The composite built-in roles and their functions are:
GH_SA: The Oracle Grid Infrastructure user on a Rapid Home Provisioning Server automatically inherits this role.
The GH_SA role includes the following basic built-in roles: GH_ROLE_ADMIN, GH_SITE_ADMIN, GH_SERIES_ADMIN, GH_SERIES_CONTRIB, GH_WC_ADMIN, GH_IMG_ADMIN, GH_IMG_TESTABLE, GH_IMG_RESTRICT, GH_IMG_PUBLISH, and GH_IMG_VISIBILITY.
GH_CA: The Oracle Grid Infrastructure user on a Rapid Home Provisioning Client automatically inherits this role.
The GH_CA role includes the following basic built-in roles: GH_SERIES_ADMIN, GH_SERIES_CONTRIB, GH_WC_ADMIN, GH_IMG_ADMIN, GH_IMG_TESTABLE, GH_IMG_RESTRICT, GH_IMG_PUBLISH, and GH_IMG_VISIBILITY.
GH_OPER: This role includes the following built-in roles: GH_WC_OPER, GH_SERIES_ADMIN, GH_IMG_TESTABLE, GH_IMG_RESTRICT, and GH_IMG_USER. Users assigned this role have limited access and cannot delete images.
Consider a gold image called G1 that is available on the Rapid Home Provisioning Server with the GH_WC_USER user role. This role allows users read-only permission on G1.
Further consider that a user, U1, on a Rapid Home Provisioning Client, Cl1, has the GH_WC_USER role. If U1 requests to provision an Oracle home based on the gold image G1, then U1 can do so, because of the permissions granted by the GH_WC_USER role, which is also assigned to G1. If U1 requests to delete G1, however, then that request would be denied because the GH_WC_USER role does not have the necessary permissions.
The Rapid Home Provisioning Server can associate user-role mappings to the Rapid Home Provisioning Client. After the Rapid Home Provisioning Server delegates user-role mappings, the Rapid Home Provisioning Client can then modify user-role mappings on the Rapid Home Provisioning Server for all users that belong to the Rapid Home Provisioning Client. This is implied by the fact that only the Rapid Home Provisioning Server qualifies user IDs from a Rapid Home Provisioning Client site with the client cluster name of that site. Thus, the Rapid Home Provisioning Client CL1 will not be able to update user mappings of a user on CL2, where CL2 is the cluster name of a different Rapid Home Provisioning Client.