Oracle® Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition) 11g Release 1 (11.1.1.5.0) Part Number E20839-01
Oracle Authorization Policy Manager is a graphical interface tool for managing application authorization policies. This chapter describes the basic functionality of this tool in the following sections:
The intended users of Oracle Authorization Policy Manager are security administrators.
Oracle Authorization Policy Manager requires that:
The domain policy store be LDAP- or DB-based; the only supported LDAP policy store type is Oracle Internet Directory; the only supported DB policy store type is Oracle RDBMS. Before using Oracle Authorization Policy Manager, make sure that the policy store has been reassociated to any of the supported repositories. For details on reassociating the domain policy store, see Oracle Fusion Middleware Application Security Guide.
The domain identity store be LDAP-based; supported identity store types are:
Oracle Internet Directory
Oracle Virtual Directory
WebLogic EmbeddedLDAP
Sun Java System Directory Service version 6.3
Active Directory 2003, 2008
Novell eDirectory 8.8
OpenLDAP 2.2. For the special configuration required for this type, see Appendix A, "Using an OpenLDAP Identity Store."
Tivoli Directory Server
For information about Oracle Fusion Middleware Certification and Supported Configurations, visit http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html.
Two particular data sources be set: mds-ApplicationMDSDB and APMDBDS. The first data source can be configured with the WebLogic Console by navigating to JDBC > Data Sources. Table 1-1 describes the characteristics of these data sources.
Applications whose policies are managed with Oracle Authorization Policy Manager are assumed to use Oracle Platform Security Services for authorization. For details about integrating an application with these services, see Oracle Fusion Middleware Application Security Guide.
For additional data source requirements when using Data Role Templates, see Chapter 10, "Prerequisites for Using Templates."
A security administrator can use WLST commands or Fusion Middleware Control to manage application policies. On the one hand, using WLST commands requires manually running commands; on the other hand, even though Fusion Middleware Control offers a graphical user interface, it is a rather complex tool that requires the administrator to work with low-level security artifacts and to know names and concepts that are typically familiar only to developers (such as permission class names or task-flow names).
Oracle Authorization Policy Manager greatly simplifies the creation, configuration, and administration of application policies over those two other tools by offering:
User-friendly names and descriptions of security artifacts; for details, see Chapter 2, "The OPSS Authorization Model."
A way to organize application roles by business, product, or any other parameter specific to an application; for details, see Section 2.3.5, "Role Categories."
A uniform graphic interface to search, create, browse, and edit security artifacts; for details, see Chapter 4, "Querying Security Artifacts," and Chapter 5, "Managing Security Artifacts."
A way to specify a subset of applications that a role can manage; for details, see Chapter 6, "Delegated Administration."
The ability to generate external roles and data security grants automatically from a template; for details, see Chapter 10, "Oracle Fusion Applications Data Role Templates."
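To make the contrast above concrete, the following WLST script shows what managing one application policy by hand looks like. It is an added example, not code from this guide or from the Oracle Authorization Policy Manager product; it uses the OPSS policy-store WLST commands (createAppRole, grantAppRole, grantPermission, listAppRoleMembers, listPermissions) and every host, credential, stripe, role, user, permission target and action value in it is assumed for illustration. Note how each step needs a fully qualified Java class name or a resource target string, which is exactly the developer-level detail the graphical tool hides.

```wlst
# Added example (not from this guide): managing an application policy with the
# OPSS WLST commands that Oracle Authorization Policy Manager wraps in a GUI.
# Run with: $ORACLE_HOME/common/bin/wlst.sh manage_policy.py
# All host, credential, stripe, role, user and permission values are assumed.

connect('weblogic', '<admin-password>', 't3://adminhost.example.com:7001')

stripe = 'myApp'        # application stripe in the policy store (assumed name)
role   = 'ViewerRole'   # application role to create (assumed name)

# 1. Create an application role in the stripe.
createAppRole(appStripe=stripe, appRoleName=role)

# 2. Make an identity-store user a member of the role. The principal must be
#    named by its Java class, not by a user-friendly label.
grantAppRole(appStripe=stripe, appRoleName=role,
             principalClass='weblogic.security.principal.WLSUserImpl',
             principalName='jdoe')

# 3. Grant the role a permission. The permission class, target and actions are
#    the low-level artifacts the guide refers to; the target below is an
#    illustrative ADF task-flow resource, not one from this guide.
grantPermission(appStripe=stripe,
                principalClass='oracle.security.jps.service.policystore.ApplicationRole',
                principalName=role,
                permClass='oracle.security.jps.ResourcePermission',
                permTarget='resourceType=TaskFlowResourceType,resourceName=/WEB-INF/reports-flow.xml#reports-flow',
                permActions='view')

# 4. Verify before leaving the session: list the role's members and grants so
#    that a mistyped class name or target is caught now, not at runtime.
listAppRoleMembers(appStripe=stripe, appRoleName=role)
listPermissions(appStripe=stripe,
                principalClass='oracle.security.jps.service.policystore.ApplicationRole',
                principalName=role)

disconnect()
```

The final two list commands are the check a security administrator would want after any scripted policy change, since a misspelled principal class or target string is accepted by the policy store but silently grants nothing.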
Figure 1-1 illustrates how a security administrator accesses Oracle Authorization Policy Manager, and how the tool communicates with the domain policy and identity stores within the context of Oracle WebLogic server.
That figure also illustrates the fact that Oracle Authorization Policy Manager can access policies (and identities) shared by different domains. Oracle Authorization Policy Manager uses OPSS management APIs to access the policy store and IGF APIs to access the identity store.
Oracle Authorization Policy Manager does not support the management of users and external roles; these artifacts can only be viewed with the tool. Their provisioning and management are typically accomplished using Oracle Identity Manager. Changes to the identity store are immediately visible in Oracle Authorization Policy Manager.
This section provides links to other documentation that describes the following topics:
For details about installing Oracle Authorization Policy Manager, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
For details about high availability for Oracle Authorization Policy Manager, see Oracle Fusion Middleware High Availability Guide.
The connections that Oracle Authorization Policy Manager establishes with the policy store, the identity store, and the database can be secured through one-way SSL. The access to Oracle Authorization Policy Manager via a browser can also be secured through one-way SSL. These settings are similar to those of any other application running in the Oracle WebLogic server.
For details about configuring SSL in Oracle Fusion Middleware applications when OHS is not being used, see chapter 12 in Oracle Fusion Middleware Securing Oracle WebLogic Server.
For details about configuring SSL in Oracle Fusion Middleware applications when OHS is being used, see chapter 6 in Oracle Fusion Middleware Administrator's Guide.
Setting the loggers and a log level for Oracle Authorization Policy Manager is similar to setting them for any other application running in the Oracle WebLogic server. For details, see Oracle Fusion Middleware Application Security Guide.