Administrator permissions for user-provisioning functions
To do the following... | You must have these permissions... |
---|---|
View: | Browse on any security domain or any user group. |
View: | Manage on any security domain or any user group. If LDAP Server integration is configured, there is an additional field that you can use to search for a user in LDAP Server and prepopulate their user information. For more information, see LDAP and user provisioning. |
Edit user information | Manage on any security domain or any user group that includes the user account. |
Enable and disable user accounts | Manage on any security domain or any user group that includes the user account. To clear direct role assignments when you disable a user account, you must have Assign Role on the root security domain. To clear group memberships when you disable a user account, you must have Manage on the top-level user group. To clear direct reports access when you disable a user account, you must belong to the OPAdministrators group. Note that an administrator cannot disable their own account. For information about the difference between disabling and locking user accounts, see Modifying user accounts. |
Lock user accounts | Lock on any security domain or any user group that includes the user account. Note that an administrator cannot lock their own account. |
Unlock user accounts | Unlock on any security domain or any user group that includes the user account. |
Edit user passwords. This includes the Password and Confirm Password fields. | Reset Password on any security domain or any user group that includes the user account. |
Configure password options and edit configured password options. This includes the following options: User must change password at next log on, User cannot change password, Password never expires, Password expires in <n> days, and Force Password Change. | Manage on any security domain or any user group that includes the user account. Note that an administrator can force a password change for their account and reset their password. |
Edit a user's locale and profile information | Manage on any security domain or any user group that includes the user account. |
Modify a user's group memberships | Manage on the top-level user group. |
Add role assignments to a user | Manage and Assign Role on the root security domain. |
Remove role assignments from a user | Assign Role on the root security domain. |
View a user's reports access | OPAdministrators group membership. Information is read-only. |
Copy access from one user to a new or existing user. This includes locale, profiles, group memberships, and direct role assignments. | Manage on the top-level user group and Manage and Assign Role on the root security domain. |
Copy direct reports access from one user to a new or existing user | Manage on the top-level user group, Manage and Assign Role on the root security domain, and OPAdministrators group membership. Information is read-only. |
Example
Figure 1 shows a diagram with a sample security administration structure.