Sun IDM: Admin roles

Remember what the IDM documentation says: do not confuse roles with admin roles. Roles are used to manage end users' access to external resources, whereas admin roles are primarily used to manage Identity Manager administrator access to Identity Manager objects.

Admin roles can be assigned dynamically by a rule. However, depending on which capabilities you assign, you will probably need to change the system configuration so that dynamically assigned admin roles are checked at login. Otherwise, if the rule assigns an admin role carrying a capability such as View User to a user who has no statically assigned admin capabilities, that user will still not be able to access the administrator interface, because the dynamic assignment is not evaluated when the session is opened.

Enable checkDynamicallyAssignedAdminRolesAtLoginTo

Go to /idm/debug/, select Configuration as the object type and click List Objects. Click the edit button for System Configuration and modify the XML so that the authz section contains something like:

                <Attribute name='authz'>
                    <Object>
                        <Attribute name='checkDynamicallyAssignedAdminRolesAtLoginTo'>
                            <Object>
                                <Attribute name='Administrator Interface'>
                                    <Boolean>true</Boolean>
                                </Attribute>
                                <Attribute name='Service Provider User Interface'>
                                    <Boolean>false</Boolean>
                                </Attribute>
                                <Attribute name='User Interface'>
                                    <Boolean>true</Boolean>
                                </Attribute>
                            </Object>
                        </Attribute>
                    </Object>
                </Attribute>

then click the save button.
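Editing that XML by hand in the debug page is error-prone, and it is easy to forget one interface or to leave the value as a string instead of a Boolean. The following script is an added example, not part of the original post and not Sun IDM code: it parses an exported System Configuration object, reports the current per-interface settings of checkDynamicallyAssignedAdminRolesAtLoginTo, and rewrites the authz section to the desired policy, creating the authz and check attributes when they are missing. The layout it assumes (a Configuration root with an Extension/Object containing the attributes, as on the debug page) and the sample configuration are assumptions made for the example.

```python
"""Audit and patch checkDynamicallyAssignedAdminRolesAtLoginTo in a Sun IDM
System Configuration export.

Added example; not part of the original post or of Sun IDM itself.
Assumption: the export has the layout Configuration > Extension > Object,
with the nested Attribute/Object/Boolean structure shown on the debug page.
"""
import xml.etree.ElementTree as ET

CHECK_ATTR = 'checkDynamicallyAssignedAdminRolesAtLoginTo'

# Desired policy: dynamic admin roles must be checked when an admin or
# end-user session is opened; the SPE interface is left unchecked.
DESIRED = {
    'Administrator Interface': True,
    'Service Provider User Interface': False,
    'User Interface': True,
}

# Constructed sample: the weak setting, with the check disabled for the
# Administrator Interface and no entry at all for the SPE interface.
SAMPLE_SYSCONFIG = """<Configuration id='#ID#Configuration:SystemConfiguration' name='System Configuration'>
  <Extension>
    <Object>
      <Attribute name='authz'>
        <Object>
          <Attribute name='checkDynamicallyAssignedAdminRolesAtLoginTo'>
            <Object>
              <Attribute name='Administrator Interface'>
                <Boolean>false</Boolean>
              </Attribute>
              <Attribute name='User Interface'>
                <Boolean>false</Boolean>
              </Attribute>
            </Object>
          </Attribute>
        </Object>
      </Attribute>
    </Object>
  </Extension>
</Configuration>
"""


def _attr(obj, name):
    """Direct child <Attribute name=...> of an <Object>, or None."""
    for child in obj.findall('Attribute'):
        if child.get('name') == name:
            return child
    return None


def _attr_object(obj, name):
    """<Object> nested inside <Attribute name=...>, creating both if absent."""
    attr = _attr(obj, name)
    if attr is None:
        attr = ET.SubElement(obj, 'Attribute', name=name)
    inner = attr.find('Object')
    if inner is None:
        inner = ET.SubElement(attr, 'Object')
    return inner


def _checks_object(root, create=False):
    """The <Object> holding the per-interface Booleans (None if absent)."""
    top = root.find('./Extension/Object')  # assumed export layout
    if top is None:
        raise ValueError('no Extension/Object found in System Configuration')
    if create:
        return _attr_object(_attr_object(top, 'authz'), CHECK_ATTR)
    authz = _attr(top, 'authz')
    if authz is None or authz.find('Object') is None:
        return None
    checks = _attr(authz.find('Object'), CHECK_ATTR)
    return None if checks is None else checks.find('Object')


def get_login_checks(xml_text):
    """Current settings as {interface: bool}; interfaces not present are omitted."""
    checks = _checks_object(ET.fromstring(xml_text))
    result = {}
    if checks is None:
        return result
    for attr in checks.findall('Attribute'):
        b = attr.find('Boolean')
        result[attr.get('name')] = b is not None and (b.text or '').strip().lower() == 'true'
    return result


def enforce_login_checks(xml_text, desired=DESIRED):
    """Return (patched_xml, changes); changes lists (interface, old, new).

    old is None when the interface had no entry. A non-Boolean value (e.g. a
    string 'true') is replaced by a real <Boolean>, since the type matters.
    """
    root = ET.fromstring(xml_text)
    checks = _checks_object(root, create=True)
    changes = []
    for iface, want in desired.items():
        attr = _attr(checks, iface)
        if attr is None:
            attr = ET.SubElement(checks, 'Attribute', name=iface)
        b = attr.find('Boolean')
        if b is None:
            for child in list(attr):   # drop a wrongly typed value
                attr.remove(child)
            b = ET.SubElement(attr, 'Boolean')
        old = None if b.text is None else b.text.strip().lower() == 'true'
        if old != want:
            changes.append((iface, old, want))
        b.text = 'true' if want else 'false'
    return ET.tostring(root, encoding='unicode'), changes


if __name__ == '__main__':
    print('before:', get_login_checks(SAMPLE_SYSCONFIG))
    patched, diff = enforce_login_checks(SAMPLE_SYSCONFIG)
    print('changes:', diff)
    print('after:', get_login_checks(patched))
```

Run the audit part (get_login_checks) against the XML you copy out of the debug page before touching anything; if the Administrator Interface entry is missing or false, the dynamic admin role will not open the admin interface no matter what capabilities it carries. The enforce step is idempotent, so a second run reports no changes.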

Rule example to assign a role

This is a very simple rule that returns true if the user's accountId matches the string bbonfils, and false otherwise (including when no user view is available).

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
<!-- authType marks this rule as one that can be selected as an admin role's user assignment rule -->
<Rule id='#ID#Rule:assignManagerAdminRole' name='assignManagerAdminRole' authType='UserIsAssignedAdminRoleRule'>
    <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
    </MemberObjectGroups>
    <RuleArgument name='context'>
        <Comments>
          Identity session context (e.g. Lighthouse context)
        </Comments>
    </RuleArgument>

    <RuleArgument name='runAsUser'>
        <Comments>
          The User view of the user the rule will run as.
        </Comments>
    </RuleArgument>

    <!-- Outer cond: if no runAsUser view is available, return false instead of failing -->
    <cond>
        <ref>runAsUser</ref>
        <cond>
            <!-- Remember that cmp returns 0 if the strings are equal, and 0 is false
                 for cond, so the else branch (true) is taken on a match -->
            <cmp><ref>runAsUser.waveset.accountId</ref><s>bbonfils</s></cmp>
            <s>false</s>
            <s>true</s>
        </cond>
        <s>false</s>
    </cond>

    <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
    </MemberObjectGroups>
</Rule>