Versions Compared

Old Version 2

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • The following table describes the permissions at Tenant level. These are also referred to as Admin permissions.

    Info

    Note that when you select a node in the Permissions navigator, all the subordinate permissions that are listed under the selected node are also automatically enabled.

    Permission levelDescription of UI menus enabled
    Admin

    When the Admin permission node is selected, the following menus are enabled in the management console:

    - User Store Management: This permission allows users to add new user stores and manage them with the management console. Note that only secondary user stores can be added using this option. See the topic on user store management for more details.
    - Identity Providers:  See the topic on working with identity providers for details on how to use this option.

    - Additionally, all permissions listed under Admin in the permissions navigator are selected automatically.

    Admin/ConfigureWhen the Admin/Configure permission node is selected, the following menus are enabled in the management console:

    - Main     menu/PAP: See the topic on working with entitlement for details on how to use this option.
    - Main     menu/PDP: See the topic on working with entitlement for details on how to use this option.

    - Configure     menu/Server Roles: See the topic on server roles for more details.
    - Tools     menu/Tryit (XACML): See the topic on working with the TryIt tool for details on how to use this option.

    - Additionally, all permissions listed under Configure in the permissions navigator are selected automatically.
    Admin/Configure/SecurityWhen the Admin/Configure/Security permission node is selected, the following menus are enabled in the Configure menu of the management console:

    - Claim Management: See the topic on claim management for details on how to use this option.
    - Keystores: See the topic on keystores for details on how to use this option.
    - Service Principle (Kerberos KDC): See the topic on kerberos security for details on how to use this option.
    - Email Templates: See the topics on email templates for details on how to use this option.

    - This permission will also enable the Roles option under Configure/Users and Roles.     See the topic on configuring users, roles and permissions for more information.

    - Additionally, all permissions listed under Security in the permissions navigator are selected automatically.
    Admin/Configure/Security/Identity Management/User ManagementThis permission enables the possibility to add users from the management console. That is, the Users option will be enabled under Configure/Users and Roles.
    Admin/Configure/Security/Identity Management/Password ManagementThis permission enables the Change Password option for the users listed in the User Management/Users and Roles/Users screen, which allows the log in user to change the passwords
    Admin/Configure/Security/Identity Management/Profile ManagementThis permission enables the User Profile option for the users listed in the User Management/Users and Roles/Users screen, which allows the log in user to update user profiles.
    Admin/ManageWhen the Admin/Manage permission is selected, the following menus will be enabled in the management console:

    - Main menu/Service Providers: See the topic on working with service providers for details on how to use this option.
    - Tools menu/SAML: See the topic on working with the SAML tool kit for more details.

    - Additionally, all permissions listed under Admin/Manage in the permissions navigator will be enabled automatically. 
    Admin/Manage/Resources/BrowseThis permission enables the Browse option under the Registry menu in the main navigator. This option allows users to browse the resources stored in the registry by using the Registry tree navigator.
    Admin/Manage/SearchThis permission enables the Search option under the Registry sub menu in the Main menu. This option allows users to search for specific resources stored in the registry by filling in the search criteria.
    Admin/MonitorWhen the Admin/Monitor permission node is selected, the following menus are enabled in the management console:

    - Monitor menu/System Statistics: See the topic on system statistics for information on how to use this option.
    - Monitor menu/SOAP Message Tracer: See the topic on the SOAP tracer for information on how to use this option.

    - Additionally, all permissions listed under Admin/Monitor in the permissions navigator will be enabled automatically. 
    Admin/Monitor/LogsWhen the Admin/Monitor/Logs permission node is selected, the following menus are enabled in the management console:

    - Monitor menu/Application Logs
    - Monitor menu/System Logs  See the topic on system logs for information on how to use these options.

Permissions required to invoke admin services

The following table lists out the various operations that can be performed with different permission levels.

Permission levelServiceOperations
Tenant level permissions
/adminUserStoreConfigAdminService
  • addUserStore
  • changeUserStoreState
  • deleteUserStore
  • deleteUserStoresSet
  • editUserStore
  • editUserStoreWithDomainName
  • getAvailableUserStoreClasses
  • getSecondaryRealmConfigurations
  • getUserStoreManagerProperties
/admin/configure EntitlementAdminService
  • clearAllAttributeCaches
  • clearAllResourceCaches
  • clearAttributeFinderCache
  • clearAttributeFinderCacheByAt tributes
  • clearCarbonAttributeCache
  • clearCarbonResourceCache
  • clearDecisionCache
  • clearPolicyCache
  • clearResourceFinderCache
  • doTestRequest
  • doTestRequestForGivenPolicies
  • getGlobalPolicyAlgorithm
  • getPDPData
  • getPIPAttributeFinderData
  • getPIPResourceFinderData
  • getPolicyFinderData
  • refreshAttributeFinder
  • refreshPolicyFinders
  • refreshResourceFinder
  • setGlobalPolicyAlgorithm
EntitlementPolicyAdminService
  • addPolicies
  • addPolicy
  • addSubscriber
  • deleteSubscriber
  • dePromotePolicy
  • enableDisablePolicy
  • getAllPolicies
  • getAllPolicyIds
  • getEntitlementData
  • getEntitlementDataModules
  • getLightPolicy
  • getPolicy
  • getPolicyByVersion
  • getPolicyVersions
  • getPublisherModuleData
  • getStatusData
  • getSubscriber
  • getSubscriberIds
  • importPolicyFromRegistry
  • orderPolicy
  • publish
  • publishPolicies
  • publishToPDP
  • removePolicies
  • removePolicy
  • rollBackPolicy
  • updatePolicy
  • updateSubscriber
/admin/configure/security          ClaimManagementService
  • addNewClaimDialect
  • addNewClaimMapping
  • getClaimMappingByDialect
  • getClaimMappings
  • removeClaimDialect
  • removeClaimMapping
  • upateClaimMapping
KeyStoreAdminService
  • addKeyStore
  • addTrustStore
  • deleteStore
  • getKeystoreInfo
  • getPaginatedKeystoreInfo
  • getStoreEntries
  • importCertToStore
  • removeCertFromStore
RemoteAuthorizationManagerService
  • authorizeRole
  • authorizeUser
  • clearAllRoleAuthorization
  • clearAllUserAuthorization
  • clearResourceAuthorizations
  • clearRoleActionOnAllResources
  • clearRoleAuthorization
  • clearUserAuthorization
  • denyRole
  • denyUser
  • getAllowedRolesForResource
  • getAllowedUIResourcesForUser
  • getDeniedRolesForResource
  • getExplicitlyAllowedUsersForResource
  • getExplicitlyDeniedUsersForResource
  • isRoleAuthorized
  • isUserAuthorized
  • resetPermissionOnUpdateRole
RemoteClaimManagerService
  • addNewClaimMapping
  • deleteClaimMapping
  • getAllClaimMappings
  • getAllClaimUris
  • getAllRequiredClaimMappings
  • getAllSupportClaimMappingsByDefault
  • getAttributeName
  • getAttributeNameFromDomain
  • getClaim
  • getClaimMapping
  • updateClaimMapping
RemoteProfileConfigurationManagerService
  • addProfileConfig
  • deleteProfileConfig
  • getAllProfiles
  • getProfileConfig
  • updateProfileConfig
RemoteUserStoreManagerService
  • addRole
  • addUser
  • addUserClaimValue
  • addUserClaimValues
  • authenticate
  • deleteRole
  • deleteUser
  • deleteUserClaimValue
  • deleteUserClaimValues
  • getAllProfileNames
  • getHybridRoles
  • getPasswordExpirationTime
  • getProfileNames
  • getProperties
  • getRoleListOfUser
  • getRoleNames
  • getTenantId
  • getTenantIdofUser
  • getUserClaimValue
  • getUserClaimValues
  • getUserClaimValuesForClaims
  • getUserId
  • getUserList
  • getUserListOfRole
  • isExistingRole
  • isExistingUser
  • isReadOnly
  • listUsers
  • setUserClaimValue
  • setUserClaimValues
  • updateCredential
  • updateCredentialByAdmin
  • updateRoleListOfUser
  • updateRoleName
  • updateUserListOfRole
SCIMConfigAdminService
  • addGlobalProvider
  • deleteGlobalProvider
  • getAllGlobalProviders
  • getGlobalProvider
  • updateGlobalProvider
STSAdminService
  • addTrustedService
  • getCertAliasOfPrimaryKeyStore
  • getProofKeyType
  • getTrustedServices
  • removeTrustedService
  • setProofKeyType
 UserAdmin
  • addInternalRole
  • addRemoveRolesOfUser
  • addRemoveUsersOfRole
  • addRole
  • bulkImportUsers
  • deleteRole
  • getAllSharedRoleNames
  • getAllUIPermissions
  • getRolePermissions
  • getRolesOfUser
  • isSharedRolesEnabled
  • listUserByClaim
  • setRoleUIPermission
  • updateRoleName
  • updateRolesOfUser
  • updateUsersOfRole
/admin/configure/security/rolemgtUserAdmin
  • getUsersOfRole
/admin/configure/security/usermgtMultipleCredentialsUserAdmin
  • addUserWithUserId
  • authenticate
  • deleteUserClaimValue
  • deleteUserClaimValues
  • getUserClaimValue
  • getUserClaimValues
  • getUserId
  • setUserClaimValue
  • setUserClaimValues
/admin/configure/security/usermgt/passwordsMultipleCredentialsUserAdmin 
  • addCredential
  • deleteCredential
  • getCredentials
  • updateCredential
UserAdmin
  • changePassword
 /admin/configure/security/usermgt/provisioningSCIMConfigAdminService
  • addUserProvider
  • deleteUserProvider
  • getAllUserProviders
  • getUserProvider
  • updateUserProvider
/admin/configure/security/usermgt/usersMultipleCredentialsUserAdmin
  • addUser
  • addUsers
  • deleteUser
UserAdmin
  • addUser
  • deleteUser
/admin/loginAccountCredentialMgtConfigService
  • getEmailConfig
  • saveEmailConfig
EntitlementService
  • getAllEntitlements
  • getBooleanDecision
  • getDecision
  • getDecisionByAttributes
  • getEntitledAttributes
  • XACMLAuthzDecisionQuery
IdentityProviderAdminService
  • addOpenID
  • extractPrimaryUserName
  • getAllOpenIDs
  • getPrimaryOpenID
  • removeOpenID
  • getAllIdPs
IWAAuthenticator
  • canHandle
  • login
LoggedUserInfoAdmin
  • getUserInfo
MultipleCredentialsUserAdmin
  • getAllUserClaimValues
OAuthAdminService
  • getAppsAuthorizedByUser
  • revokeAuthzForAppsByResoureOwner
UserAdmin
  • changePasswordByUser
  • getRolesOfCurrentUser
  • getUserRealmInfo
  • hasMultipleUserStores
UserIdentityManagementAdminService
  • changeUserPassword
  • deleteUser
  • getAllChallengeQuestions
  • getAllPromotedUserChallenge
  • getAllUserIdentityClaims
  • getChallengeQuestionsOfUser
  • isReadOnlyUserStore
  • lockUserAccount
  • resetUserPassword
  • setChallengeQuestions
  • setChallengeQuestionsOfUser
  • unlockUserAccount
  • updateUserIdentityClaims
UserInformationRecoveryService
  • confirmUserSelfRegistration
  • getAllChallengeQuestions
  • getCaptcha
  • getUserChallengeQuestion
  • getUserChallengeQuestionIds
  • getUserIdentitySupportedClaims
  • registerUser
  • sendRecoveryNotification
  • updatePassword
  • verifyAccount
  • verifyConfirmationCode
  • verifyUser
  • verifyUserChallengeAnswer
UserProfileMgtService
  • associateID
  • deleteUserProfile
  • getAssociatedIDs
  • getInstance
  • getNameAssociatedWith
  • getProfileFieldsForInternalStore
  • getUserProfile
  • getUserProfiles
  • isAddProfileEnabled
  • isAddProfileEnabledForDomain
  • isReadOnlyUserStore
  • removeAssociateID
  • setUserProfile
XMPPConfigurationService
  • addUserXmppSettings
  • editXmppSettings
  • getUserIM
  • getXmppSettings
  • hasXMPPSettings
  • isXMPPSettingsEnabled
/admin/manage IdentityApplicationManagementService
  • createApplication
  • deleteApplication
  • getAllApplicationBasicInfo
  • getAllIdentityProviders
  • getAllLocalAuthenticators
  • getAllLocalClaimUris
  • getAllRequestPathAuthenticators
  • getApplication
  • getIdentityProvider
  • updateApplication
IdentityProviderMgtService
  • addIdP
  • deleteIdP
  • getAllFederatedAuthenticators
  • getAllLocalClaimUris
  • getAllProvisioningConnectors
  • getEnabledAllIdPs
  • getIdPByName
  • getResidentIdP
  • updateIdP
  • updateResidentIdP
IdentitySAMLSSOConfigService
  • addRPServiceProvider
  • getCertAliasOfPrimaryKeyStore
  • getClaimURIs
  • getServiceProviders
  • removeServiceProvider
IdentitySTSAdminService
  • readCardIssuerConfiguration
  • updateCardIssueConfiguration
OAuth2TokenValidationService
  • findOAuthConsumerIfTokenIsValid
  • validate
OAuthAdminService
  • getAllOAuthApplicationData
  • getAllowedGrantTypes
  • getOAuthApplicationData
  • getOAuthApplicationDataByAppName
  • registerOAuthApplicationData
  • registerOAuthConsumer
  • removeOAuthApplicationData
  • updateConsumerApplication
ws­xacml
  • XACMLAuthzDecisionQuery
/admin/manage/modify/serviceProfilesAdminService
  • getUserProfile
  • putUserProfile
Super tenant level permissions
/protected/configure/componentsProvisioningAdminService
  • getAllInstalledFeatures
  • getInstalledFeatureInfo
  • getInstalledFeaturesWithProperty
  • getLicensingInformation
  • getProfileHistory
  • performProvisioningAction
  • removeAllConsoleFeatures
  • removeAllServerFeatures
  • reviewProvisioningAction
/protected/manage/modify/tenants TenantMgtAdminService
  • activateTenant
  • deactivateTenant
  • deleteTenant
  • updateTenant
/protected/manage/monitor/tenants TenantMgtAdminService
  • addSkeletonTenant
  • addTenant
  • getTenant
  • retrievePaginatedPartialSearchTenants
  • retrievePaginatedTenants
  • retrievePartialSearchTenants
  • retrieveTenants
/protected/tenant­admin RemoteTenantManagerService
  • activateTenant
  • addTenant
  • deactivateTenant
  • deleteTenant
  • getAllTenants
  • getDomain
  • getSuperTenantDomain
  • getTenant
  • getTenantId
  • isTenantActive
  • updateTenant
RemoteUserRealmService
  • getRealmConfiguration
Special cases: These operations require multiple permission levels

/admin/configure/security

/admin/manage/modify/service

DirectoryServerManager
  • addServer
  • changePassword
  • getPasswordConformanceRegularExpression
  • getServiceNameConformanceRegularExpression
  • isExistingServicePrinciple
  • isKDCEnabled
  • listServicePrinciples
  • removeServer
KeyStoreAdminService
  • getKeyStores

/admin/configure/security/rolemgt

/admin/manage/modify/service

UserAdmin
  • getAllRolesNames

/admin/configure/security/usermgt/users

/admin/configure/security/usermgt/passwords

/admin/configure/security/usermgt/profiles

UserAdmin
  • listAllUsers
  • listUsers