<!-- ORGID^^RealmAdmin: full administration of one realm.
     The resource pattern sms://*ORGSUFFIX/* covers every service configuration
     node under the realm suffix, and MODIFY, DELEGATE and READ are all allowed.
     Since DELEGATE is granted, members of the subject role can presumably pass
     these privileges on to other identities (confirm against the delegation
     service semantics); membership of the role should be reviewed accordingly.
     ORGID and ORGSUFFIX appear to be install-time template placeholders that are
     substituted when the policy is loaded - confirm with the installer. -->
<Policy name="ORGID^^RealmAdmin" referralPolicy="false" active="true" >
<Rule name="delegation-rule">
<ServiceName name="sunAMDelegationService" />
<ResourceName name="sms://*ORGSUFFIX/*" />
<AttributeValuePair>
<Attribute name="MODIFY" />
<Value>allow</Value>
</AttributeValuePair>
<AttributeValuePair>
<Attribute name="DELEGATE" />
<Value>allow</Value>
</AttributeValuePair>
<AttributeValuePair>
<Attribute name="READ" />
<Value>allow</Value>
</AttributeValuePair>
</Rule>
<!-- Subject: the realm's Top-level Admin Role (inclusive AMIdentitySubject);
     the Value holds both the id= form and the amsdkdn= form of the role DN. -->
<Subjects name="Subjects" description="">
<Subject name="delegation-subject" type="AMIdentitySubject" includeType="inclusive">
<AttributeValuePair>
<Attribute name="Values"/>
<Value>id=Top-level Admin Role,ou=role,ORGSUFFIX,amsdkdn=cn=Top-level Admin Role,ORGSUFFIX</Value>
</AttributeValuePair>
</Subject>
</Subjects>
</Policy>
<!-- ORGID^^PolicyAdmin: administration of the realm's policy services only.
     The resource pattern sms://*ORGSUFFIX/iPlanetAMPolicy*Service/* matches any
     service under the realm suffix whose name starts with "iPlanetAMPolicy" and
     ends with "Service" (the inner * is a wildcard, so it is broader than a
     single service name). MODIFY, DELEGATE and READ are all allowed, so members
     can presumably re-delegate these privileges - confirm. -->
<Policy name="ORGID^^PolicyAdmin" referralPolicy="false" active="true" >
<Rule name="delegation-rule">
<ServiceName name="sunAMDelegationService" />
<ResourceName name="sms://*ORGSUFFIX/iPlanetAMPolicy*Service/*" />
<AttributeValuePair>
<Attribute name="MODIFY" />
<Value>allow</Value>
</AttributeValuePair>
<AttributeValuePair>
<Attribute name="DELEGATE" />
<Value>allow</Value>
</AttributeValuePair>
<AttributeValuePair>
<Attribute name="READ" />
<Value>allow</Value>
</AttributeValuePair>
</Rule>
<!-- Subject: the realm's Top-level Policy Admin Role (inclusive AMIdentitySubject). -->
<Subjects name="Subjects" description="">
<Subject name="delegation-subject" type="AMIdentitySubject" includeType="inclusive">
<AttributeValuePair>
<Attribute name="Values"/>
<Value>id=Top-level Policy Admin Role,ou=role,ORGSUFFIX,amsdkdn=cn=Top-level Policy Admin Role,ORGSUFFIX</Value>
</AttributeValuePair>
</Subject>
</Subjects>
</Policy>
<!-- ORGID^^RealmReadOnly: READ only on the realm service configuration
     (sms://*ORGSUFFIX/sunAMRealmService/*). No MODIFY or DELEGATE is granted.
     Note that the subject is the Top-level Policy Admin Role, not a dedicated
     read-only role: the policy name describes the privilege, not the holder. -->
<Policy name="ORGID^^RealmReadOnly" referralPolicy="false" active="true" >
<Rule name="delegation-rule">
<ServiceName name="sunAMDelegationService" />
<ResourceName name="sms://*ORGSUFFIX/sunAMRealmService/*" />
<AttributeValuePair>
<Attribute name="READ" />
<Value>allow</Value>
</AttributeValuePair>
</Rule>
<Subjects name="Subjects" description="">
<Subject name="delegation-subject" type="AMIdentitySubject" includeType="inclusive">
<AttributeValuePair>
<Attribute name="Values"/>
<Value>id=Top-level Policy Admin Role,ou=role,ORGSUFFIX,amsdkdn=cn=Top-level Policy Admin Role,ORGSUFFIX</Value>
</AttributeValuePair>
</Subject>
</Subjects>
</Policy>
<!-- ORGID^^DatastoresReadOnly: READ only on the identity repository (data store)
     configuration, sms://*ORGSUFFIX/sunIdentityRepositoryService/*.
     As with RealmReadOnly, the subject is the Top-level Policy Admin Role;
     no MODIFY or DELEGATE is granted here. -->
<Policy name="ORGID^^DatastoresReadOnly" referralPolicy="false" active="true" >
<Rule name="delegation-rule">
<ServiceName name="sunAMDelegationService" />
<ResourceName name="sms://*ORGSUFFIX/sunIdentityRepositoryService/*" />
<AttributeValuePair>
<Attribute name="READ" />
<Value>allow</Value>
</AttributeValuePair>
</Rule>
<Subjects name="Subjects" description="">
<Subject name="delegation-subject" type="AMIdentitySubject" includeType="inclusive">
<AttributeValuePair>
<Attribute name="Values"/>
<Value>id=Top-level Policy Admin Role,ou=role,ORGSUFFIX,amsdkdn=cn=Top-level Policy Admin Role,ORGSUFFIX</Value>
</AttributeValuePair>
</Subject>
</Subjects>
</Policy>
<!-- Delegation policy allowing all authenticated users to read the global configuration of the DAI, Admin Console and IdRepo services -->
<Policy name="AllUserReadableServices" referralPolicy="false" active="true" >
    <!-- Three READ-only rules, one per service. Unlike the realm policies above
         (sms://*ORGSUFFIX/...), these resources are anchored at ROOT_SUFFIX with
         no leading wildcard and point at the 1.0/globalConfig subtree only,
         so realm-level (application) configuration is not covered here.
         ROOT_SUFFIX appears to be an install-time placeholder - confirm. -->
    <Rule name="delegation-rule1">
        <ServiceName name="sunAMDelegationService" />
        <ResourceName name="sms://ROOT_SUFFIX/sunIdentityRepositoryService/1.0/globalConfig/*" />
        <AttributeValuePair>
            <Attribute name="READ" />
            <Value>allow</Value>
        </AttributeValuePair>
    </Rule>
    <Rule name="delegation-rule2">
        <ServiceName name="sunAMDelegationService" />
        <ResourceName name="sms://ROOT_SUFFIX/DAI/1.0/globalConfig/*" />
        <AttributeValuePair>
            <Attribute name="READ" />
            <Value>allow</Value>
        </AttributeValuePair>
    </Rule>
    <Rule name="delegation-rule3">
        <ServiceName name="sunAMDelegationService" />
        <ResourceName name="sms://ROOT_SUFFIX/iPlanetAMAdminConsoleService/1.0/globalConfig/*" />
        <AttributeValuePair>
            <Attribute name="READ" />
            <Value>allow</Value>
        </AttributeValuePair>
    </Rule>
    <!-- Subject type AuthenticatedUsers: any authenticated identity, with no
         further role or attribute restriction and no Conditions element. -->
    <Subjects name="Subjects" description="">
        <Subject name="delegation-subject" type="AuthenticatedUsers" includeType="inclusive">
        </Subject>
    </Subjects>
</Policy>
<!-- Delegation policy allowing users to read their own attributes -->
<Policy name="SelfReadAttributes" referralPolicy="false" active="true" >
    <!-- READ on the identity repository application configuration under any
         suffix matching *ROOT_SUFFIX (leading wildcard, unlike the globalConfig
         rules in AllUserReadableServices). -->
    <Rule name="user-read-rule">
        <ServiceName name="sunAMDelegationService" />
        <ResourceName name="sms://*ROOT_SUFFIX/sunIdentityRepositoryService/1.0/application/*" />
        <AttributeValuePair>
            <Attribute name="READ" />
            <Value>allow</Value>
        </AttributeValuePair>
    </Rule>
    <Subjects name="Subjects" description="">
        <Subject name="delegation-subject" type="AuthenticatedUsers" includeType="inclusive">
        </Subject>
    </Subjects>
    <!-- The UserSelfCheckCondition type name suggests the grant is limited to
         the requesting user's own entry - confirm against the condition
         implementation. The attribute list is the single wildcard "*", so this
         policy itself places no restriction on which attributes are readable;
         NOTE(review): confirm that sensitive attributes (e.g. userpassword,
         listed in the write policy below) are withheld by another layer. -->
    <Conditions name="AttrCondition" description="">
        <Condition name="condition" type="UserSelfCheckCondition">
            <AttributeValuePair>
                <Attribute name="attributes"/>
                <Value>*</Value>
            </AttributeValuePair>
        </Condition>
    </Conditions>
</Policy>
<!-- Delegation policy allowing users to write selected attributes of their own entry -->
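<Policy name="SelfWriteAttributes" referralPolicy="false" active="true" >
    <!-- MODIFY on the identity repository application configuration under any
         suffix matching *ROOT_SUFFIX; same resource as SelfReadAttributes.
         The rule was named "user-read-rule" (copied from the read policy) even
         though it grants MODIFY; it is renamed here so the name matches the
         privilege. Rule names are local to this Policy element. -->
    <Rule name="user-write-rule">
        <ServiceName name="sunAMDelegationService" />
        <ResourceName name="sms://*ROOT_SUFFIX/sunIdentityRepositoryService/1.0/application/*" />
        <AttributeValuePair>
            <Attribute name="MODIFY" />
            <Value>allow</Value>
        </AttributeValuePair>
    </Rule>
    <Subjects name="Subjects" description="">
        <Subject name="delegation-subject" type="AuthenticatedUsers" includeType="inclusive">
        </Subject>
    </Subjects>
    <!-- Unlike the read policy, the UserSelfCheckCondition here enumerates the
         attributes a user may write on (presumably) their own entry instead of
         using "*". NOTE(review): the list includes userpassword and all three
         password-reset attributes, including the force-reset flag; a user able
         to write that flag can change their own forced-reset state, so confirm
         this is intended and that the reset flow does not rely on it being
         admin-only. -->
    <Conditions name="AttrCondition" description="">
        <Condition name="condition" type="UserSelfCheckCondition">
            <AttributeValuePair>
                <Attribute name="attributes"/>
                <Value>givenname</Value>
                <Value>sn</Value>
                <Value>cn</Value>
                <Value>userpassword</Value>
                <Value>mail</Value>
                <Value>telephonenumber</Value>
                <Value>postaladdress</Value>
                <Value>preferredlocale</Value>
                <Value>iplanet-am-user-password-reset-options</Value>
                <Value>iplanet-am-user-password-reset-question-answer</Value>
                <Value>iplanet-am-user-password-reset-force-reset</Value>
                <Value>description</Value>
                <Value>sunIdentityServerDeviceKeyValue</Value>
                <Value>sunIdentityServerDeviceStatus</Value>
            </AttributeValuePair>
        </Condition>
    </Conditions>
</Policy>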
