Sun IDM: Admin roles

Remember what the IDM documentation says: Do not confuse roles with admin roles. Roles are used to manage end-users' access to external resources, whereas admin roles are primarily used to manage Identity Manager administrator access to Identity Manager objects.

Admin roles can be assigned dynamically by a rule. However, depending on which capabilities you assign, you will probably have to change the System Configuration to enable the check at login. Otherwise, if you assign an admin role carrying a capability such as View User to a user who has no statically assigned admin capability, that user will not be able to access the admin interface.

Enable checkDynamicallyAssignedAdminRolesAtLoginTo

Hit /idm/debug/, select Configuration and click List Objects. Click on the edit button for System Configuration and modify the XML to have something like:

    <Attribute name='authz'>
      <Object>
        <Attribute name='checkDynamicallyAssignedAdminRolesAtLoginTo'>
          <Object>
            <Attribute name='Administrator Interface'>
              <Boolean>true</Boolean>
            </Attribute>
            <Attribute name='Service Provider User Interface'>
              <Boolean>false</Boolean>
            </Attribute>
            <Attribute name='User Interface'>
              <Boolean>true</Boolean>
            </Attribute>
          </Object>
        </Attribute>
      </Object>
    </Attribute>

and click on the save button.

Rule example to assign a role

This is a very simple rule that returns true if the accountId of the user matches the string bbonfils.

    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
    <Rule id='#ID#Rule:assignManagerAdminRole' name='assignManagerAdminRole'
          authType='UserIsAssignedAdminRoleRule'>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
      </MemberObjectGroups>
      <RuleArgument name='context'>
        <Comments>Identity session context (e.g. Lighthouse context)</Comments>
      </RuleArgument>
      <RuleArgument name='runAsUser'>
        <Comments>The User view of the user the rule will run as.</Comments>
      </RuleArgument>
      <!-- Outer cond: if runAsUser is null, return "false" -->
      <cond>
        <ref>runAsUser</ref>
        <cond>
          <!-- Remember that cmp returns 0 if the strings are equal,
               and cond treats 0 as false, so the "true" goes in the third branch -->
          <cmp><ref>runAsUser.waveset.accountId</ref><s>bbonfils</s></cmp>
          <s>false</s>
          <s>true</s>
        </cond>
        <s>false</s>
      </cond>
      <MemberObjectGroups>
        <ObjectRef type='ObjectGroup' id='#ID#All' name='All'/>
      </MemberObjectGroups>
    </Rule>
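To see why the rule above puts "true" in the third branch of the inner cond, here is an added example (not code from the page or from Sun Identity Manager): a deliberately small Python interpreter for the four XPRESS elements the rule uses (ref, cmp, cond, s). The truth model is an assumption taken from the page's own comment: null, Boolean false, integer 0 and the string "false" count as false, everything else as true; null is assumed never to compare equal in cmp. The runAsUser value is a constructed nested dict standing in for the real User view.

```python
"""Trace the assignManagerAdminRole rule body outside Identity Manager.

Toy XPRESS evaluator (added example, not IDM's engine). Supports only
<s>, <ref>, <cmp> and <cond>, which is all the rule on the page uses.
"""
import xml.etree.ElementTree as ET

# The body of the rule shown on the page, minus the Rule envelope.
RULE_BODY = """<cond>
  <ref>runAsUser</ref>
  <cond>
    <cmp><ref>runAsUser.waveset.accountId</ref><s>bbonfils</s></cmp>
    <s>false</s>
    <s>true</s>
  </cond>
  <s>false</s>
</cond>"""


def is_true(value):
    """Assumed XPRESS truthiness: null, false, 0 and 'false' are false."""
    return not (value is None or value is False or value == 0 or value == "false")


def resolve_ref(path, args):
    """Resolve a dotted path such as runAsUser.waveset.accountId; missing -> None."""
    cur = args
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(node, args):
    """Evaluate one XPRESS element against the rule arguments."""
    tag = node.tag
    if tag == "s":
        return node.text or ""
    if tag == "ref":
        return resolve_ref((node.text or "").strip(), args)
    children = list(node)
    if tag == "cmp":
        a, b = (evaluate(c, args) for c in children)
        if a is None or b is None:
            return -1  # assumption: a null operand never compares equal
        a, b = str(a), str(b)
        return (a > b) - (a < b)  # 0 when equal, like the page's comment says
    if tag == "cond":
        if len(children) < 3:
            return None
        branch = children[1] if is_true(evaluate(children[0], args)) else children[2]
        return evaluate(branch, args)
    raise ValueError("unsupported XPRESS element: %s" % tag)


def run_rule(run_as_user):
    """Run the rule body with the given (constructed) runAsUser view."""
    return evaluate(ET.fromstring(RULE_BODY), {"runAsUser": run_as_user})


def user_view(account_id):
    """Constructed stand-in for the waveset.accountId part of a User view."""
    return {"waveset": {"accountId": account_id}}


if __name__ == "__main__":
    for view in (user_view("bbonfils"), user_view("alice"), None):
        print(view, "->", run_rule(view))
```

Swapping the two string branches of the inner cond would make the rule assign the admin role to everybody except bbonfils, which is the mistake the comment in the rule guards against.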
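For the checkDynamicallyAssignedAdminRolesAtLoginTo setting described above, this added example (not code from the page or from Sun Identity Manager) audits an exported System Configuration object and reports the interfaces for which dynamically assigned admin roles are not checked at login, then optionally sets the flags. The sample XML is constructed to mirror the authz fragment on the page; the surrounding Configuration/Extension envelope and the exact position of the attribute inside the object are assumptions.

```python
"""Audit and correct checkDynamicallyAssignedAdminRolesAtLoginTo flags
in an exported Sun IDM System Configuration XML object (added example).
"""
import xml.etree.ElementTree as ET

FLAG = "checkDynamicallyAssignedAdminRolesAtLoginTo"

# Constructed sample: the flag is enabled for the Administrator Interface only,
# so admin roles assigned by rule are not evaluated for User Interface logins.
SAMPLE_CONFIG = """<Configuration name='System Configuration'>
  <Extension>
    <Object>
      <Attribute name='authz'>
        <Object>
          <Attribute name='checkDynamicallyAssignedAdminRolesAtLoginTo'>
            <Object>
              <Attribute name='Administrator Interface'>
                <Boolean>true</Boolean>
              </Attribute>
              <Attribute name='Service Provider User Interface'>
                <Boolean>false</Boolean>
              </Attribute>
              <Attribute name='User Interface'>
                <Boolean>false</Boolean>
              </Attribute>
            </Object>
          </Attribute>
        </Object>
      </Attribute>
    </Object>
  </Extension>
</Configuration>
"""


def _flag_object(root):
    """Return the <Object> holding the per-interface Booleans, or None."""
    for attr in root.iter("Attribute"):
        if attr.get("name") == FLAG:
            return attr.find("Object")
    return None


def read_login_check_flags(xml_text):
    """Map each interface name to the Boolean configured for it."""
    root = ET.fromstring(xml_text)
    obj = _flag_object(root)
    if obj is None:
        return {}
    flags = {}
    for attr in obj.findall("Attribute"):
        boolean = attr.find("Boolean")
        text = (boolean.text or "") if boolean is not None else ""
        flags[attr.get("name")] = text.strip().lower() == "true"
    return flags


def interfaces_missing_check(xml_text, required=("Administrator Interface", "User Interface")):
    """Interfaces from `required` where dynamic admin roles are NOT checked at login."""
    flags = read_login_check_flags(xml_text)
    return [name for name in required if not flags.get(name, False)]


def enable_login_check(xml_text, interfaces=("Administrator Interface", "User Interface")):
    """Return a copy of the XML with the flag set to true for the given interfaces."""
    root = ET.fromstring(xml_text)
    obj = _flag_object(root)
    if obj is None:
        raise ValueError("no %s attribute found in System Configuration" % FLAG)
    present = {a.get("name"): a for a in obj.findall("Attribute")}
    for name in interfaces:
        attr = present.get(name)
        if attr is None:  # interface not listed yet: add it
            attr = ET.SubElement(obj, "Attribute", name=name)
        boolean = attr.find("Boolean")
        if boolean is None:
            boolean = ET.SubElement(attr, "Boolean")
        boolean.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("not checked at login:", interfaces_missing_check(SAMPLE_CONFIG))
    fixed = enable_login_check(SAMPLE_CONFIG)
    print("after fix:", interfaces_missing_check(fixed))
```

Run it against an export of the System Configuration object before and after the edit in /idm/debug/ to confirm that both interfaces you rely on for rule-assigned admin roles have the check enabled.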
Welcome to Bruno Bonfils's (aka asyd) homepage.