User With Custom Admin Role That Has Grant + Revoke Role Membership Capabilities Can Not Assign/Remove Any Role
Last updated on NOVEMBER 07, 2016
Applies to: Identity Manager - Version 126.96.36.199.4 and later
Information in this document applies to any platform.
A user who has a custom admin role with the following capabilities is unable to add himself to a role over which the user has admin privileges.
Grant Role Memberships
Revoke Role Memberships
Role - Modify
Role - View / Search
User - View / Search
User - View Requests
This issue is seen when the direct workflow (NO_WORKFLOW) is used instead of the request-based workflow.
For example, consider a user "User1" who has been granted a custom admin role called "RoleMembershipAdmin" for the XYZ organization. A regular role called "support" has been published to that organization. When User1 tries to add the "support" role to himself (Manage --> Roles --> Select Role --> Add), the operation fails with the following error:
[2016-05-23T10:23:07.231-04:00] [oim_server1] [ERROR]  [oracle.iam.identity.rolemgmt.utils] [tid: [...] An exception occurred while granting role support to users [User1]: oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 36001 does not have addRoleMemberships permission on Role support entity.:36001:addRoleMemberships:Role:support
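When triaging this symptom it helps to pull the structured detail out of the IAM-3054101 message rather than reading server logs by hand: OIM appends the user key, the denied permission, the entity type and the entity name as colon-separated fields at the end of the line, which is enough to tell which admin role assignment to check. The following parser is an added example and not part of this article or of Oracle's own tooling; the first sample line is the error shown above, the second and third lines are constructed for illustration, and the field layout is assumed from that single message rather than from any published log specification.

```python
import re
from collections import Counter

# Pattern for the IAM-3054101 access-denied message shown in the article. OIM
# appends the structured detail as colon-separated fields after the text:
#   :<user key>:<permission>:<entity type>:<entity name>
# (field layout assumed from the one message on the page)
ACCESS_DENIED_RE = re.compile(
    r"AccessDeniedException:\s*IAM-3054101:[^\n]*?:"
    r"(?P<user_key>\d+):(?P<permission>[A-Za-z]+):"
    r"(?P<entity_type>[A-Za-z]+):(?P<entity_name>.+?)\s*$"
)

# Leading bracketed fields of an OIM diagnostic log line: timestamp, server, level.
HEADER_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+\[(?P<server>[^\]]+)\]\s+\[(?P<level>[^\]]+)\]"
)

# Constructed sample input. Line 0 is the error from the article; lines 1 and 2
# are made up for this example (a second denial and an unrelated message).
SAMPLE_LOG_LINES = [
    "[2016-05-23T10:23:07.231-04:00] [oim_server1] [ERROR]  "
    "[oracle.iam.identity.rolemgmt.utils] [tid: [...] An exception occurred while "
    "granting role support to users [User1]: "
    "oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in "
    "user 36001 does not have addRoleMemberships permission on Role support entity."
    ":36001:addRoleMemberships:Role:support",
    "[2016-05-23T10:25:41.002-04:00] [oim_server1] [ERROR]  "
    "[oracle.iam.identity.rolemgmt.utils] [tid: [...] An exception occurred while "
    "granting role helpdesk to users [User2]: "
    "oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in "
    "user 36001 does not have addRoleMemberships permission on Role helpdesk entity."
    ":36001:addRoleMemberships:Role:helpdesk",
    "[2016-05-23T10:26:00.000-04:00] [oim_server1] [NOTIFICATION]  "
    "[oracle.iam.identity.rolemgmt.utils] [tid: [...] Role support granted to users [User3]",
]


def parse_access_denied(line):
    """Return a dict describing an IAM-3054101 denial, or None for any other line."""
    m = ACCESS_DENIED_RE.search(line)
    if not m:
        return None
    record = m.groupdict()
    header = HEADER_RE.match(line)
    # Header fields are optional: a line copied without its prefix still parses.
    record["timestamp"] = header.group("timestamp") if header else None
    record["server"] = header.group("server") if header else None
    record["level"] = header.group("level") if header else None
    return record


def summarize_denials(lines):
    """Count denials by (user key, permission, entity type, entity name).

    Repeated entries for the same user key and permission point at a missing
    capability on the admin role granted to that user, rather than at a
    one-off mistake by the user.
    """
    counts = Counter()
    for line in lines:
        rec = parse_access_denied(line)
        if rec is not None:
            key = (rec["user_key"], rec["permission"], rec["entity_type"], rec["entity_name"])
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG_LINES).items():
        user_key, permission, entity_type, entity_name = key
        print(f"user {user_key} denied {permission} on {entity_type} {entity_name}: {n}x")
```

Run against a real diagnostic log by replacing SAMPLE_LOG_LINES with the file's lines; the user key printed is the numeric OIM key from the message (36001 in the article), not the login name, so it must be resolved through the user search before checking which admin role and organization scope that user actually holds.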