User - Modify capability including implicit capabilities to Revoke and Remove roles

(Doc ID 2318995.1)

Last updated on MARCH 06, 2018

Applies to:

Identity Manager - Version and later
Information in this document applies to any platform.


In OIM + one off 24442680 or BP including this fix (since OIM if an admin user has a custom admin role with capability User - Modify, the admin user can submit requests to revoke or request roles for the users.

For example, user adminuser is a member of the admin role CustomAdminRole, which provides the capability User - Modify with scope Org1.



With the above custom admin role, admin user adminuser can submit a request to revoke or request a role for user1 while having only the capability User - Modify.



This behavior is not correct, as the capability User - Modify should not implicitly allow us to request or revoke a role.

