Defining Delegated Administration Privileges for Roles

Delegated Administration Privileges determine the users, roles and organization information that delegated administrators (local administrators) can manage. Each privilege is granted separately, yet the three work in conjunction to provide the complete set of abilities for the delegated administrator. In the Oracle User Management Overview section, see Delegated Administration.

Defining User Administration Privileges for Roles

A local administrator must be granted User Administration Privileges to determine the users and people the local administrator can manage. Local administrators can be granted different privileges for different subsets of users. For example, a local administrator can be granted privileges only to query one set of users, and granted full privileges (including update and reset password) for another set. Local administrators cannot query users for which they do not have administration privileges.

Oracle User Management ships with the following seeded permissions for defining user administration privileges for roles:

Seeded User Administration Permissions

Function Code: UMX_OBJ_ACTIVATE_ACCT
Display Name: Create, Inactivate, Reactivate User Account, Update Username
Description: Permission for creating, inactivating, and reactivating user accounts, and updating the user name. Must be granted with a data security policy on the User Management Person (UMX_PERSON_OBJECT) business object.

Function Code: UMX_OBJ_EDIT_PERSON
Display Name: Edit Person Details
Description: Permission for editing person details. Must be granted with a data security policy on the User Management Person (UMX_PERSON_OBJECT) business object.

Function Code: UMX_OBJ_PASSWD_MGMT
Display Name: Reset Password
Description: Permission to reset passwords. Must be granted with a data security policy on the User Management Person (UMX_PERSON_OBJECT) business object.

Function Code: UMX_OBJ_VIEW_PERSON
Display Name: Query Person Details
Description: Permission to query person details. Must be granted with a data security policy on the User Management Person (UMX_PERSON_OBJECT) business object.
Additional Information: This is the minimum permission required by any security administrator who wishes to manage people and users in Oracle User Management.

Function Code: UMX_SYSTEM_ACCT_ADMINSTRATION
Display Name: Maintain System Accounts (users not linked to a person)
Description: Create, Inactivate, Reactivate, and Reset Password for all System Accounts (defined as user accounts not associated with a person).
Additional Information: Only grant to System Administrators.

Steps

  1. Log on as a user that is assigned the Security Administrator role (typically as sysadmin), select the User Management responsibility in the navigator and then click the Roles & Role Inheritance subtab.

  2. In the role hierarchy, access the role to which you want to assign user administration privileges and click the Update icon.

  3. Click on the Security Wizards button.

  4. Click on the Run Wizard icon for "User Management: Security Administration Setup".

  5. Click the User Administration subtab and then click the Add More Rows button.

  6. In the Users field, select the set of users that can be managed by Administrators to whom the role is assigned. The drop-down list contains various data security policies that pertain to the User Management Person Object (UMX_PERSON_OBJECT). Oracle User Management ships with sample data security policies for users. Organizations can use these policies or create their own. For more information, see Defining Data Security Policies.

  7. In the Permissions field, select the permissions that you wish to associate with the delegated administration role. Permissions determine the actions an administrator can perform when managing the set of users defined in the previous step. The Permissions drop-down list includes permission sets that contain permissions associated with the User Management Person object. Different combinations of the existing permissions can be grouped into new permission sets, enabling organizations to add permission sets based on their business needs and the level of granularity they prefer for administering users. For more information, see Permission Sets.

  8. Click Save or Apply to save your changes.

Guidelines

Delegated administration can provide different permissions on different subsets of users. Once you define users and permissions for a role, you can optionally view the permissions that belong to the permission set by clicking the Show node. You can also remove the user administration privileges for a set of users by clicking the Remove icon.

Defining Role Administration Privileges for Roles

Role Administration Privileges define the roles that local administrators can directly assign to and revoke from the set of users they manage.

Oracle User Management ships with the following seeded permission for defining role administration privileges for roles:

Seeded Role Administration Permission

Function Code: UMX_OBJ_ADMIN_ROLE
Display Name: Assign/Revoke Role
Description: Permission for assigning/revoking roles in the User Management application. Must be granted with a data security policy on the User Management Role (UMX_ACCESS_ROLE) business object.

Steps

  1. Log on as a user that is assigned the Security Administrator role (typically as sysadmin), select the User Management responsibility in the navigator and then click the Roles & Role Inheritance subtab.

  2. In the navigation menu, access the role for which you want to define role administration and click the Update icon.

  3. Click on the Security Wizards button.

  4. Click on the Run Wizard icon for "User Management: Security Administration Setup".

  5. Click the "Role Administration" link and use the Available Roles fields to search for the role(s) that you want to associate with this role and which administrators can manage once they are assigned this role.

  6. Select the desired role(s), move them to the Selected Roles column and click Save or Apply.

Guidelines

The Save button saves your changes and continues to display them in the current page. The Apply button saves your changes and returns to the previous page.

Defining Organization Administration Privileges for Roles

Organization Administration Privileges define the external organizations a local administrator can view in Oracle User Management. This privilege enables an administrator to search for people based on their organization, assuming the local administrator has also been granted access to view the people in that organization (User Administration Privileges). Depending on which administration account registration process has been granted, the administrator may also have the ability to register new people for that organization.

Oracle User Management ships with the following seeded permission for defining organization administration privileges for roles:

Seeded Organization Administration Permission

Function Code: UMX_OBJ_VIEW_RLTNSHPS
Display Name: Query/Register Organization Relationship
Description: Permission to query/register organization relationships. Must be granted with a data security policy on the User Management Organization (UMX_ORGANIZATION_OBJECT) business object.

Steps

  1. Log on as a user that is assigned the Security Administrator role (typically as sysadmin), select the User Management responsibility in the navigator and then click the Roles & Role Inheritance subtab.

  2. In the navigation menu, access the role for which you want to define organization administration and click the Update icon.

  3. Click on the Security Wizards button.

  4. Click on the Run Wizard icon for "User Management: Security Administration Setup".

  5. Click the "Organization Administration" link and then click the Assign Organization Privileges button. The drop-down list contains various data security policies that pertain to the User Management Person Object (UMX_PERSON_OBJECT). Oracle User Management ships with sample data security policies for organization administration privileges. Organizations can use these policies to create their own.

  6. Search for and select the appropriate organization privileges.

  7. Click Save or Apply to save your changes.

Guidelines

The Save button saves your changes and continues to display them in the current page. The Apply button saves your changes and returns to the previous page.
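The three privileges described in this section (User Administration, Role Administration and Organization Administration) are granted separately but evaluated together. The following model, added here as an illustration and not Oracle code, shows how the combination behaves for one delegated administrator: a person the administrator cannot query cannot be acted on at all (UMX_OBJ_VIEW_PERSON is the minimum), a role can only be assigned to users the administrator manages, and an organization search only returns people the administrator is also allowed to view. The permission codes are the seeded ones from this section; the people, organizations, role names and the predicate-style data security policies are constructed stand-ins for the seeded sample policies.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Seeded permission codes from the page (the data security object each must
# be granted against is noted alongside).
VIEW_PERSON = "UMX_OBJ_VIEW_PERSON"      # UMX_PERSON_OBJECT
EDIT_PERSON = "UMX_OBJ_EDIT_PERSON"      # UMX_PERSON_OBJECT
RESET_PASSWD = "UMX_OBJ_PASSWD_MGMT"     # UMX_PERSON_OBJECT
ACTIVATE_ACCT = "UMX_OBJ_ACTIVATE_ACCT"  # UMX_PERSON_OBJECT
ADMIN_ROLE = "UMX_OBJ_ADMIN_ROLE"        # UMX_ACCESS_ROLE
VIEW_RLTNSHPS = "UMX_OBJ_VIEW_RLTNSHPS"  # UMX_ORGANIZATION_OBJECT


@dataclass(frozen=True)
class Person:
    username: str
    organization: str


# A data security policy on UMX_PERSON_OBJECT, modelled as a predicate that
# selects the instance set of people it covers (constructed stand-in for the
# seeded sample policies, which are not reproduced here).
PersonPolicy = Callable[[Person], bool]


@dataclass
class UserAdminGrant:
    """One row of the User Administration subtab: a policy plus a permission set."""
    policy: PersonPolicy
    permissions: Set[str]


@dataclass
class DelegatedAdminRole:
    name: str
    user_admin: List[UserAdminGrant] = field(default_factory=list)
    # Role Administration: roles this administrator may assign/revoke
    # (UMX_OBJ_ADMIN_ROLE granted on UMX_ACCESS_ROLE).
    assignable_roles: Set[str] = field(default_factory=set)
    # Organization Administration: organizations this administrator may view
    # (UMX_OBJ_VIEW_RLTNSHPS granted on UMX_ORGANIZATION_OBJECT).
    visible_orgs: Set[str] = field(default_factory=set)

    def permissions_on(self, person: Person) -> Set[str]:
        """Union of the permission sets of every grant whose policy covers the person."""
        perms: Set[str] = set()
        for grant in self.user_admin:
            if grant.policy(person):
                perms |= grant.permissions
        return perms

    def can(self, permission: str, person: Person) -> bool:
        """UMX_OBJ_VIEW_PERSON is the minimum: a person the administrator cannot
        query cannot be acted on at all, whatever else was granted."""
        perms = self.permissions_on(person)
        return VIEW_PERSON in perms and permission in perms

    def can_assign_role(self, role: str, person: Person) -> bool:
        """Role administration only applies to users the administrator manages."""
        return role in self.assignable_roles and self.can(VIEW_PERSON, person)

    def search_by_org(self, org: str, people: List[Person]) -> List[str]:
        """Organization privilege enables the search; user privilege filters the results."""
        if org not in self.visible_orgs:
            return []
        return [p.username for p in people
                if p.organization == org and self.can(VIEW_PERSON, p)]


# Constructed sample data (hypothetical people, organizations and role names).
PEOPLE = [
    Person("alice", "ACME"),
    Person("bob", "ACME"),
    Person("carol", "Globex"),
    Person("erin", "Initech"),
]

ACME_HELPDESK = DelegatedAdminRole(
    name="ACME Help Desk Administrator",
    user_admin=[
        # Full administration over ACME people.
        UserAdminGrant(lambda p: p.organization == "ACME",
                       {VIEW_PERSON, EDIT_PERSON, RESET_PASSWD, ACTIVATE_ACCT}),
        # Query-only over Globex people.
        UserAdminGrant(lambda p: p.organization == "Globex", {VIEW_PERSON}),
        # Misconfigured grant: edit without query has no effect.
        UserAdminGrant(lambda p: p.organization == "Initech", {EDIT_PERSON}),
    ],
    assignable_roles={"Help Desk Agent"},
    visible_orgs={"ACME"},
)


def evaluate(role: DelegatedAdminRole = ACME_HELPDESK) -> Dict[str, object]:
    """Run the access checks a reviewer would want to confirm for this role."""
    alice, bob, carol, erin = PEOPLE
    return {
        "reset_alice": role.can(RESET_PASSWD, alice),
        "reset_carol": role.can(RESET_PASSWD, carol),
        "view_carol": role.can(VIEW_PERSON, carol),
        "edit_erin": role.can(EDIT_PERSON, erin),
        "assign_helpdesk_to_bob": role.can_assign_role("Help Desk Agent", bob),
        "assign_secadmin_to_bob": role.can_assign_role("Security Administrator", bob),
        "assign_helpdesk_to_erin": role.can_assign_role("Help Desk Agent", erin),
        "search_acme": role.search_by_org("ACME", PEOPLE),
        "search_globex": role.search_by_org("Globex", PEOPLE),
    }


if __name__ == "__main__":
    for check, result in evaluate().items():
        print(f"{check}: {result}")
```

Running the module prints each check. Note the two deliberately instructive cases: the Initech grant carries UMX_OBJ_EDIT_PERSON without UMX_OBJ_VIEW_PERSON, so it grants nothing, and the Globex search returns nothing because the role lacks the organization privilege even though it can query Globex people individually. When reviewing a real role, those are the two kinds of mismatch between the three privilege types that are worth checking.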