
User - Modify Capability Allowing One to Submit Grant Or Remove Roles Request From Another User (Doc ID 2318995.1)

Last updated on MAY 14, 2019

Applies to:

Identity Manager - Version 11.1.2.3.0 to 11.1.2.3.171017 [Release 11g]
Information in this document applies to any platform.

Symptoms

In OIM 11.1.2.3.x with the one-off patch for <Bug 24442680>, or on a Bundle Patch that includes the <Bug 24442680> fix such as OIM 11.1.2.3.170117, an admin user who has a custom admin role with the capability User - Modify can submit requests to revoke or request roles for the users.

For example, a user <USERID> is a member of the admin role CustomAdminRole, which provides the capability User - Modify scoped to an OIM organization: <ORG>

With the above custom admin role, the user can submit a request to revoke or request a role for another user, <END_USER>, while holding only the capability User - Modify.

Why is capability User - Modify allowing the user to create a request to grant or revoke a role for another user?

Cause
