I guess you can try something like:
Create a parent role, let's say Container Role, and then create child roles Role1, Role2 and Role3.
In your authorization policy, you can assign Container Role instead of child role.
I did this, and added the parent role to my authorization policy.
If I want to assign a role, only the parent role is displayed. I cannot see the child roles.
That's true. What's the requirement? Do you need to see the child roles too?
Yes, I must see every child role.
Or is it possible to create a policy to search for/assign all roles except SYS ADMIN (blacklisting)?
I want to prevent someone from assigning the SYS ADMIN right to himself.
Edited by: 960944 on Apr 9, 2013 5:34 AM
Yes, you can do that using authorization policy.
Create a Role called 'X'
Create an Authorization Policy of the Role Management entity type called 'X Role Authz Policy' and, under the Permissions tab:
Grant Modify Role Membership, Search for Role, View Role Detail and View Role Membership
Under Data Constraints: add all the roles that a user can self-assign, except the SYS ADMIN role.
Under Assignment: add Role 'X'
Save and apply to test it.
You can have a look at the default Role Management All Users Policy for reference.
I know, but the problem is that if a new role is created by another user, this role isn't in the authorization policy.
I have two administrators who assign specified roles to users (except SYS ADM).
If I create an authorization policy and add all the roles I need to the data constraints, there is no problem.
But if UserA creates a new role, UserA can see and assign this role, but UserB cannot, because the new role isn't in the authorization policy, although both users have the same permissions.
I know, and I am having the same issue. If you want to dynamically update the authz policy with the role, you can create an event handler that is triggered whenever you create a role of a specific category or belonging to a specific owner, and have it update your authorization policy. For the authorization policy, try using the PolicyDefinitionService class.
Having said that, I found a note from Oracle:
Please don't use the Authz APIs, as updating authorization policies via the APIs is currently not supported.