resource Entitlement Direct Policy
Description: This policy specifies the direct view and search permissions on entitlements by Application Instance Viewers.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceViewerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceViewerOrgsWithHierarchy

Admin Role: Application Instance Viewer
OES Application Role: OIM Application Instance Viewer Role
Policy: OIM ApplicationInstanceViewer Basic Info User Direct WithAttributes Policy
Description: This policy specifies the direct view and search permissions on users and user attributes by Application Instance Viewers.
Obligations:
  OrclOIMDeniedAttributesDirect=
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceViewerOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceViewerOrgsDirect

Admin Role: Application Instance Viewer
OES Application Role: OIM Application Instance Viewer Role
Policy: OIM ApplicationInstanceViewer Basic Info Organization Direct Policy
Description: This policy specifies the direct view and search permissions on organizations by Application Instance Viewers.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMApplicationInstanceViewerOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMApplicationInstanceViewerOrgsDirect

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Home Org Policy for Application Instances
Description: This policy allows a user to implicitly view the application instances and application instance attributes that have been published to the user's home organization.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Application Instance Policy for Home Org
Description: This policy controls the actions that a user can take on accounts in the user's home organization and whether these actions require approval. By default, actions by non-User Administrators on accounts in the same home organization require approval.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs
  OrclOIMNeedApproval=true

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: Password Policy Management Policy
Description: This policy controls the password policy management actions that members of the System Administrator or System Configuration Administrator admin roles can take.
Obligations: none

Admin Role: Organization Administrator
OES Application Role: OIM Organization Administrator
Policy: OIM Password Policy OrgAdmin ViewSearch Policy
Description: This policy specifies the view and search permissions on password policies by Organization Administrators.
Obligations: none

Admin Role: Entitlement Administrator
OES Application Role: OIM Entitlement Administrator
Policy: Entitlement Administrator Policy for entitlement management actions
Description: An Entitlement Administrator is an organization-scoped admin role in Oracle Identity Manager. This policy controls the actions a member of this role can perform without requiring approval.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMEntitlementAdminOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementAdminOrgsWithHierarchy

Admin Role: Entitlement Administrator
OES Application Role: OIM Entitlement Administrator
Policy: OIM EntitlementAdministrator Basic Info Application Instance Direct Policy
Description: This policy specifies the direct view and search permissions on application instances by Entitlement Administrators.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementAdminOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMEntitlementAdminOrgsDirect

Admin Role: Entitlement Administrator
OES Application Role: OIM Entitlement Administrator
Policy: OIM EntitlementAdministrator Basic Info User Direct WithAttributes Policy
Description: This policy specifies the direct view and search permissions on users and user attributes by Entitlement Administrators.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementAdminOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMEntitlementAdminOrgsDirect
  OrclOIMDeniedAttributesDirect=

Admin Role: Entitlement Administrator
OES Application Role: OIM Entitlement Administrator
Policy: OIM EntitlementAdministrator Basic Info Organization Direct Policy
Description: This policy specifies the direct view and search permissions on organizations by Entitlement Administrators.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementAdminOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMEntitlementAdminOrgsDirect

Admin Role: Entitlement Authorizer
OES Application Role: OIM Entitlement Authorizer
Policy: Entitlement Authorizer Policy for View Actions
Description: An Entitlement Authorizer is an admin role in Oracle Identity Manager. Entitlement Authorizers can grant, revoke, and modify entitlements for user accounts without approval. This policy controls whether an Entitlement Authorizer can view and search entitlements and entitlement attributes.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementAuthorizerOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMEntitlementAuthorizerOrgsDirect

Admin Role: Entitlement Authorizer
OES Application Role: OIM Entitlement Authorizer
Policy: Entitlement Authorizer Policy for Request Actions
Description: Entitlement Authorizers can grant, revoke, and modify entitlements for user accounts without approval. This policy controls the actions that can be performed by an Entitlement Authorizer as part of a request. The request engine uses this policy to determine whether a particular action taken by the Entitlement Authorizer is direct or goes through a request.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMEntitlementAuthorizerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementAuthorizerOrgsWithHierarchy
  OrclOIMNeedApproval=false

Admin Role: Entitlement Authorizer
OES Application Role: OIM Entitlement Authorizer
Policy: OIM EntitlementAuthorizer Basic Info Application Instance Direct Policy
Description: This policy specifies the direct view and search permissions on application instances by Entitlement Authorizers.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMEntitlementAuthorizerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementAuthorizerOrgsWithHierarchy

Admin Role: Entitlement Authorizer
OES Application Role: OIM Entitlement Authorizer
Policy: OIM EntitlementAuthorizer Basic Info User Direct WithAttributes Policy
Description: This policy specifies the direct view and search permissions on users and user attributes by Entitlement Authorizers.
Obligations:
  OrclOIMDeniedAttributesDirect=
  OrclOIMOrgScopingDirect=OrclOIMEntitlementAuthorizerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementAuthorizerOrgsWithHierarchy

Admin Role: Entitlement Authorizer
OES Application Role: OIM Entitlement Authorizer
Policy: OIM EntitlementAuthorizer Basic Info Organization Direct Policy
Description: This policy specifies the direct view and search permissions on organizations by Entitlement Authorizers.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMEntitlementAuthorizerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementAuthorizerOrgsWithHierarchy

Admin Role: Entitlement Viewer
OES Application Role: OIM Entitlement Viewer
Policy: Entitlement Viewer Policy for View Actions
Description: An Entitlement Viewer is an organization-scoped admin role in Oracle Identity Manager. This policy specifies whether an Entitlement Viewer can search for entitlements and view their attributes without approval. By default, no approval is required.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMEntitlementViewerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementViewerOrgsWithHierarchy

Admin Role: Entitlement Viewer
OES Application Role: OIM Entitlement Viewer
Policy: OIM Entitlement Viewer Policy for Request Actions
Description: This policy is an organization-scoped policy that allows members of the role to request the granting, revoking, and modifying of entitlements that are published to their organizations. An entitlement grant or revoke by an Entitlement Viewer results in a request.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementViewerOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMEntitlementViewerOrgsDirect
  OrclOIMNeedApproval=true

Admin Role: Entitlement Viewer
OES Application Role: OIM Entitlement Viewer
Policy: OIM EntitlementViewer Basic Info Application Instance Direct Policy
Description: This policy specifies the direct view and search permissions on application instances by Entitlement Viewers.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMEntitlementViewerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementViewerOrgsWithHierarchy

Admin Role: Entitlement Viewer
OES Application Role: OIM Entitlement Viewer
Policy: OIM EntitlementViewer Basic Info User Direct WithAttributes Policy
Description: This policy specifies the direct view and search permissions on users and user attributes by Entitlement Viewers.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementViewerOrgsWithHierarchy
  OrclOIMDeniedAttributesDirect=
  OrclOIMOrgScopingDirect=OrclOIMEntitlementViewerOrgsDirect

Admin Role: Entitlement Viewer
OES Application Role: OIM Entitlement Viewer
Policy: OIM EntitlementViewer Basic Info Organization Direct Policy
Description: This policy specifies the direct view and search permissions on organizations by Entitlement Viewers.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMEntitlementViewerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMEntitlementViewerOrgsWithHierarchy

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Home Org Policy for viewing Entitlements
Description: This policy allows a user to implicitly view the entitlements and entitlement attributes that have been published to the user's home organization.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: HomeOrg Policy for actions on Entitlements
Description: This policy specifies the actions that a user can take on the entitlements provisioned to another user in the same home organization, and whether these actions require approval. By default, approval is required.
Obligations:
  OrclOIMNeedApproval=true
  OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs

Admin Role: Catalog Administrator
OES Application Role: OIM Catalog Administrator Role
Policy: Request Profile Management Policy
Description: This policy controls the actions that a member of the Catalog Administrator role can perform while managing request profiles.
Obligations: none

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: OIM Request Profile All User ViewSearch Policy
Description: This policy controls the view and search permissions on request profiles by all authenticated users.
Obligations: none

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: OIM Approval Policy Administrator Policy
Description: This policy controls the permissions for approval policy administration by the System Configuration Administrator.
Obligations: none

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: Diagnostic Dashboard Administrator Policy
Description: The Diagnostic Dashboard is a diagnostic utility for Oracle Identity Manager. This policy specifies who can access the Diagnostic Dashboard and what actions they can perform.
Obligations: none

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: OIM resource object administration Policy
Description: This policy controls the permissions for resource object administration by System Configuration Administrators.
Obligations: none

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: Notification Administrator Policy
Description: This policy specifies the actions that a notification administrator can perform.
Obligations: none

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: OIM Platform Service Administrator Policy
Description: This policy specifies the actions that a platform service administrator can perform.
Obligations: none

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: Plugin Administrator Policy
Description: This policy controls who can register and unregister plug-ins. By default, only members of the System Administrator and System Configuration Administrator admin roles can register and unregister plug-ins.
Obligations: none

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: System Configurator Policy for System Admin Console
Description: This policy controls whether members of the System Configuration Administrator admin role can access Oracle Identity System Administration.
Obligations: none

Admin Role: Application Instance Administrator
OES Application Role: OIM Application Instance Administrator
Policy: OIM UI App Instance Administrator Policy
Description: This policy specifies the actions that an Application Instance Administrator can perform in the UI.
Obligations: none

Admin Role: Entitlement Administrator
OES Application Role: OIM Entitlement Administrator
Policy: OIM UI Entitlement Administrator Policy
Description: This policy specifies the actions that an Entitlement Administrator can perform in the UI.
Obligations: none

Admin Role: Application Instance Administrator; System Configuration Administrator
OES Application Role: OIM Application Instance Administrator; OIM System Configurator
Policy: Request Dataset Policy
Description: This policy is used to control the actions that members of the System Configuration Administrator role can perform on request datasets.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMSystemConfiguratorOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMSystemConfiguratorOrgsWithHierarchy

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: Reconciliation Administrator Policy
Description: A Reconciliation Administrator can perform actions on reconciliation events. This policy controls what actions a Reconciliation Administrator can perform.
Obligations: none

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: OIM Scheduler Administrator Policy
Description: A Scheduler Administrator can perform actions on scheduled tasks. This policy controls what actions a Scheduler Administrator can perform.
Obligations: none

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: System Properties Administration Policy
Description: This policy specifies the actions involved in managing the Oracle Identity Manager system properties and determines who can perform them. By default, only System Configuration Administrators can manage the system properties.
Obligations: none

Admin Role: System Configuration Administrator
OES Application Role: OIM System Configurator
Policy: OIM User Management Configuration Administrator Policy
Description: This policy controls what user configuration capabilities are available to a member of the System Configuration Administrator role.
Obligations: none

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Home Org Policy for Organizations
Description: This policy allows a user to implicitly view the application instances, accounts, entitlements and entitlement attributes, and users that have been published to the user's home organization.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs
  OrclOIMNeedApproval=true

Admin Role: User Administrator
OES Application Role: OIM User Admin
Policy: User Admin Policy for user modification
Description: User Administrator is an organization-scoped admin role. Members of this role manage users, and their actions do not require approval. This policy specifies whether User Administrators can modify user attributes, which attributes they cannot modify, and whether a modification requires approval. By default, members of this role can modify all user attributes, and their actions do not require approval.
Obligations:
  OrclOIMDeniedAttributesWithoutApproval=
  OrclOIMNeedApproval=false
  OrclOIMOrgScopingDirect=OrclOIMUserAdminOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserAdminOrgsWithHierarchy

Admin Role: User Administrator
OES Application Role: OIM User Admin
Policy: User Administrator Policy for Admin Actions
Description: User Administrator is an organization-scoped admin role. Members of this role can perform actions on users within their organizations' scope without approval. This policy covers all actions other than view actions. It returns an obligation indicating that approval is not required for the enabled actions.
Obligations:
  OrclOIMNeedApproval=false
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserAdminOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMUserAdminOrgsDirect

Admin Role: User Administrator
OES Application Role: OIM User Admin
Policy: OIM User Admin Policy direct with attributes
Description: This policy controls the direct actions that User Administrators can perform on users and user attributes.
Obligations:
  OrclOIMDeniedAttributesDirect=
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserAdminOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMUserAdminOrgsDirect

Admin Role: User Administrator
OES Application Role: OIM User Admin
Policy: User Admin Policy for non-requestable actions
Description: User Administrator is an organization-scoped admin role. Members of this role manage users, and their actions do not require approval. This policy specifies the actions a member of the role can perform on a user that do not require approval.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserAdminOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserAdminOrgsWithHierarchy

Admin Role: User Help Desk
OES Application Role: OIM User Password Admin
Policy: Help Desk Policy for managing user status
Description: This policy controls the actions that members of the User Help Desk admin role can take as part of managing a user's account status, and whether those actions require approval. By default, members of the role can enable or disable a user's status without approval. Note that this default behavior and the OrclOIMNeedApproval obligation listed for the policy do not agree; check the effective obligation in your policy store before relying on either.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserHelpDeskOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMUserHelpDeskOrgsDirect
  OrclOIMNeedApproval=true

Admin Role: User Help Desk
OES Application Role: OIM User Password Admin
Policy: OIM User HelpDesk Policy for modify user accounts
Description: This policy controls the actions that a member of the User Help Desk admin role can take as part of modifying a user's account.
Obligations:
  OrclOIMNeedApproval=false
  OrclOIMOrgScopingDirect=OrclOIMUserHelpDeskOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserHelpDeskOrgsWithHierarchy

Admin Role: User Help Desk
OES Application Role: OIM User Password Admin
Policy: Help Desk Admin Policy for User search
Description: User Help Desk is an organization-scoped admin role. Members of this role can search for users, modify user profiles, and change user passwords. This policy specifies whether members of the role can search for users and which user attributes they can view. By default, members of this admin role can see all user attributes.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserHelpDeskOrgsDirect
  OrclOIMDeniedAttributesDirect=
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserHelpDeskOrgsWithHierarchy

Admin Role: User Help Desk
OES Application Role: OIM User Password Admin
Policy: Help Desk User Policy for Password Management
Description: Members of the User Help Desk admin role can search for users, modify user profiles, and change user passwords. This policy specifies whether members of the role can manage user passwords, lock and unlock accounts, and view requests raised by users.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserHelpDeskOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserHelpDeskOrgsWithHierarchy

Admin Role: User Help Desk
OES Application Role: OIM User Password Admin
Policy: OIM User HelpDesk UnLockUser Policy direct
Description: This policy determines whether the User Help Desk can directly unlock a user account. With the default obligation, only accounts locked by failed login attempts can be unlocked this way.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserHelpDeskOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMUserHelpDeskOrgsDirect
  OrclOIMAllowOnlyIfLockedByFailLoginAttempts=true

Admin Role: User Help Desk
OES Application Role: OIM User Password Admin
Policy: OIM HelpDesk Basic Info Application Instance Direct Policy
Description: This policy specifies the direct view and search permissions on application instances by members of the User Help Desk admin role.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserHelpDeskOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserHelpDeskOrgsWithHierarchy

Admin Role: User Help Desk
OES Application Role: OIM User Password Admin
Policy: OIM HelpDesk Basic Info IT Resource Entitlement Direct Policy
Description: This policy specifies the direct view and search permissions on IT resource entitlements by members of the User Help Desk admin role.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserHelpDeskOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMUserHelpDeskOrgsDirect

Admin Role: User Help Desk
OES Application Role: OIM User Password Admin
Policy: OIM HelpDesk Basic Info Role Direct Policy
Description: This policy specifies the direct view and search permissions on roles by members of the User Help Desk admin role.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserHelpDeskOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMUserHelpDeskOrgsDirect

Admin Role: User Help Desk
OES Application Role: OIM User Password Admin
Policy: OIM HelpDesk Basic Info Organization Direct Policy
Description: This policy specifies the direct view and search permissions on organizations by members of the User Help Desk admin role.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserHelpDeskOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMUserHelpDeskOrgsDirect

Admin Role: User Viewer
OES Application Role: OIM User Viewer
Policy: User Viewer Policy for Request Actions
Description: User Viewer is an organization-scoped admin role. This policy controls whether a member of the admin role can modify a user's profile and whether the action requires approval. By default, user modification requests submitted by members of the User Viewer role require approval.
Obligations:
  OrclOIMNeedApproval=true
  OrclOIMDeniedAttributesWithApproval=
  OrclOIMOrgScopingDirect=OrclOIMUserViewerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserViewerOrgsWithHierarchy

Admin Role: User Viewer
OES Application Role: OIM User Viewer
Policy: User Viewer Policy for User management
Description: This policy controls what actions can be performed by a member of the User Viewer role, and whether or not those actions require approval.
Obligations:
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserViewerOrgsWithHierarchy
  OrclOIMOrgScopingDirect=OrclOIMUserViewerOrgsDirect
  OrclOIMNeedApproval=true

Admin Role: User Viewer
OES Application Role: OIM User Viewer
Policy: Default User Viewer Policy
Description: This policy controls which users, user attributes, and user grants a member of the User Viewer admin role can search for and view.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserViewerOrgsDirect
  OrclOIMDeniedAttributesDirect=
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserViewerOrgsWithHierarchy

Admin Role: User Viewer
OES Application Role: OIM User Viewer
Policy: User Viewer Policy
Description: This policy controls the attributes and the relationships of a user that a member of the User Viewer admin role can view.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserViewerOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMUserViewerOrgsWithHierarchy

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Management Chain Policy for user modification
Description: This policy specifies whether a user can modify another user in the user's management chain and whether the action requires approval. The policy also specifies which user attributes do not require approval. By default, modification of any user attribute other than the password requires approval.
Obligations:
  OrclOIMUserManagementScoping=OrclOIMUserId
  OrclOIMNeedApproval=true
  OrclOIMDeniedAttributesWithApproval=

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Management Chain Policy for actions on users
Description: This policy controls what actions a user can perform on other users in their management chain and whether those actions require approval. By default, approval is required.
Obligations:
  OrclOIMNeedApproval=true
  OrclOIMUserManagementScoping=OrclOIMUserId

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Management Chain Policy for User search
Description: This policy allows users to search for other users in their management chain and view the allowed attributes. By default, users can view all attributes of other users in their management chain.
Obligations:
  OrclOIMDeniedAttributesDirect=
  OrclOIMUserManagementScoping=OrclOIMUserId

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Management Chain Policy for Admin Role actions
Description: This policy controls the actions that a user can take on admin roles granted to other users in their management chain.
Obligations:
  OrclOIMUserManagementScoping=OrclOIMUserId

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Home Organization Approval Policy
Description: A home organization is the default organization that a user belongs to. This policy controls what actions a user can take in the user's home organization, and the request engine uses it to determine whether the action requires approval.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs
  OrclOIMNeedApproval=true

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Home Organization Approval with Attributes Policy
Description: This policy controls what actions a user can take in the user's home organization, and the request engine uses it to determine whether the action requires approval. The default obligation excludes the password attribute.
Obligations:
  OrclOIMDeniedAttributesWithApproval=USR_PASSWORD
  OrclOIMNeedApproval=true
  OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Home Org Policy for User attributes
Description: This policy controls the user attributes that are not visible to users when searching for and viewing the user profiles of other users in the same home organization. By default, users can view all attributes.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs
  OrclOIMDeniedAttributesDirect=

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Home Org Policy for viewing user access
Description: This policy controls the actions that a user can take while viewing the access of another user in the same home organization.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: Policy for modification of self user profile
Description: This policy specifies the user attributes that a user can modify in the user's own profile, and whether the modification needs approval. By default, a user can modify any attribute in the user's own profile, and the modification requires approval.
Obligations:
  OrclOIMNeedApproval=true
  OrclOIMDeniedAttributesWithApproval=

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: User Self Service Policy for Request Actions
Description: This policy controls the actions authenticated users can take in Identity Self Service, and whether or not approvals are required.
Obligations:
  OrclOIMNeedApproval=true

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: User attribute view Policy for self
Description: This policy specifies whether an authenticated user can view the user's own attributes, and which attributes cannot be viewed. By default, all user attributes can be viewed.
Obligations:
  OrclOIMDeniedAttributesDirect=

Admin Role: Authenticated Role
OES Application Role: authenticated-role
Policy: User Self Service Policy for view actions
Description: This policy specifies the actions that a user can take on the user's own profile that do not initiate a request.
Obligations: none

Admin Role: SPML Admin
OES Application Role: OIM SPML Admin
Policy: SPML Admin Policy for User updates
Description: SPML Admin is a global admin role. This admin role is used by the SPML web service to carry out user management operations. This policy specifies whether members of the role can modify users and whether the action requires approval. By default, user modification by members of the role requires approval.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMSPMLAdminOrgsDirect
  OrclOIMNeedApproval=true
  OrclOIMDeniedAttributesWithApproval=
  OrclOIMOrgScopingWithHierarchy=OrclOIMSPMLAdminOrgsWithHierarchy

Admin Role: SPML Admin
OES Application Role: OIM SPML Admin
Policy: SPML Admin Policy for actions on Users
Description: This policy controls the actions that a member of the SPML Admin role can take while managing users and whether approval is required. By default, user management actions performed by members of this role require approval.
Obligations:
  OrclOIMOrgScopingDirect=OrclOIMSPMLAdminOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMSPMLAdminOrgsWithHierarchy
  OrclOIMNeedApproval=true

Admin Role: SPML Admin
OES Application Role: OIM SPML Admin
Policy: SPML Administrator Policy
Description: This policy specifies the actions that the SPML Admin can take on users.
Obligations:
  OrclOIMDeniedAttributesDirect=
  OrclOIMOrgScopingDirect=OrclOIMSPMLAdminOrgsDirect
  OrclOIMOrgScopingWithHierarchy=OrclOIMSPMLAdminOrgsWithHierarchy

SPML Admin OIM SPML Admin SPML Admin Policy for role membership actions This policy controls the role membership actions that a member of the SPML Admin role can perform and whether the actions require approval. By default, the actions require approval. OrclOIMOrgScopingWithHierarchy=OrclOIMSPMLAdminOrgsWithHierarchy

OrclOIMOrgScopingDirect=OrclOIMSPMLAdminOrgsDirect

OrclOIMNeedApproval=true

SPML Admin OIM SPML Admin OIM Role SPML Admin Policy direct with attributes This policy specifies the actions that the SPML Admin can directly take on roles and role attributes.
Role Authorizer OIM Role Authorizer Role Authorizer Policy for View actions The Role Authorizer admin role is an organization-scoped role. This policy controls the actions a Role Authorizer can perform without requiring approval. Actions, such as viewing role memberships and searching for roles, do not require approval. Searching for roles that are organization-scoped and viewing role members do not require approval. OrclOIMOrgScopingDirect=OrclOIMRoleAuthorizerOrgsDirect

OrclOIMOrgScopingWithHierarchy=OrclOIMRoleAuthorizerOrgsWithHierarchy

Role Authorizer OIM Role Authorizer Role Authorizer Policy for Request actions This policy controls the actions a Role Authorizer can perform that require approval. By default, granting and revoking of role membership by a member of this role does not require approval. OrclOIMNeedApproval=false

OrclOIMOrgScopingDirect=OrclOIMRoleAuthorizerOrgsDirect

OrclOIMOrgScopingWithHierarchy=OrclOIMRoleAuthorizerOrgsWithHierarchy

Role Authorizer OIM Role Authorizer OIM RoleAuthorizer Basic Info Organization Direct Policy This policy specifies the direct view and search permissions on organizations by Role Authorizers. OrclOIMOrgScopingWithHierarchy=OrclOIMRoleAuthorizerOrgsWithHierarchy

OrclOIMOrgScopingDirect=OrclOIMRoleAuthorizerOrgsDirect

Role Authorizer OIM Role Authorizer OIM RoleAuthorizer Basic Info User Direct WithAttributes Policy This policy specifies the direct view and search permissions on users and user attributes by Role Authorizers. OrclOIMOrgScopingDirect=OrclOIMRoleAuthorizerOrgsDirect

OrclOIMDeniedAttributesDirect=

OrclOIMOrgScopingWithHierarchy=OrclOIMRoleAuthorizerOrgsWithHierarchy

Role Viewer OIM Role Viewer Role Viewer Policy A Role Viewer is an admin role in Oracle Identity Manager. This policy controls what actions a member of the role can perform. By default, this policy allows a member of this admin role to search for and view roles. OrclOIMOrgScopingDirect=OrclOIMRoleViewerOrgsDirect

OrclOIMOrgScopingWithHierarchy=OrclOIMRoleViewerOrgsWithHierarchy

Role Viewer OIM Role Viewer Role Viewer Policy for Role Membership This policy controls the actions that a role viewer can perform and whether those actions require approval. By default, approval is required. OrclOIMOrgScopingDirect=OrclOIMRoleViewerOrgsDirect

OrclOIMNeedApproval=true

OrclOIMOrgScopingWithHierarchy=OrclOIMRoleViewerOrgsWithHierarchy

Role Viewer OIM Role Viewer OIM RoleViewer Basic Info Organization Direct Policy This policy specifies the direct view and search permissions on organizations by Role Viewers. OrclOIMOrgScopingDirect=OrclOIMRoleViewerOrgsDirect

OrclOIMOrgScopingWithHierarchy=OrclOIMRoleViewerOrgsWithHierarchy

Role Viewer OIM Role Viewer OIM RoleViewer Basic Info User Direct WithAttributes Policy This policy specifies the direct view and search permissions on users and user attributes by Role Viewers. OrclOIMDeniedAttributesDirect=

OrclOIMOrgScopingDirect=OrclOIMRoleViewerOrgsDirect

OrclOIMOrgScopingWithHierarchy=OrclOIMRoleViewerOrgsWithHierarchy

Authenticated Role authenticated-role Home Org Policy for Role memberships This policy controls the grant role membership and revoke role membership actions that a user can perform in the user’s home org and whether it requires approval. By default, approval is required. OrclOIMNeedApproval=true

OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs

Authenticated Role authenticated-role Home Org Policy for Roles This policy allows a user to implicitly view the roles and role attributes that have been published to the user’s home organization. OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs
Role Administrator OIM Role Administrator OIM Role Administrator Policy with approval Role Administrator is an organization-scoped admin role. This policy specifies the actions that the Role Administrator can perform with approval. OrclOIMOrgScopingDirect=OrclOIMRoleAdminOrgsDirect

OrclOIMNeedApproval=false

OrclOIMOrgScopingWithHierarchy=OrclOIMRoleAdminOrgsWithHierarchy

Role Administrator OIM Role Administrator Role Administrator Policy This Policy controls what actions a member of the Role Administrator admin role can perform. OrclOIMOrgScopingWithHierarchy=OrclOIMRoleAdminOrgsWithHierarchy

OrclOIMOrgScopingDirect=OrclOIMRoleAdminOrgsDirect

Role Administrator OIM Role Administrator OIM RoleAdministrator Basic Info Organization Direct Policy This policy specifies the direct view and search permissions on organizations by Role Administrators. OrclOIMOrgScopingWithHierarchy=OrclOIMRoleAdminOrgsWithHierarchy

OrclOIMOrgScopingDirect=OrclOIMRoleAdminOrgsDirect

Role Administrator OIM Role Administrator OIM RoleAdministrator Basic Info User Direct WithAttributes Policy This policy specifies the direct view and search permissions on users and user attributes by Role Administrators. OrclOIMOrgScopingDirect=OrclOIMRoleAdminOrgsDirect

OrclOIMDeniedAttributesDirect=

OrclOIMOrgScopingWithHierarchy=OrclOIMRoleAdminOrgsWithHierarchy

System Configuration Administrator OIM System Configurator System Configurator Policy for OIM entities The System Configuration Administrator admin role is a global role. This policy controls what actions a member of the role can perform on users, entitlements, roles, organizations, and application instances. Members can manage application instances in the Identity System Administration, but have viewer admin role capabilities in the Identity Self Service. OrclOIMOrgScopingWithHierarchy=OrclOIMSystemConfiguratorOrgsWithHierarchy

OrclOIMOrgScopingDirect=OrclOIMSystemConfiguratorOrgsDirect

System Configuration Administrator OIM System Configurator System Configurator Policy This policy controls the actions that members of the System Configuration Administrator admin role can perform. Members of this admin role carry out post-install product configuration activities, and can perform all configuration activities that a system administrator can. However, members of the System Configuration Administrator admin role do not have the implicit user, role, and application instance administrator capabilities that members of the System Administrator admin role have.
System Configuration Administrator OIM System Configurator System Configurator Policy deny policy for User This policy controls the actions that a member of the System Configuration Administrator can perform for the user entity.
Catalog Administrator OIM Catalog Administrator Role View Policy for Catalog Administrators This policy controls the view permission on catalog entities for the Catalog Administrator. OrclOIMOrgScopingDirect=OrclOIMCatalogAdminOrgsDirect

OrclOIMOrgScopingWithHierarchy=OrclOIMCatalogAdminOrgsWithHierarchy

Authenticated Role authenticated-role OIM Entity Assigned to User Direct Policy This policy controls the actions that authenticated users can perform on the assigned entities.
Authenticated Role authenticated-role OIM Entity Assigned to User Approval Policy This policy controls the actions that authenticated users can perform on the assigned entities. OrclOIMNeedApproval=true
Certification Administrator OIM Certification Administrator OIM UI Certification Administrator Policy This policy grants access to Identity System Administration UI that contains screens for certification configuration and certification definition.
Certification Administrator OIM Certification Administrator Certification Administrator All Entities Search Policy This policy grants view and search capability to Oracle Identity Manager entities required to design certification definitions. The entities include application instances, entitlements, organizations, users, enterprise roles, and catalog items. This policy is used to construct certification definitions. OrclOIMOrgScopingDirect=OrclOIMCertificationAdministratorOrgsDirect

OrclOIMOrgScopingWithHierarchy=OrclOIMCertificationAdministratorOrgsWithHierarchy

Certification Administrator OIM Certification Administrator Certification Administrator Policy This policy grants update access to certification configuration objects, such as certification configuration and definitions.
Certification Administrator OIM Certification Administrator Scheduler Certification Administrator Policy This policy grants access to the Scheduler. Certifications are produced from certification definitions by running a scheduled job.
Certification Administrator OIM Certification Administrator Certification Certification Administrator Policy This policy grants update access to certification instances.

Note: Certification view and update access for reviewers (non-admin users) are granted directly by the certification authorization.

Certification Viewer OIM Certification Viewer Certification Certification Viewer Policy This policy grants view access to certification instances.

Note: Certification Administrator has all Certification Viewer privileges.

Some application roles in OES cannot be granted to users in Oracle Identity Manager and therefore have no corresponding admin role in Oracle Identity Manager. The policies associated with these application roles are used for request-related operations. For example, the policies associated with the OIM Request Approver application role control the operations available to the approver of a request. Table 3-4 lists the application roles that have no corresponding admin role in Oracle Identity Manager, together with their associated policies.
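The obligations in the table are what make these policies useful to a reviewer: a policy with OrclOIMNeedApproval=true only ever produces a request, a DeniedAttributes obligation carves attributes such as USR_PASSWORD out of an otherwise broad grant, and the two OrgScoping obligations limit the grant to the acting user's direct organizations or to those organizations plus their descendants. The following Python is an added example, not Oracle's evaluation engine or any code from this page; it parses the obligation strings exactly as they are printed above into a structured form, applies the scoping, approval and denied-attribute semantics as the descriptions in the table state them (that interpretation is an assumption of this example), and then audits the default policy set for grants that carry no approval requirement. The organization tree and the contents of scope sets such as OrclOIMUserHomeOrgs are constructed inline for the example; in a deployment OIM derives them from the admin-role grants.

```python
"""Model of how the obligations listed in the policy table are consumed.

Added example. The obligation semantics are assumptions drawn from the policy
descriptions above: OrgScopingDirect matches the target's own organization,
OrgScopingWithHierarchy also matches any ancestor organization, NeedApproval
turns a grant into a request, and DeniedAttributes* excludes attributes
(an empty value means nothing is denied). Unknown keys are kept but not used.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Obligations:
    scoping_direct: Optional[str] = None          # OrclOIMOrgScopingDirect
    scoping_hierarchy: Optional[str] = None       # OrclOIMOrgScopingWithHierarchy
    need_approval: bool = False                   # OrclOIMNeedApproval
    denied_direct: FrozenSet[str] = frozenset()   # OrclOIMDeniedAttributesDirect
    denied_with_approval: FrozenSet[str] = frozenset()  # ...WithApproval
    other: Dict[str, str] = field(default_factory=dict)  # not evaluated here


def parse_obligations(lines: List[str]) -> Obligations:
    """Parse 'Key=Value' obligation lines as they appear in the table."""
    ob = Obligations()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"malformed obligation, no '=': {raw!r}")
        attrs = frozenset(a.strip() for a in value.split(",") if a.strip())
        if key == "OrclOIMOrgScopingDirect":
            ob.scoping_direct = value
        elif key == "OrclOIMOrgScopingWithHierarchy":
            ob.scoping_hierarchy = value
        elif key == "OrclOIMNeedApproval":
            ob.need_approval = value.lower() == "true"
        elif key == "OrclOIMDeniedAttributesDirect":
            ob.denied_direct = attrs
        elif key == "OrclOIMDeniedAttributesWithApproval":
            ob.denied_with_approval = attrs
        else:
            ob.other[key] = value
    return ob


def decide(ob: Obligations, target_org: str, org_parent: Dict[str, str],
           scope_sets: Dict[str, set], attribute: Optional[str] = None) -> str:
    """Return 'allow', 'allow_with_approval', 'out_of_scope' or 'denied_attribute'.

    scope_sets maps a scope-set name (e.g. OrclOIMUserHomeOrgs) to the
    organizations it resolves to for the acting user; org_parent maps an
    organization to its parent so hierarchical scoping can walk upwards.
    """
    if ob.scoping_direct is None and ob.scoping_hierarchy is None:
        in_scope = True  # no organization scoping on this policy
    else:
        in_scope = target_org in scope_sets.get(ob.scoping_direct, set())
        allowed = scope_sets.get(ob.scoping_hierarchy, set())
        org: Optional[str] = target_org
        while not in_scope and org is not None:
            in_scope = org in allowed
            org = org_parent.get(org)
    if not in_scope:
        return "out_of_scope"
    denied = ob.denied_with_approval if ob.need_approval else ob.denied_direct
    if attribute is not None and attribute in denied:
        return "denied_attribute"
    return "allow_with_approval" if ob.need_approval else "allow"


# Obligation strings copied from the table above (policy name -> lines).
DEFAULT_POLICIES: Dict[str, List[str]] = {
    "Home Organization Approval with Attributes Policy": [
        "OrclOIMDeniedAttributesWithApproval=USR_PASSWORD",
        "OrclOIMNeedApproval=true",
        "OrclOIMOrgScopingDirect=OrclOIMUserHomeOrgs"],
    "Role Viewer Policy": [
        "OrclOIMOrgScopingDirect=OrclOIMRoleViewerOrgsDirect",
        "OrclOIMOrgScopingWithHierarchy=OrclOIMRoleViewerOrgsWithHierarchy"],
    "Role Authorizer Policy for Request actions": [
        "OrclOIMNeedApproval=false",
        "OrclOIMOrgScopingDirect=OrclOIMRoleAuthorizerOrgsDirect",
        "OrclOIMOrgScopingWithHierarchy=OrclOIMRoleAuthorizerOrgsWithHierarchy"],
    "OIM Role Administrator Policy with approval": [
        "OrclOIMOrgScopingDirect=OrclOIMRoleAdminOrgsDirect",
        "OrclOIMNeedApproval=false",
        "OrclOIMOrgScopingWithHierarchy=OrclOIMRoleAdminOrgsWithHierarchy"],
    "User Self Service Policy for Request Actions": ["OrclOIMNeedApproval=true"],
}


def approval_free_policies(policies: Dict[str, List[str]]) -> List[str]:
    """Audit helper: names of policies that explicitly set NeedApproval=false."""
    return sorted(name for name, lines in policies.items()
                  if "OrclOIMNeedApproval=false" in (l.strip() for l in lines))


if __name__ == "__main__":
    # Constructed organization tree: Sales sits under Corp.
    parents = {"Sales": "Corp"}
    ob = parse_obligations(DEFAULT_POLICIES["Home Organization Approval with Attributes Policy"])
    print(decide(ob, "Sales", parents, {"OrclOIMUserHomeOrgs": {"Sales"}}, "USR_PASSWORD"))
    print(approval_free_policies(DEFAULT_POLICIES))
```

Running the audit over the defaults copied from the table turns up the two policies whose obligations set OrclOIMNeedApproval=false (the Role Authorizer request policy and the Role Administrator policy "with approval"); those are the grants to review first when deciding whether the defaults fit a deployment, since members of those roles act on role membership without a request being raised.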
