======Sun IDM: Admin roles======

Remember what the IDM documentation say : //Do not confuse roles with admin-roles. Roles are used to manage end-users’ access to external resources, whereas admin-roles are primarily used to manage Identity Manager administrator access to Identity Manager objects.//

Admin roles can be assigned dynamically by a rule. However, regarding which capabilities you assin, you probably change the system configuration to enable check at login. Otherwise, if you assign a role with a capability like //View User// and if the user doesn't have admin cap (assigned in a static way) the user won't be able to access to the admin interface.

===Enable checkDynamicallyAssignedAdminRolesAtLoginTo===

Hit /idm/debug/, select //Configuration// and click //List Objects//. Click on the //edit// button for //System Configuration// and modify the XML to have something like:

<code xml>
                <Attribute name='authz'>
                    <Object>
                        <Attribute name='checkDynamicallyAssignedAdminRolesAtLoginTo'>
                            <Object>
                                <Attribute name='Administrator Interface'>
                                    <Boolean>true</Boolean>
                                </Attribute>
                                <Attribute name='Service Provider User Interface'>
                                    <Boolean>false</Boolean>
                                </Attribute>
                                <Attribute name='User Interface'>
                                    <Boolean>true</Boolean>
                                </Attribute>
</code>

and click on the //save// button.

===Rule example to assign a role===

This is a very simple rule that return true if the user match the string //bbonfils//.

<code xml>
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Rule id='#ID#Rule:assignManagerAdminRole' name='assignManagerAdminRole' authType='UserIsAssignedAdminRoleRule'>
    <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
    </MemberObjectGroups>
    <RuleArgument name='context'>
        <Comments>
          Identity session context (e.g. Lighthouse context)
        </Comments>
    </RuleArgument>

    <RuleArgument name='runAsUser'>
        <Comments>
          The User view of the user the rule will run as.
        </Comments>
    </RuleArgument>

    <cond>
        <ref>runAsUser</ref>
        <cond>
            <!-- Remember that CMP returns 0 if string are equals -->
            <cmp><ref>runAsUser.waveset.accountId</ref><s>bbonfils</s></cmp>
            <s>false</s>
            <s>true</s>
        </cond>
        <s>false</s>
    </cond>

    <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
    </MemberObjectGroups>
</Rule>

</code>