User - Modify capability including implicit capabilities to Revoke and Remove roles

(Doc ID 2318995.1)

Last updated on MARCH 06, 2018

Applies to:

Identity Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

In OIM 11.1.2.3.x with one-off patch 24442680 applied, or with a BP that includes this fix (since OIM 11.1.2.3.170117), an admin user whose custom admin role has the capability User - Modify can submit requests to revoke or request roles for users.

For example, user adminuser is a member of the admin role CustomAdminRole, which provides the capability User - Modify with scope Org1.

With the above custom admin role, admin user adminuser can submit a request to revoke or request a role for user1 while having only the capability User - Modify.

This behavior is not correct, as the capability User - Modify should not implicitly allow us to request or revoke a role.

Cause
