Administrator permissions for user-provisioning functions

You must have the appropriate administrator permissions to perform each user-provisioning function.

Table 1. Permissions required for user provisioning functions

| To do the following... | You must have these permissions... |
| --- | --- |
| View: the Settings menu > Users and Security > Users menu item (Task Focused UI); the Administration > Users menu item and the View, Edit, or Disable User field on the Users landing page (Standard UI) | Browse on any security domain or any user group. |
| View: the Create User button from a list of users and create new users (Task Focused UI); the Create User button on the Users landing page and create new users (Standard UI) | Manage on any security domain or any user group. If LDAP Server integration is configured, there is an additional field that you can use to search for a user in LDAP Server and prepopulate their user information. For more information, see LDAP and user provisioning. |
| Edit user information | Manage on any security domain or any user group that includes the user account. |
| Enable and disable user accounts | Manage on any security domain or any user group that includes the user account. To clear direct role assignments when you disable a user account, you must have Assign Role on the root security domain. To clear group memberships when you disable a user account, you must have Manage on the top-level user group. To clear direct reports access when you disable a user account, you must belong to the OPAdministrators group. Note that an administrator cannot disable their own account. For information about the difference between disabling and locking user accounts, see Modifying user accounts. |
| Lock user accounts | Lock on any security domain or any user group that includes the user account. Note that an administrator cannot lock their own account. |
| Unlock user accounts | Unlock on any security domain or any user group that includes the user account. |
| Edit user passwords. This includes the Password and Confirm Password fields. | Reset Password on any security domain or any user group that includes the user account. |
| Configure password options and edit configured password options. This includes the following options: User must change password at next log on, User cannot change password, Password never expires, Password expires in <n> days, and Force Password Change. | Manage on any security domain or any user group that includes the user account. Note that an administrator can force a password change for their account and reset their password. |
| Edit a user's locale and profile information | Manage on any security domain or any user group that includes the user account. |
| Modify a user's group memberships | Manage on the top-level user group. |
| Add role assignments to a user | Manage and Assign Role on the root security domain. |
| Remove role assignments from a user | Assign Role on the root security domain. |
| View a user's reports access | OPAdministrators group membership. Information is read-only. |
| Copy access from one user to a new or existing user. This includes locale, profiles, group memberships, and direct role assignments. | Manage on the top-level user group and Manage and Assign Role on the root security domain. |
| Copy direct reports access from one user to a new or existing user | Manage on the top-level user group, Manage and Assign Role on the root security domain, and OPAdministrators group membership. Information is read-only. |

Example

Figure 1 shows a diagram with a sample security administration structure.

Figure 1. Sample security administration
Organizational chart showing Company ABC Group at the beginning. Asia Pacific, North America, and Europe groups are subordinate to it. USA Group is subordinate to North America Group. Boston and New York groups are subordinate to USA Group.