Oracle Waveset 8.1.1 Business Administrator's Guide

Waveset Objects

A clear picture of Waveset objects and how they interact is crucial to successful management and deployment of the system. These objects are:


Note –

When naming Waveset objects, do not use the following characters:

' (apostrophe), . (period), | (pipe), [ (left bracket), ] (right bracket), , (comma), : (colon), $ (dollar sign), " (double quote), \ (backslash), or = (equals sign).

The following characters should also be avoided: _ (underscore), % (percent sign), ^ (caret), and * (asterisk).
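
The naming rule above is easy to enforce before an object is created. The following check is an added example, not Waveset code: the two character sets come from the note, while the function name, the empty-name check and the split into rejections (forbidden characters) and warnings (discouraged characters) are this example's own design.

```python
# Added example (not Waveset code): validate a Waveset object name against the
# naming note. Forbidden characters reject the name; discouraged ones only warn.
FORBIDDEN = set("'.|[],:$\"\\=")   # ' . | [ ] , : $ " \ =
DISCOURAGED = set("_%^*")          # _ % ^ *


def check_object_name(name: str):
    """Return (ok, messages).

    ok is False when the name is empty or contains a forbidden character.
    Discouraged characters are reported but do not make ok False.
    """
    messages = []
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        messages.append("forbidden character(s): " + " ".join(bad))
    warn = sorted(set(name) & DISCOURAGED)
    if warn:
        messages.append("discouraged character(s): " + " ".join(warn))
    if not name.strip():                      # empty-name rule is this example's own
        messages.append("name is empty")
    return (not bad and bool(name.strip()), messages)


if __name__ == "__main__":
    for candidate in ("Sales Admins", "HR.Admins", "HR_Admins", ""):
        print(repr(candidate), check_object_name(candidate))
```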


Waveset User Accounts

A user is anyone who holds a Waveset system account. Waveset stores a range of data for each user. Collectively, this information forms a user’s Waveset identity.

Oracle Waveset user accounts:

The user account setup process is dynamic. Depending on the role selection you make during account setup, you may provide more or less resource-specific information to create the account. The number and type of resources associated with the assigned role determine how much information is required at account creation.

Administrators are users with additional privileges to manage user accounts, resources, and other Oracle Waveset system objects and tasks. Oracle Waveset administrators manage organizations, and are assigned a range of capabilities to apply to objects in each managed organization.

For more information on user accounts, see Chapter 3, User and Account Management. For more information on administrator accounts, see Chapter 6, Administration.

Waveset Roles

A role is an Oracle Waveset object that allows resource access rights to be grouped and efficiently assigned to users. Roles are organized into four role types:

Business Roles organize into groups the access rights that people who do similar tasks in an organization need to do their job duties. Typically, Business Roles represent user job functions.

IT Roles, Applications, and Assets organize resource entitlements (or access rights) into groups. To provide users with access to resources, IT Roles, Applications, and Assets are assigned to Business Roles so that users can access the resources they need to do their jobs.

IT Roles, Applications, and Assets can be required, conditional, or optional.

Because roles can be conditional or optional, users with the same general job description can have the same Business Role, but still have different access rights. This approach allows a Business Role designer to define coarse-grained access to roles in order to achieve regulatory compliance, while still allowing flexibility for the user’s manager to fine-tune the user’s access rights. With this approach, there is no need to define a new Business Role for each permutation of access needs in the enterprise, which is a problem known as role explosion.

A user can be assigned one or more roles, or no role.


Note –

For more information about roles, see Understanding and Managing Roles.


Resources and Resource Groups

Waveset stores information about how to connect to a resource or system. Resources to which Waveset provides access include:

Each Waveset resource stores the following kinds of information:

There are two ways to assign resources to users. A resource can be assigned to a user directly (this is known as an individual or direct assignment), or a resource can be assigned to a role, which is then assigned to a user (this is a role-based or indirect assignment).

A related Waveset object, a resource group, can be assigned to user accounts in the same way resources are assigned. Resource groups correlate resources so that you can create accounts on resources in a specific order. Also, they simplify the process of assigning multiple resources to user accounts.

For more information about resource groups, see Resource Groups.
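
The role section above (required, conditional and optional IT Roles under a Business Role) and the two assignment paths described here (direct versus role-based) can be shown together as one resolution step. The model below is an added example and not Waveset's own data model or code: the class names, the `chosen_optional` set standing in for the manager's selection of optional roles, and the sample users and resources are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Added example (not Waveset code): how required, conditional and optional role
# assignments plus direct assignments yield a user's effective resource list.


@dataclass
class ResourceGroup:
    name: str
    resources: list                # ordered: accounts are created in this order


@dataclass
class ITRole:                      # stands in for IT Roles, Applications and Assets
    name: str
    resources: list = field(default_factory=list)
    groups: list = field(default_factory=list)


@dataclass
class Assignment:
    role: ITRole
    kind: str                      # "required", "conditional" or "optional"
    condition: Optional[Callable[[dict], bool]] = None   # evaluated for "conditional"


@dataclass
class BusinessRole:
    name: str
    assignments: list


@dataclass
class User:
    name: str
    attrs: dict
    business_roles: list
    chosen_optional: set = field(default_factory=set)    # optional roles the manager enabled
    direct_resources: list = field(default_factory=list)  # individual (direct) assignments


def active_it_roles(user: User) -> list:
    """IT Roles the user holds through Business Roles (indirect assignment)."""
    active = []
    for br in user.business_roles:
        for a in br.assignments:
            if a.kind == "required":
                active.append(a.role)
            elif a.kind == "conditional":
                if a.condition is not None and a.condition(user.attrs):
                    active.append(a.role)
            elif a.kind == "optional":
                if a.role.name in user.chosen_optional:
                    active.append(a.role)
            else:
                raise ValueError(f"unknown assignment kind: {a.kind!r}")
    return active


def effective_resources(user: User) -> list:
    """Ordered, de-duplicated resources from role-based and direct assignments."""
    ordered = []

    def add(resource):
        if resource not in ordered:
            ordered.append(resource)

    for role in active_it_roles(user):
        for r in role.resources:
            add(r)
        for g in role.groups:          # resource groups keep their creation order
            for r in g.resources:
                add(r)
    for r in user.direct_resources:    # direct assignment, independent of roles
        add(r)
    return ordered


# Constructed sample data.
MAIL = ITRole("Mail", groups=[ResourceGroup("Mail Stack", ["AD", "Exchange"])])
VPN = ITRole("VPN", resources=["VPN"])
CRM_ADMIN = ITRole("CRM Admin", resources=["CRM"])
SALES_REP = BusinessRole("Sales Rep", [
    Assignment(MAIL, "required"),
    Assignment(VPN, "conditional", condition=lambda attrs: attrs.get("remote", False)),
    Assignment(CRM_ADMIN, "optional"),
])
ALICE = User("alice", {"remote": True}, [SALES_REP], chosen_optional={"CRM Admin"})
BOB = User("bob", {"remote": False}, [SALES_REP], direct_resources=["HelpDesk"])

if __name__ == "__main__":
    for u in (ALICE, BOB):
        print(u.name, effective_resources(u))
```

Both users hold the same Business Role, yet their resource lists differ: the conditional VPN role follows the `remote` attribute, the optional CRM role follows the manager's choice, and Bob's HelpDesk access comes from a direct assignment outside any role. This is the point of the text's remark that the same Business Role need not mean identical access rights.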

Organizations and Virtual Organizations

Organizations are Waveset containers used to enable administrative delegation. They define the scope of entities that a Waveset administrator controls or manages.

Organizations can also represent direct links into directory-based resources. These are called virtual organizations. Virtual organizations allow direct management of resource data without loading information into the Waveset repository. By mirroring an existing directory structure and membership through a virtual organization, Waveset eliminates duplicate and time-consuming setup tasks.

Organizations that contain other organizations are parent organizations. You can create organizations in a flat structure or arrange them in a hierarchy. The hierarchy can represent departments, geographical areas, or other logical divisions by which you manage user accounts.

For more information on organizations, see Understanding Waveset Organizations.

Directory Junctions

A directory junction is a hierarchically related set of organizations that mirrors a directory resource’s actual set of hierarchical containers. A directory resource is one that employs a hierarchical namespace through the use of hierarchical containers. Examples of directory resources include LDAP servers and Windows Active Directory resources.

Each organization in a directory junction is a virtual organization. The topmost virtual organization in a directory junction is a mirror of the container representing the base context defined in the resource. The remaining virtual organizations in a directory junction are direct or indirect children of the top virtual organization, and also mirror one of the directory resource containers that are children of the defined resource’s base context container.

You can make Waveset users members of, and available to, a virtual organization in the same way as an organization.

For more information on directory junctions, see Understanding Directory Junctions and Virtual Organizations.
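
The mirroring described above (the base context becomes the top virtual organization, every container below it becomes a direct or indirect child) can be sketched as a small tree builder. This is an added example, not Waveset's junction code: the DN splitting is a simplification that does not handle escaped commas, and the container list is constructed.

```python
# Added example (not Waveset code): mirror the containers of a directory
# resource below its base context as a virtual-organization hierarchy.


def dn_components(dn: str) -> list:
    """Split a DN into RDNs, most specific first, normalised to lower case.
    Simplification: escaped commas inside RDN values are not handled."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def build_junction(base_context: str, container_dns: list) -> dict:
    """Return {virtual_org: parent_virtual_org}.

    The root entry mirrors the base context itself (parent None). Containers
    outside the base context are not mirrored. Missing intermediate containers
    are created so every org is a direct or indirect child of the root.
    """
    base = dn_components(base_context)
    root = ",".join(base)
    junction = {root: None}

    def ensure(rel: list) -> str:
        # rel: RDNs below the base context, most specific first
        if not rel:
            return root
        name = ",".join(rel + base)
        if name not in junction:
            junction[name] = ensure(rel[1:])
        return name

    for dn in container_dns:
        comps = dn_components(dn)
        if len(comps) <= len(base) or comps[-len(base):] != base:
            continue                       # not under the resource's base context
        ensure(comps[:-len(base)])
    return junction


def ancestors(junction: dict, org: str) -> list:
    """Parent chain from org up to the root. Control of an ancestor
    organization cascades down to org."""
    chain = []
    parent = junction[org]
    while parent is not None:
        chain.append(parent)
        parent = junction[parent]
    return chain


def children(junction: dict, org: str) -> list:
    return sorted(name for name, parent in junction.items() if parent == org)


# Constructed sample: 'ou=Sales' is not listed but is implied by its child;
# the last entry lies outside the base context and is ignored.
BASE = "dc=example,dc=com"
CONTAINERS = [
    "ou=People,dc=example,dc=com",
    "ou=EMEA,ou=Sales,ou=People,dc=example,dc=com",
    "OU=Groups, DC=example, DC=com",
    "ou=Stuff,dc=other,dc=com",
]
JUNCTION = build_junction(BASE, CONTAINERS)

if __name__ == "__main__":
    for org, parent in JUNCTION.items():
        print(f"{org}  <-  {parent}")
```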

Waveset Capabilities

Each user can be assigned capabilities, or groups of rights, that enable the user to perform administrative actions through Oracle Waveset. Capabilities allow the administrative user to perform certain tasks in the system and act on Oracle Waveset objects.

Typically, you assign capabilities according to specific job responsibilities, such as password resets or account approvals. By assigning capabilities and rights to individual users, you create a hierarchical administrative structure that provides targeted access and privileges without compromising data protection.

Oracle Waveset provides a set of default capabilities for common administrative functions. Capabilities meeting your specific needs can also be created and assigned.

For more information on capabilities, see Understanding and Managing Capabilities.

Admin Roles

Oracle Waveset admin roles enable you to define a unique set of capabilities for each set of organizations that are managed by an administrative user. An admin role is assigned capabilities and controlled organizations, which can then be assigned to an administrative user.

Capabilities and controlled organizations can be assigned directly to an admin role. They also can be assigned indirectly (dynamically) each time the administrative user logs in to Oracle Waveset. Oracle Waveset rules control dynamic assignment.

For more information on admin roles, see Understanding and Managing Admin Roles.

Waveset Policies

Policies set limitations for Waveset users by establishing constraints for account ID, login, and password characteristics. Identity system account policies establish user, password, and authentication policy options and constraints. Resource password and account ID policies set length rules, character type rules, and allowed words and attribute values. A dictionary policy enables Identity Auditor to check passwords against a word database to ensure protection from simple dictionary attacks.

For more information about policies, see What are Policies?.
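
The password and account ID policy kinds listed above (length rules, character type rules, forbidden words and attribute values, and a dictionary check) map directly onto a rule evaluator. The following is an added example and not Waveset's policy engine: the policy dictionary layout, rule messages, attribute names and the stand-in word list are all constructed for this illustration.

```python
import re

# Added example (not Waveset code): evaluate a candidate password against the
# policy kinds the text describes and return every rule it violates.
POLICY = {
    "min_length": 8,
    "max_length": 64,
    "min_char_classes": 3,                       # of: upper, lower, digit, special
    "forbidden_words": ["waveset"],
    "forbidden_attribute_values": ["accountId", "firstname"],
}
DICTIONARY = {"password", "welcome", "summer", "letmein"}   # stand-in word database

CHAR_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, user_attrs: dict, policy: dict = POLICY,
                   dictionary: set = DICTIONARY) -> list:
    """Return the list of violated rules; an empty list means the password complies."""
    violations = []
    if len(password) < policy["min_length"]:
        violations.append(f"shorter than {policy['min_length']} characters")
    if len(password) > policy["max_length"]:
        violations.append(f"longer than {policy['max_length']} characters")

    present = sum(1 for rx in CHAR_CLASSES.values() if rx.search(password))
    if present < policy["min_char_classes"]:
        violations.append(
            f"uses {present} character classes, needs {policy['min_char_classes']}")

    lowered = password.lower()
    for word in policy["forbidden_words"]:
        if word.lower() in lowered:
            violations.append(f"contains forbidden word '{word}'")
    for attr in policy["forbidden_attribute_values"]:
        value = str(user_attrs.get(attr, "")).lower()
        if value and value in lowered:
            violations.append(f"contains value of attribute {attr}")
    for word in sorted(dictionary):              # sorted for a stable message order
        if word in lowered:
            violations.append(f"contains dictionary word '{word}'")
    return violations


# Constructed sample user.
USER = {"accountId": "jdoe", "firstname": "Jane"}

if __name__ == "__main__":
    for candidate in ("Summer2024!", "jdoe12", "Tq7#mVx9Lp"):
        print(repr(candidate), check_password(candidate, USER))
```

Substring matching against the account ID and first name is deliberately case-insensitive; a check that compares exact values only would let "Jdoe2024" through while catching "jdoe2024".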

Audit Policies

Distinct from other system policies, an audit policy defines a policy violation for a group of users of a specific resource. Audit policies establish one or more rules by which users are evaluated for compliance violations. These rules depend on conditions based on one or more attributes defined by a resource. When the system scans a user, it uses the criteria defined in the audit policies assigned to that user to determine whether compliance violations have occurred.

For more information about audit policies, see About Audit Policies.

Object Relationships

The following table provides a quick overview of Waveset objects and their relationships.

Table 1–1 Waveset Object Relationships

Each entry lists a Waveset object, what it is, and where it fits in relation to the other objects.

User account
  What is it? An account on Waveset and on one or more resources. User data may be loaded into Waveset from resources. A special class of users, Waveset administrators, has extended privileges.
  Where does it fit?
    Role. Generally, each user account is assigned one or more roles.
    Organization. User accounts are arranged in a hierarchy as part of an organization. Waveset administrators additionally manage organizations.
    Resource. Individual resources can be assigned to user accounts.
    Capability. Administrators are assigned capabilities for the organizations they manage.

Role
  What is it? Business Roles organize into groups the access rights that people who do similar tasks in an organization need to do their job duties. Asset, Application, and IT Roles group resources so that resources can be assigned to users by way of Business Roles. Role-based resource assignments simplify resource management in large organizations.
  Where does it fit?
    Resource and resource group. Resources and resource groups are assigned to Asset, Application, and IT Roles.
    User account. User accounts with similar characteristics are assigned to Business Roles.
    Asset, Application, and IT Roles. Asset, Application, and IT Roles are assigned to Business Roles.

Resource
  What is it? Stores information about a system, application, or other resource on which accounts are managed.
  Where does it fit?
    Role. Resources are assigned to Application and IT Roles, which are in turn assigned to Business Roles. A user account loosely “inherits” resource access from its Business Role assignments.
    User account. Resources can be individually assigned to user accounts.

Resource group
  What is it? Ordered group of resources.
  Where does it fit?
    Role. Resource groups are assigned to roles; a user account “inherits” resource access from its Business Role assignments.
    User account. Resource groups can be directly assigned to user accounts.

Organization
  What is it? Defines the scope of entities managed by an administrator; hierarchical.
  Where does it fit?
    Resource. Administrators in a given organization may have access to some or all resources.
    Administrator. Organizations are managed (controlled) by users with administrative privileges. Administrators may manage one or more organizations. Administrative privileges in a given organization cascade to its child organizations.
    User account. Each user account can be assigned to a Waveset organization and one or more directory organizations.

Directory junction
  What is it? Hierarchically related set of organizations that mirrors a directory resource’s actual set of hierarchical containers.
  Where does it fit?
    Organization. Each organization in a directory junction is a virtual organization.

Admin role
  What is it? Defines a unique set of capabilities for each set of organizations assigned to an administrator.
  Where does it fit?
    Administrator. Admin roles are assigned to administrators.
    Capabilities and organizations. Capabilities and organizations are assigned, directly or indirectly (dynamically), to admin roles.

Capability
  What is it? Defines a group of system rights.
  Where does it fit?
    Administrator. Capabilities are assigned to administrators.

Policy
  What is it? Sets password and authentication limits.
  Where does it fit?
    User account. Policies are assigned to user accounts.
    Organization. Policies are assigned to or inherited by organizations.

Audit policy
  What is it? Sets rules by which users are evaluated for compliance violations.
  Where does it fit?
    User account. Audit policies are assigned to user accounts.
    Organization. Audit policies are assigned to organizations.