Admin User Unable to Add Himself to Role (Doc ID 2167488.1)

Last updated on NOVEMBER 02, 2016

Applies to:

Identity Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

User manager001 belongs to an admin role AdminRole001 with capabilities:

- Grant Role Memberships
- Revoke Role Memberships
- Role Modify
- Role View/Search

The user is able to add users to the role but is unable to add himself/herself to the role.

If the user tries to add himself/herself to the role, the following exception is thrown:

[2016-05-25T13:18:51.731-06:00] [WLS_OIM1] [ERROR] [] [oracle.iam.identity.rolemgmt.utils] [tid: [ACTIVE].ExecuteThread: '7' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: manager001] [ecid:1de68f20db7a8430:-7895ee13:154e88e204f:-8000-0000000000000c97,0]
[APP: oim#11.1.2.0.0] [DSID: 0000LJdMDkO5Mef_TX0Fyc1NHSOh00000Z] The operation on Role entity failed in the post-processing stage.[[oracle.iam.platform.kernel.ValidationFailedException: IAM-3056217:Role was updated successfully, but not all memberships were updated: An exception occurred while granting role AdminRole001 to users [manager001]:
oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 7 does not have addRoleMemberships permission on Role AdminRole001 entity.:7:addRoleMemberships:Role:AdminRole001 :
An exception occurred while granting role AdminRole001 to users [manager001]: oracle.iam.identity.exception.AccessDeniedException:
IAM-3054101:The logged-in user 7 does not have addRoleMemberships permission on Role AdminRole001 entity.:7:addRoleMemberships:Role:AdminRole001
at oracle.iam.identity.utils.Utils.createValidationFailedException(Utils.java:1091)
at oracle.iam.identity.utils.Utils.createValidationFailedException(Utils.java:1074)
at oracle.iam.identity.rolemgmt.utils.RoleManagerUtils.createValidationFailedException(RoleManagerUtils.java:3245)
at oracle.iam.identity.rolemgmt.utils.RoleManagerUtils.createValidationFailedException(RoleManagerUtils.java:3259)
at oracle.iam.identity.rolemgmt.impl.handlers.role.RolePostProcessActionHandler.execute(RolePostProcessActionHandler.java:319)
at oracle.iam.platform.kernel.impl.OIMEvent.executeHandlers(OIMEvent.java:224)

Note: The capabilities Grant Role Memberships and Revoke Role Memberships are provided by fix 22664253.
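For log triage, the IAM-3054101 denial shown above can be extracted from the OIM diagnostic log and checked for the case where the acting user is in the grantee list. The following Python is an added example, not Oracle code: the function name find_denied_grants and the record keys are assumptions, and the sample log is constructed (the first entry is shortened from the one above; helpdesk002, user100 and user101 are invented).

```python
import re

# Field patterns taken from the log entry shown above.
USER_ID = re.compile(r"\[userId: ([^\]]+)\]")
GRANT = re.compile(r"granting role (\S+) to users \[([^\]]*)\]")
DENIED = re.compile(r"IAM-3054101:The logged-in user (\S+) does not have "
                    r"(\w+) permission on Role (\S+) entity")

def find_denied_grants(log_text):
    """Return one record per IAM-3054101 denial raised while granting a role."""
    findings = []
    # An entry starts at a line beginning with "[YYYY-MM-DDT"; continuation
    # lines (exception text, stack frames) belong to the preceding entry.
    for entry in re.split(r"\n(?=\[\d{4}-\d{2}-\d{2}T)", log_text):
        denied, grant = DENIED.search(entry), GRANT.search(entry)
        if not (denied and grant):
            continue
        user = USER_ID.search(entry)
        actor = user.group(1) if user else None
        grantees = [g.strip() for g in grant.group(2).split(",") if g.strip()]
        findings.append({
            "timestamp": entry.split("]", 1)[0].lstrip("["),
            "actor": actor,                   # login from the [userId: ...] field
            "message_user": denied.group(1),  # identifier printed in the message
            "permission": denied.group(2),
            "role": grant.group(1),
            "grantees": grantees,
            # Compare logins: the grantee list holds logins, not message_user.
            "self_grant": actor in grantees,
        })
    return findings

# Constructed sample: entry 1 is shortened from the log above; entries 2 and 3
# are invented for contrast (a denial for other users, an unrelated line).
SAMPLE_LOG = """\
[2016-05-25T13:18:51.731-06:00] [WLS_OIM1] [ERROR] [] [oracle.iam.identity.rolemgmt.utils] [userId: manager001] The operation on Role entity failed in the post-processing stage.
An exception occurred while granting role AdminRole001 to users [manager001]:
oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 7 does not have addRoleMemberships permission on Role AdminRole001 entity.
[2016-05-25T13:20:02.100-06:00] [WLS_OIM1] [ERROR] [] [oracle.iam.identity.rolemgmt.utils] [userId: helpdesk002] The operation on Role entity failed in the post-processing stage.
An exception occurred while granting role AdminRole001 to users [user100, user101]:
oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 12 does not have addRoleMemberships permission on Role AdminRole001 entity.
[2016-05-25T13:21:10.000-06:00] [WLS_OIM1] [NOTIFICATION] [] [oracle.iam.example] [userId: manager001] Unrelated constructed entry.
"""

if __name__ == "__main__":
    for finding in find_denied_grants(SAMPLE_LOG):
        print(finding)
```
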

Cause
