
User With Custom Admin Role That Has Grant + Revoke Role Membership Capabilities Can Not Assign/Remove Any Role (Doc ID 2150206.1)

Last updated on APRIL 08, 2018

Applies to:

Identity Manager - Version and later
Information in this document applies to any platform.


A user who has a custom admin role with the following capabilities is unable to add himself to a role over which the user has admin privileges.

Grant Role Memberships
Revoke Role Memberships
Role - Modify
Role - View / Search
User - View / Search
User - View Requests

This issue is observed when the direct workflow (NO_WORKFLOW) is used instead of the request-based workflow.

For example, a user "User1" has been granted a custom admin role called "RoleMembershipAdmin" for the XYZ organization, and a regular role called "support" has been published to that organization. When User1 tries to add the "support" role to himself (Manage --> Roles --> Select Role --> Add), the operation fails with the following error:

[2016-05-23T10:23:07.231-04:00] [oim_server1] [ERROR] [] [oracle.iam.identity.rolemgmt.utils] [tid: [...] An exception occurred while granting role support to users [User1]: oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 36001 does not have addRoleMemberships permission on Role support entity.:36001:addRoleMemberships:Role:support
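As an added example (not part of the Oracle note), the following Python parser reads OIM diagnostic log lines in the bracketed ODL format shown above, pulls the user id, permission, and entity out of the colon-separated IAM-3054101 trailer, and tallies denials per user and permission so an administrator can see which admin-role holders are hitting this under direct workflow. The sample lines are constructed for the example and the thread ids in them are assumptions.

```python
import re
from collections import Counter

# Bracketed ODL prefix that OIM writes, followed by the free-text message.
ODL_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]+)\] \[(?P<level>[^\]]+)\] "
    r"\[[^\]]*\] \[(?P<logger>[^\]]+)\] \[tid: [^\]]*\] (?P<msg>.*)$"
)
# The AccessDeniedException message ends in a colon-separated trailer:
# <code>:<text>:<userId>:<permission>:<entityType>:<entityName>
DENIED = re.compile(
    r"AccessDeniedException: (?P<code>IAM-\d+):(?P<text>.*?):"
    r"(?P<user_id>\d+):(?P<perm>\w+):(?P<etype>\w+):(?P<ename>\S+)$"
)

# Constructed sample log: the article's error line (tid assumed), one
# unrelated NOTIFICATION line, and a second denial for the same user.
SAMPLE_LOG = """\
[2016-05-23T10:23:07.231-04:00] [oim_server1] [ERROR] [] [oracle.iam.identity.rolemgmt.utils] [tid: 12] An exception occurred while granting role support to users [User1]: oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 36001 does not have addRoleMemberships permission on Role support entity.:36001:addRoleMemberships:Role:support
[2016-05-23T10:24:11.004-04:00] [oim_server1] [NOTIFICATION] [] [oracle.iam.identity.rolemgmt.utils] [tid: 13] Role grant completed for users [User2]
[2016-05-23T10:31:52.118-04:00] [oim_server1] [ERROR] [] [oracle.iam.identity.rolemgmt.utils] [tid: 14] An exception occurred while granting role support to users [User1]: oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 36001 does not have addRoleMemberships permission on Role support entity.:36001:addRoleMemberships:Role:support
"""

def parse_access_denied(line):
    """Return the structured fields of one access-denied ERROR line, or None."""
    m = ODL_LINE.match(line.rstrip("\n"))
    if not m or m.group("level") != "ERROR":
        return None
    d = DENIED.search(m.group("msg"))
    if not d:
        return None
    return {
        "timestamp": m.group("ts"), "server": m.group("server"),
        "logger": m.group("logger"), "error_code": d.group("code"),
        "user_id": d.group("user_id"), "permission": d.group("perm"),
        "entity_type": d.group("etype"), "entity_name": d.group("ename"),
    }

def summarize_denials(log_text):
    """Count denials per (user, permission, entity type, entity name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_access_denied(line)
        if rec:
            counts[(rec["user_id"], rec["permission"],
                    rec["entity_type"], rec["entity_name"])] += 1
    return counts
```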

