User With Custom Admin Role That Has Grant + Revoke Role Membership Capabilities Cannot Assign/Remove Any Role (Doc ID 2150206.1)

Last updated on NOVEMBER 07, 2016

Applies to:

Identity Manager - Version 11.1.2.3.4 and later
Information in this document applies to any platform.

Symptoms

A user who holds a custom admin role with the following capabilities cannot add himself to a role over which that admin role gives him administrative privileges.

Grant Role Memberships
Revoke Role Memberships
Role - Modify
Role - View / Search
User - View / Search
User - View Requests

The issue occurs when the direct (NO_WORKFLOW) path is used rather than the request-based workflow.

For example, user "User1" has been granted a custom admin role called "RoleMembershipAdmin" scoped to the XYZ organization, and a regular role called "support" has been published to that organization. When User1 tries to add the "support" role to himself (Manage --> Roles --> Select Role --> Add), the operation fails with the following error:

[2016-05-23T10:23:07.231-04:00] [oim_server1] [ERROR] [] [oracle.iam.identity.rolemgmt.utils] [tid: [...] An exception occurred while granting role support to users [User1]: oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 36001 does not have addRoleMemberships permission on Role support entity.:36001:addRoleMemberships:Role:support
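The trailing fields of the IAM-3054101 message (user key, permission, entity type, entity name) make this failure mechanical to pick out of the OIM diagnostic log, which is useful both for confirming the admin-role gap and for telling it apart from a user probing many roles. The Python below is an added example, not Oracle's code or part of this note: it splits the bracketed ODL header fields (which nest, as in the tid field), parses the exception suffix into a record, and counts denials per user, permission and entity. The sample log lines are constructed to match the format of the line quoted above; the thread, userId, ecid and APP fields and their positions are assumptions, as is the ":userKey:permission:entityType:entityName" suffix layout inferred from that one line.

```python
"""Triage helper for OIM IAM-3054101 AccessDeniedException log lines.

Added example, not Oracle's code. It assumes the ODL line layout seen in
the symptom (bracketed header fields, then free-text message) and the
":userKey:permission:entityType:entityName" suffix of the message.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Exception text as quoted in the symptom; the four colon-separated
# trailing fields are what we extract. Assumed layout from that one line.
ACCESS_DENIED = re.compile(
    r"oracle\.iam\.identity\.exception\.AccessDeniedException:\s*"
    r"(?P<code>IAM-\d+):(?P<text>[^:]*):"
    r"(?P<user_key>\d+):(?P<permission>\w+):(?P<entity_type>\w+):(?P<entity_name>[^\s:]+)"
)
# Who the caller tried to grant the role to (the "[User1]" in the message).
GRANT_CONTEXT = re.compile(r"granting role (?P<role>\S+) to users \[(?P<users>[^\]]*)\]")


@dataclass
class AccessDenied:
    timestamp: str
    server: str
    level: str
    component: str
    user_key: str            # numeric key of the logged-in user (36001 above)
    permission: str          # e.g. addRoleMemberships
    entity_type: str         # e.g. Role
    entity_name: str         # e.g. support
    target_users: List[str]  # logins the caller tried to grant to, if logged


def split_odl_fields(line: str) -> Tuple[List[str], str]:
    """Return the leading [..] header fields and the remaining message.
    A depth counter is used because the tid field itself contains
    brackets ("[tid: [ACTIVE].ExecuteThread: ...]"), which defeats a
    flat regex."""
    fields: List[str] = []
    i, n = 0, len(line)
    while i < n and line[i] == "[":
        depth, j = 0, i
        while j < n:
            if line[j] == "[":
                depth += 1
            elif line[j] == "]":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if depth != 0:
            break  # unbalanced bracket: treat the rest as message text
        fields.append(line[i + 1:j])
        i = j + 1
        while i < n and line[i] == " ":
            i += 1
    return fields, line[i:]


def parse_access_denied(line: str) -> Optional[AccessDenied]:
    """Parse one log line; None if it is not an IAM-3054101 denial."""
    fields, message = split_odl_fields(line)
    m = ACCESS_DENIED.search(message)
    if m is None or len(fields) < 5:
        return None
    ctx = GRANT_CONTEXT.search(message)
    targets = [u.strip() for u in ctx.group("users").split(",")] if ctx else []
    return AccessDenied(
        timestamp=fields[0], server=fields[1], level=fields[2], component=fields[4],
        user_key=m.group("user_key"), permission=m.group("permission"),
        entity_type=m.group("entity_type"), entity_name=m.group("entity_name"),
        target_users=targets,
    )


def denial_counts(lines: List[str]) -> Counter:
    """Count denials per (user_key, permission, entity_type, entity_name).
    One user repeatedly denied the same permission on the same entity is
    the signature of the admin-role gap in this note; one user denied on
    many distinct entities is worth a closer look as role enumeration."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_access_denied(line)
        if rec is not None:
            counts[(rec.user_key, rec.permission, rec.entity_type, rec.entity_name)] += 1
    return counts


# Constructed sample lines in the format of the symptom; thread, userId,
# ecid and APP values are made up for the example.
_HDR = ("[tid: [ACTIVE].ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'] "
        "[userId: User1] [ecid: 0000L0example,0] [APP: oim#11.1.2.0.0] ")
_MSG = ("An exception occurred while granting role support to users [User1]: "
        "oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 36001 "
        "does not have addRoleMemberships permission on Role support entity.:36001:addRoleMemberships:Role:support")
SAMPLE_LOG = [
    "[2016-05-23T10:23:07.231-04:00] [oim_server1] [ERROR] [] [oracle.iam.identity.rolemgmt.utils] " + _HDR + _MSG,
    "[2016-05-23T10:24:11.004-04:00] [oim_server1] [ERROR] [] [oracle.iam.identity.rolemgmt.utils] " + _HDR + _MSG,
    "[2016-05-23T10:24:12.117-04:00] [oim_server1] [NOTIFICATION] [] [oracle.iam.identity.rolemgmt.utils] "
    + _HDR + "Role support published to organization XYZ",
]

if __name__ == "__main__":
    for key, count in denial_counts(SAMPLE_LOG).items():
        print(f"user {key[0]} denied {key[1]} on {key[2]} {key[3]}: {count} time(s)")
```

Run against a real diagnostic log, the header-field positions may differ by OIM build, so check the first few lines before trusting the column indexes used in parse_access_denied.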

Cause
