You can modify the permissions assigned to an administrative role. The permissions determine what actions an administrator can perform on users, user groups, security domains, and so on.
Follow these guidelines:
- Carefully consider which privileges an administrator assigned to the role really needs. Avoid granting unnecessary privileges.
- For an administrator to perform administrative actions on an object, the role must have View permission on that object. For example, to allow an administrative role to reset user passwords, the role must have permission to view user records.
- An administrator who assigns administrative roles must have a role that gives permission to assign roles and view user records.
- An administrator who assigns users to user groups must have a role that gives permission to assign users to user groups and view user records.
- If the scope of the administrative role does not include the top-level security domain, you cannot grant permission to manage the following system-level objects: identity attribute definitions, policies, Console display options, and software token profiles. Only a super admin can manage software token profiles.
- You can only assign and add administrative roles whose permissions are equal to or fewer than those of your own administrative role. You cannot edit the Super Admin role.
1. In the Security Console, click Administration > Administrative Roles > Manage Existing.
2. Click the administrative role that you want to edit, and click Edit.
3. Specify which permissions you want the administrative role to have.
4. In the General Permissions tab, under Manage Users, in the User Attribute Restriction field, do the following according to the restrictions that you want to apply to this role:
   - To allow the administrator to manage attribute categories, select May manage attribute categories.
   - To allow the administrator to access only specific attributes, select May only access specific attributes. From the Attribute drop-down list, select View, Modify, or None according to the permission that you want to grant the administrator.
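The guidelines above can be checked against a planned role definition before you edit the role in the console. The following Python sketch is an added example, not product code or a product API: the role model, the action and object names, the TOP_LEVEL placeholder, and the reading of "equal or fewer permissions" as a subset test are all assumptions.

```python
from dataclasses import dataclass

# Assumed names: an illustrative model, not the product's schema.
TOP_LEVEL = "top-level-domain"   # placeholder for the top-level security domain
SYSTEM_OBJECTS = {"identity_attribute_definitions", "policies",
                  "console_display_options", "software_token_profiles"}

@dataclass(frozen=True)
class Role:
    name: str
    scope: frozenset             # security domains the role covers
    perms: frozenset             # (action, object) pairs
    super_admin: bool = False

def lint_role(role):
    """Return the guideline violations found in one role definition."""
    findings = []
    viewable = {obj for action, obj in role.perms if action == "view"}
    for action, obj in sorted(role.perms):
        # Any action on an object needs View on that same object.
        if action != "view" and obj not in viewable:
            findings.append(f"{action} on {obj} lacks view on {obj}")
        # Managing system-level objects needs top-level scope.
        if obj in SYSTEM_OBJECTS and action != "view":
            if TOP_LEVEL not in role.scope:
                findings.append(f"{obj} needs top-level scope")
            if obj == "software_token_profiles" and not role.super_admin:
                findings.append("software_token_profiles is super admin only")
    return findings

def can_assign(assigner, target):
    """True if assigner may hand out target (subset rule is an assumption)."""
    needed = {("assign_role", "users"), ("view", "users")}
    return needed <= assigner.perms and target.perms <= assigner.perms

# Constructed sample roles.
HELPDESK = Role("helpdesk", frozenset({"emea"}),
                frozenset({("view", "users"), ("reset_password", "users")}))
BROKEN = Role("broken", frozenset({"emea"}),
              frozenset({("reset_password", "users"), ("manage", "policies")}))
DELEGATOR = Role("delegator", frozenset({"emea"}),
                 frozenset({("view", "users"), ("assign_role", "users"),
                            ("reset_password", "users")}))

if __name__ == "__main__":
    for r in (HELPDESK, BROKEN, DELEGATOR):
        print(r.name, lint_role(r) or "ok")
    print("delegator -> helpdesk:", can_assign(DELEGATOR, HELPDESK))
```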