Oracle® Identity and Access Management Introduction
10g (10.1.4.0.1)

Part Number B31291-01

10 Oracle Delegated Administration Services

This chapter describes Oracle Delegated Administration Services, a framework consisting of pre-defined, Web-based units for building administrative and self-service consoles. These consoles can be used by delegated administrators and users to perform specified directory operations.

It contains these topics:

  • Benefits of Oracle Delegated Administration Services

  • Features of Oracle Delegated Administration Services

  • How Oracle Delegated Administration Services Works


Note:

Oracle Delegated Administration Services is only used for managing information that is stored in Oracle Internet Directory. To manage information that is stored in third-party or heterogeneous directory environments, consider using Oracle Access Manager, which provides a full range of identity administration and security functions. Oracle Access Manager functionality includes Web single sign-on, user self-service and self-registration, sophisticated workflow functionality, reporting and auditing, policy management, dynamic group management, and delegated administration.

10.1 Benefits of Oracle Delegated Administration Services

Delegated administration enables you to store all data for users, groups, and services in a central directory, while distributing the administration of that data to various administrators and end users. It does this in a way that respects the various security requirements in your environment.

Suppose, for example, that your enterprise stores all user, group, and services data in a central directory, and requires one administrator for user data, and another for the e-mail service. Or suppose that it requires the administrator of Oracle Financials to fully control user privileges, and the administrator of OracleAS Portal to fully control the Web pages for a specific user or group. Delegated administration as provided by the Oracle Identity Management infrastructure enables all of these administrators with their diverse security requirements to administer the centralized data in a way that is both secure and scalable.

10.2 Features of Oracle Delegated Administration Services

Oracle Delegated Administration Services is a set of pre-defined, Web-based units for performing directory operations on behalf of a user. It frees directory administrators from the more routine directory management tasks by enabling them to delegate specific functions to other administrators and to end users. It provides most of the functionality that directory-enabled applications require, such as creating a user entry, creating a group entry, searching for entries, and changing user passwords.

Features of Oracle Delegated Administration Services include:

10.2.1 Management with Identity Management Grid Control Plug-in

As of Oracle Application Server 10g (10.1.4.0.1), you can manage Oracle Directory Integration Platform with Identity Management Grid Control Plug-in, which uses the features of Oracle Enterprise Manager 10g Grid Control.


See Also:

The "Identity Management Grid Control Plug-in" chapter in Oracle Identity Management Infrastructure Administrator's Guide.

10.2.2 Oracle Internet Directory Self-Service Console

You can use Oracle Delegated Administration Services to develop your own tools for administering application data in the directory. Alternatively, you can use the Oracle Internet Directory Self-Service Console, a tool based on Delegated Administration Services. This is a self-service application that provides administered access to the application data managed in the directory. This tool comes ready to use with Oracle Internet Directory.

10.2.3 Privilege Delegation Levels

Applications built by using Oracle Delegated Administration Services enable you to grant a specific level of directory access to each type of user. For example, look at Figure 10-1, which shows the various administrative levels in a hosted environment. This illustration shows a directory information tree, the root of which is the entry for the global administrator. From that node, there are two branches, both extending to subscriber administrator nodes. Under each subscriber administrator node are two nodes, both of which are for end users and groups.

Figure 10-1 Administrative Levels in a Hosted Environment

Description of Figure 10-1 is in the surrounding text

The global administrator, with full privileges for the entire directory, can delegate to realm administrators the privileges to create and manage the realms for hosted companies. These administrators can, in turn, delegate to end users and groups the privileges to change their application passwords, personal data, and preferences. Each type of user can thus be given the appropriate level of privileges.

The following privileges can be delegated with Oracle Delegated Administration Services:

  • Creation, editing, and deletion of users and groups

  • Assignment of privileges to users and groups

  • Management of services and accounts

  • Configuration of Oracle Delegated Administration Services

  • Resource management of Oracle Reports and Oracle Application Server Forms Services

10.2.4 Centralization of Proxy User

When a user logs into an Oracle component, that component may need to obtain information from the directory on the end user's behalf—for example, the password verifier. To do this, the component typically logs into the directory as a proxy user, a feature that enables it to switch its identity to that of the end user.

In an Oracle Delegated Administration Services environment, each component, instead of logging into the directory as a proxy user, logs into the central Oracle Delegated Administration Services. Oracle Delegated Administration Services then logs into the directory as a proxy user, switches its identity to that of the end user, and performs operations on that user's behalf. Centralizing proxy user directory access in this way replaces the less secure strategy of granting proxy user access to every component accessing the directory.

Figure 10-2 shows the proxy user feature in an Oracle Delegated Administration Services environment. End users or delegated administrators log in to a central Oracle Delegated Administration Services. They do this by using the Oracle Internet Directory Self-Service Console, the consoles of other Oracle components such as OracleAS Portal, or those of third-party applications. The Oracle Delegated Administration Services then logs into Oracle Internet Directory as a proxy user.

Figure 10-2 Proxy User Feature in Oracle Delegated Administration Services

This illustration is described in the text.
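The following is an added model of the two ideas described above (the delegation levels of Section 10.2.3 and the centralized proxy user of Section 10.2.4). It is constructed example code, not Oracle Internet Directory or Oracle Delegated Administration Services code, and it assumes a toy in-memory directory: the DNs, passwords and grant table are made-up sample data, and the privilege names "manage" and "proxy" are this example's own labels, not Oracle ACI syntax. It shows why only one identity (the central DAS) holds the proxy right, and that after the identity switch every operation is still authorized against the end user's own delegated privileges.

```python
"""Model of subtree-scoped delegation plus a single proxy-user holder.
Constructed example; the directory, grants and passwords are sample data."""

# Constructed sample DIT: global administrator, two hosted realms, a DAS
# identity and an ordinary component identity. Passwords are placeholders.
DIRECTORY = {
    "cn=orcladmin":                           {"password": "global-pw"},
    "cn=das,cn=products":                     {"password": "das-pw"},
    "cn=portal,cn=products":                  {"password": "portal-pw"},
    "cn=admin,dc=acme,dc=example":            {"password": "acme-admin-pw"},
    "cn=alice,cn=users,dc=acme,dc=example":   {"password": "alice-pw", "mail": "alice@acme.example"},
    "cn=bob,cn=users,dc=acme,dc=example":     {"password": "bob-pw", "mail": "bob@acme.example"},
    "cn=admin,dc=globex,dc=example":          {"password": "globex-admin-pw"},
    "cn=carol,cn=users,dc=globex,dc=example": {"password": "carol-pw"},
}

# Delegated privileges: (holder DN, right, subtree the right applies to).
# "" is the directory root, so the global administrator's grants cover everything.
# Only orcladmin and the central DAS hold "proxy"; components do not.
GRANTS = [
    ("cn=orcladmin", "manage", ""),
    ("cn=orcladmin", "proxy", ""),
    ("cn=das,cn=products", "proxy", ""),
    ("cn=admin,dc=acme,dc=example", "manage", "dc=acme,dc=example"),
    ("cn=admin,dc=globex,dc=example", "manage", "dc=globex,dc=example"),
]

# Attributes an end user may change on their own entry (self-service).
SELF_WRITABLE = {"password", "mail"}


def in_subtree(dn, scope):
    """True when dn lies at or below scope in the DIT (root scope matches all)."""
    return scope == "" or dn == scope or dn.endswith("," + scope)


def has_right(actor, right, target):
    return any(h == actor and r == right and in_subtree(target, s) for h, r, s in GRANTS)


def may_write(actor, target, attr):
    """Access decision: a 'manage' grant covering the target, or self-service."""
    if has_right(actor, "manage", target):
        return True
    return actor == target and attr in SELF_WRITABLE


class Session:
    def __init__(self, bound_as):
        self.bound_as = bound_as    # authenticated identity (the proxy user)
        self.acting_as = bound_as   # identity used for authorization decisions

    def proxy_as(self, user_dn):
        """Switch identity to an end user; only a 'proxy' grant holder may do this."""
        if user_dn not in DIRECTORY or not has_right(self.bound_as, "proxy", user_dn):
            raise PermissionError(f"{self.bound_as} may not proxy as {user_dn}")
        self.acting_as = user_dn
        return self

    def modify(self, target, attr, value):
        """The operation is authorized as the proxied user, not as the binder."""
        if target not in DIRECTORY or not may_write(self.acting_as, target, attr):
            raise PermissionError(f"{self.acting_as} may not write {attr} on {target}")
        DIRECTORY[target][attr] = value
        return True


def bind(dn, password):
    entry = DIRECTORY.get(dn)
    if entry is None or entry["password"] != password:
        raise PermissionError("invalid credentials")
    return Session(dn)


def das_modify(end_user, target, attr, value):
    """What the central DAS does: bind with its own credential, switch to the
    end user, then perform the operation under that user's privileges."""
    return bind("cn=das,cn=products", "das-pw").proxy_as(end_user).modify(target, attr, value)


def attempt(fn, *args):
    """True when an operation succeeds, False when the directory refuses it."""
    try:
        return bool(fn(*args))
    except PermissionError:
        return False


if __name__ == "__main__":
    alice = "cn=alice,cn=users,dc=acme,dc=example"
    bob = "cn=bob,cn=users,dc=acme,dc=example"
    print("component proxies directly:", attempt(lambda: bind("cn=portal,cn=products", "portal-pw").proxy_as(alice)))
    print("alice changes own password via DAS:", attempt(das_modify, alice, alice, "password", "new-pw"))
    print("alice changes bob's password via DAS:", attempt(das_modify, alice, bob, "password", "x"))
```

The two checks that matter are in `proxy_as` and `modify`: the first limits who may switch identity at all (the proxy right is granted once, to the DAS identity), and the second evaluates the write against the proxied end user's privileges, so a component routed through DAS gains nothing beyond what that user, or that realm administrator, could do directly.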

10.3 How Oracle Delegated Administration Services Works

Oracle Delegated Administration Services is a J2EE application that is deployed on an Oracle Containers for J2EE (OC4J) instance. Oracle Delegated Administration Services performs the following basic tasks:

  1. Receive requests from clients

  2. Process those requests—by either retrieving or updating data in Oracle Internet Directory—and compile the LDAP result into an HTML page

  3. Send the HTML page back to the client Web browser

Figure 10-3 shows the flow of information between components in an Oracle Delegated Administration Services environment.

Figure 10-3 Information Flow in an Oracle Delegated Administration Services Environment

This illustration is described in the text.

As Figure 10-3 shows:

  1. The user, from a browser and using HTTP, sends to Oracle Delegated Administration Services a request containing a directory query.

  2. Oracle Delegated Administration Services receives the request and launches the appropriate servlet. This servlet interprets the request, and sends it to Oracle Internet Directory by using LDAP.

  3. Oracle Internet Directory sends the LDAP result to the Oracle Delegated Administration Services servlet.

  4. The Oracle Delegated Administration Services servlet compiles the LDAP result into an HTML page, and sends it to the client Web browser.
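The following is an added model of the four steps above, written as constructed example code rather than Oracle Delegated Administration Services servlet code. It assumes a stub in place of Oracle Internet Directory (a short list of made-up entries and a single-filter evaluator) and shows the two checks a practitioner expects at the servlet layer in steps 2 and 4: the client's query text is placed into the LDAP filter only through RFC 4515 escaping, and every directory value is HTML-escaped before it is compiled into the page. The attribute allow-list `SEARCHABLE` and the query parameter names `attr` and `value` are this example's own choices.

```python
"""HTTP query -> LDAP filter -> search result -> HTML page, with escaping at
both boundaries. Constructed example; the directory is a stub."""
import html
import re
from urllib.parse import parse_qs

# Constructed sample data standing in for Oracle Internet Directory.
SAMPLE_ENTRIES = [
    {"cn": "alice", "mail": "alice@acme.example"},
    {"cn": "bob", "mail": "bob@acme.example"},
    {"cn": "b*b", "mail": "star@acme.example"},        # literal asterisk in a value
    {"cn": "ops <team>", "mail": "ops@acme.example"},  # markup characters in a value
]

# Attributes a client may search on; anything else is refused before any LDAP call.
SEARCHABLE = {"cn", "mail"}


def escape_filter_value(value):
    """RFC 4515 escaping for assertion values: characters with meaning inside
    a filter become \\xx hex escapes, so client text cannot change its shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(attr, value):
    """Step 2, first half: turn the request into a filter the servlet controls."""
    if attr not in SEARCHABLE:
        raise ValueError(f"attribute not searchable: {attr}")
    return f"({attr}={escape_filter_value(value)})"


def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def stub_search(ldap_filter):
    """Stand-in for the directory in steps 2 and 3: evaluates one equality or
    substring filter the way a server would, with an unescaped '*' as wildcard
    and case-insensitive matching."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter")
    attr, raw = m.group(1), m.group(2)
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    rx = re.compile(f"^{pattern}$", re.IGNORECASE)
    return [e for e in SAMPLE_ENTRIES if attr in e and rx.match(e[attr])]


def render_html(entries):
    """Step 4: compile the result into HTML, escaping every directory value."""
    rows = "".join(
        f"<tr><td>{html.escape(e['cn'])}</td><td>{html.escape(e['mail'])}</td></tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def handle_request(query_string):
    """Steps 1 to 4 end to end; returns (page body, HTTP status)."""
    params = parse_qs(query_string)
    attr = params.get("attr", ["cn"])[0]
    value = params.get("value", [""])[0]
    try:
        ldap_filter = build_filter(attr, value)
    except ValueError as exc:
        return f"<p>Bad request: {html.escape(str(exc))}</p>", 400
    return render_html(stub_search(ldap_filter)), 200


if __name__ == "__main__":
    print(handle_request("attr=cn&value=alice"))
    print(handle_request("attr=cn&value=b*b"))          # matches only the literal "b*b"
    print(handle_request("attr=userPassword&value=x"))  # refused by the allow-list
```

Comparing `stub_search(build_filter("cn", "b*b"))` with `stub_search("(cn=b*b)")` shows the difference the escaping makes: the escaped filter matches only the entry whose value really is `b*b`, while the raw one also matches `bob`. The same boundary handles parentheses, so a value containing `)(` stays an ordinary, non-matching string rather than becoming part of the filter structure.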