Oracle® Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition)
11g Release 6 (11.1.6)
Part Number E20839-04
Oracle Authorization Policy Manager is a graphical interface for managing policies and related security objects. This chapter provides a general overview of the product.
Oracle Authorization Policy Manager is the graphical interface for Oracle Entitlements Server, a fine-grained authorization product that allows an organization to protect its resources by defining and managing policies and related security objects. At a high level, Oracle Entitlements Server combines centralized policy management with policy decision making. The following sections contain more information.
Oracle Entitlements Server offers fine-grained authorization in which a context for the authorization request is provided and access is granted or denied based on it. Access privileges are defined in an authorization policy by specifying who can do what to which resource, when it can be done, and how. The authorization policy can enforce controls on all types of resources including software components (URLs, Java Server Pages, Enterprise JavaBeans, methods, servlets and the like used to construct an application) and business objects (representations of user accounts, personal profiles and contracts such as bank accounts in a banking application, patient records in a health care application, or anything used to define a business relationship). Additionally, Oracle Entitlements Server:
Distributes policies from the Administration Server to the decision endpoints.
Caches policies and authorization decisions for performance.
Updates security policies at run time.
Offers a flexible architecture that supports both embedded and remote decision points (for centralized or distributed policy decisions).
Separates security decision making from application logic.
Audits all access decisions and management operations.
Supports the eXtensible Access Control Markup Language (XACML) request/response protocol for authorization inquiries.
Integrates with existing security and identity systems by leveraging enterprise data in relational databases and LDAP directories.
The Fusion Applications version of Oracle Entitlements Server is not meant to contain all of the functionality of Oracle Entitlements Server.
Oracle Authorization Policy Manager is the Administration Console for Oracle Entitlements Server. It is a browser-based, graphical interface for managing policies and related security objects. It supports the creation and management of Authorization Policies and Role Mapping Policies. An Authorization Policy defines the rules for accessing a software component or business object. A Role Mapping Policy defines which users are assigned which roles, and may be referenced by an Authorization Policy. Figure 1-1 is a screenshot of the Authorization Policy Manager Administration Console.
Figure 1-1 The Oracle Authorization Policy Manager Graphical Interface
For purposes of this documentation, Authorization Policy Manager and variations of the Oracle Entitlements Server Administration Console (Administration Console, Console and the like) may be used interchangeably.
The following sections contain additional information.
Only users with sufficient privileges can log in to the Oracle Entitlements Server Administration Console or use administrative command-line tools such as the WebLogic Scripting Tool (WLST). An Oracle Entitlements Server system-level Administrator Role named SystemAdmin is created during installation and is mapped to the WebLogic Server administrator user, weblogic. The password is set during installation.
At first login to the Oracle Entitlements Server Administration Console, SystemAdmin must use the credentials set during installation. The identifier and password can then be changed by using your identity store's management tool.
SystemAdmin has extensive privileges that include the right to create additional Administrative Roles for delegating administrative rights to others. You can then grant users these roles to give them different administrative rights for the Oracle Entitlements Server environment. For more information, see Section 6.6, "Managing System Administrators Using Administrator Roles."
Oracle Entitlements Server administrator and user identities are stored in an identity store, typically an LDAP directory server. Users and External Roles (those defined in the identity store) are read-only. Oracle Entitlements Server reads and displays the data; it does not perform any management operations. Management of the identity data is accomplished using the identity store's tools or an identity management product such as Oracle Identity Manager. Supported identity stores are:
Oracle Internet Directory
Oracle Virtual Directory
Sun Java System Directory Service version 6.3
Active Directory 2003, 2008
Novell eDirectory 8.8
OpenLDAP 2.2. For the special configuration required for this type, see Appendix A, "Using an OpenLDAP Identity Store."
Tivoli Directory Server
For information about Oracle Fusion Middleware Certification and Supported Configurations, visit
For this release of Oracle Entitlements Server, the policy store used to maintain policy objects and defined policies can be a relational database (preferred) or an LDAP-based directory. (Oracle Internet Directory can be used as the policy store but has limited capabilities.) For links regarding hardware requirements, see Section 1.2.1, "Before You Begin." Instructions for creating and initializing the policy store can be found in Oracle Fusion Middleware Installation Guide for Oracle Identity Management. Before using Authorization Policy Manager, make sure that the policy store has been reassociated to one of the supported repositories. For details on reassociating the domain policy store, see Oracle Fusion Middleware Application Security Guide.
Figure 1-2 illustrates how a security administrator accesses Authorization Policy Manager, and how the tool communicates with the Oracle WebLogic server domain's policy and identity stores. Note that Authorization Policy Manager can access policies (and identities) shared by different domains. Authorization Policy Manager uses the Oracle Entitlements Server Management API to access the policy store and Oracle Identity Governance Framework API to access the identity store.
Figure 1-2 Authorization Policy Manager Deployed in a WebLogic Domain
Before getting started using Oracle Entitlements Server, the following tasks must be done. They include installing the product and its components (for example, remote Security Modules), and configuring features like high availability and Secure Sockets Layer (SSL), if applicable. The following sections contain links to other documentation regarding the topics.
Two particular data sources must be set using WebLogic Server before beginning the installation process. They are APMDBDS and mds-ApplicationMDSDB. The first data source can be configured with the WebLogic Console by navigating to JDBC > Data Sources. Table 1-1 describes the characteristics of these data sources.
|Data Source Name|JNDI Name|Description|
Stores MDS-related documents used by the application.
Required to use the 3-way-diff patch method.
Additionally, applications whose policies are managed with Authorization Policy Manager are assumed to use Oracle Platform Security Services for authorization. For details about integrating an application with these services, see Oracle Fusion Middleware Application Security Guide.
Authorization Policy Manager is installed with Oracle Entitlements Server. Before getting started, install Oracle Entitlements Server and its components (for example, remote Security Modules), if applicable. For details about installation, see Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
For this release, the policy store managed by Oracle Entitlements Server can be a relational database (preferred) or an LDAP-based directory.
The identity store associated with Oracle Entitlements Server must be an LDAP-based directory.
When Authorization Policy Manager is installed for Oracle Fusion Applications, it is configured to allow for basic authorization. Basic authorization is based on the permissions policy model in which permissions are granted to users, groups, and code sources. For users and groups, the permissions determine what a user or a group member is allowed to access. For code sources, they determine what actions the code is allowed to perform. Advanced authorization allows for the use of more fine-grained policy objects including Role Mapping Policies and hierarchical resources.
Use the following procedure to reconfigure Authorization Policy Manager for advanced authorization. It assumes WebLogic Server is installed and the Fusion Middleware home directory is available.
Change to the Fusion Middleware home directory at
Connect to the WebLogic Server using the
The command takes the following arguments: user name (weblogic), password associated with the user (weblogic1) and the T3 connection URL for the Administration Server. In this example, it is running locally on port 7101.
Export the Authorization Policy Manager configuration file using the
exportMetadata(application='oracle.security.apm', server='AdminServer', toLocation='/tmp/repository/', docs='/oracle/security/apm/config/apm-config.xml')
This command will export the apm-config.xml configuration file to the /tmp/repository sub-directory on the machine that hosts the Administration Server. The command takes the following arguments:
The application owner of the document being exported; in this case, the default value is
The name of the WebLogic Server Administration Server.
The directory to which apm-config.xml will be exported. Be sure you have access rights to this directory.
The document being exported; in this example, oracle/security/apm/config/apm-config.xml will be exported, so make sure you have access rights to that file path on the AdminServer machine once the documents have been downloaded.
Open the apm-config.xml configuration file in a text editor. The file is in the /tmp/repository directory as previously specified.
Change the value of the oracle.security.apm.oes.mode attribute in this file from basic to advanced.
Save the changes and close the file.
Upload the modified file back to the repository.
importMetadata(application='oracle.security.apm', server='AdminServer', fromLocation='/tmp/repository/', docs='/oracle/security/apm/config/apm-config.xml')
This command will import the apm-config.xml configuration file back to the machine that hosts the Administration Server. The command takes the following arguments:
The application owner of the document being imported; in this case, the default value is
The name of the WebLogic Server Administration Server.
The directory from which apm-config.xml will be imported.
The document being imported; in this example, apm-config.xml will be imported to the oracle/security/apm/config/ directory.
Issue the exit command.
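The edit step of the procedure above, done as a script rather than by hand, as an added example that is not from the guide or the product: it locates oracle.security.apm.oes.mode in the exported apm-config.xml, checks the current value before switching it, and leaves every other setting untouched. The element layout of apm-config.xml (a property-style element, or an attribute of that name) is an assumption; the file shipped with the product may differ.

```python
"""Switch oracle.security.apm.oes.mode from basic to advanced in an exported apm-config.xml."""
import xml.etree.ElementTree as ET

MODE_KEY = "oracle.security.apm.oes.mode"
VALID_MODES = ("basic", "advanced")

# Constructed sample standing in for the exported
# /tmp/repository/oracle/security/apm/config/apm-config.xml (layout assumed).
SAMPLE_APM_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<apm-config>
  <property name="oracle.security.apm.oes.mode" value="basic"/>
  <property name="some.other.setting" value="unchanged"/>
</apm-config>
"""


def _locate(root):
    """Return (element, attribute name) that carries the mode value.

    Two layouts are accepted (both assumed):
      <property name="oracle.security.apm.oes.mode" value="basic"/>
      <anything oracle.security.apm.oes.mode="basic"/>
    Anything else is refused so an unexpected file is never edited.
    """
    for elem in root.iter():
        if elem.get("name") == MODE_KEY and "value" in elem.attrib:
            return elem, "value"
        if MODE_KEY in elem.attrib:
            return elem, MODE_KEY
    raise LookupError(f"{MODE_KEY} not found; refusing to edit an unexpected file")


def get_oes_mode(xml_text):
    """Read the current authorization mode from the configuration text."""
    elem, attr = _locate(ET.fromstring(xml_text))
    return elem.get(attr)


def set_oes_mode(xml_text, new_mode):
    """Return (old_mode, updated_xml_text); raise ValueError on bad modes."""
    if new_mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {new_mode!r}")
    root = ET.fromstring(xml_text)
    elem, attr = _locate(root)
    old_mode = elem.get(attr)
    if old_mode not in VALID_MODES:
        raise ValueError(f"unexpected current mode {old_mode!r}; file not modified")
    elem.set(attr, new_mode)
    # tostring() drops the <?xml ...?> declaration; update_file() restores it.
    return old_mode, ET.tostring(root, encoding="unicode")


def update_file(path, new_mode="advanced"):
    """Rewrite the exported file in place, keeping an XML declaration."""
    with open(path, encoding="utf-8") as fh:
        old_mode, updated = set_oes_mode(fh.read(), new_mode)
    ET.ElementTree(ET.fromstring(updated)).write(path, encoding="UTF-8", xml_declaration=True)
    return old_mode


if __name__ == "__main__":
    old, updated = set_oes_mode(SAMPLE_APM_CONFIG, "advanced")
    print(f"{MODE_KEY}: {old} -> {get_oes_mode(updated)}")
```

Run update_file() against the path used with exportMetadata, then continue with importMetadata as in the procedure.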
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a supported LDAP directory must be used in production. The following procedure reconfigures the default identity store settings. More specific information on configuring LDAP authentication providers can be found in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Launch the WebLogic Server console.
Click Security Realms.
Click the settings for myrealm.
Click the Providers tab.
Click the Authentication tab as displayed in Figure 1-3.
Figure 1-3 The Authentication Provider Tab
Click the New button to create a new provider.
Enter a name and select the type of LDAP-based directory.
For example, OracleInternetDirectoryAuthenticator.
Configure the provider-specific attributes of the LDAP-based directory.
This might include the host name and port, credentials, group search base, user search base and the like.
Save the provider information.
Change the order of the providers so that the LDAP-based directory is first.
DefaultAuthenticator and DefaultIdentityAsserter will follow.
Click the new provider name to configure it.
Click the Configuration tab.
Click the Common tab.
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 1-4.
Figure 1-4 SUFFICIENT Control Flag
Click the Provider Specific tab.
Enter the LDAP configuration information for your identity store and click Save.
Return to the Providers tab.
Click DefaultAuthenticator to change its configuration.
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 1-5.
Figure 1-5 DefaultAuthenticator Tab in WebLogic Server Console
Restart WebLogic Server.
For details about high availability for Authorization Policy Manager, see Oracle Fusion Middleware High Availability Guide.
The connections that Authorization Policy Manager establishes with the policy store, the identity store, and the database can be secured through one-way Secure Sockets Layer (SSL). The access to Authorization Policy Manager via a browser can also be secured through one-way SSL. These settings are similar to those of any other application running in the Oracle WebLogic server.
For information about configuring one-way SSL for connections with the policy store, the identity store, and the database, see Oracle Fusion Middleware Securing Oracle WebLogic Server.
For details about configuring SSL in Oracle Fusion Middleware applications when OHS is not being used, see chapter 12 in Oracle Fusion Middleware Securing Oracle WebLogic Server.
For details about configuring SSL in Oracle Fusion Middleware applications when OHS is being used, see chapter 6 in Oracle Fusion Middleware Administrator's Guide.
Setting the loggers and a log level for Authorization Policy Manager is similar to setting them for any other application running in the Oracle WebLogic server. For details, see Oracle Fusion Middleware Application Security Guide.
Authorization Policy Manager determines the language in which text is displayed from the locale setting of the browser. When your browser locale is set to one of the supported administrator languages, the Authorization Policy Manager text is displayed in that language.
The following sections contain information on how to access the Authorization Policy Manager graphical interface (also referred to as the Administration Console).
Follow this procedure to sign in to the Authorization Policy Manager Administration Console.
Enter the Authorization Policy Manager Administration Console URL in the address bar of your browser. For example:
HTTPS represents the Hypertext Transfer Protocol (HTTP) with the Secure Socket Layer (SSL) enabled to encrypt and decrypt user page requests and the pages returned by the Web server.
hostname refers to the fully qualified domain name of the computer hosting the Oracle Authorization Policy Manager Administration Console.
port refers to the designated bind port for the Authorization Policy Manager Administration Console. (This is the same as the bind port for the WebLogic Server Administration Console.)
/apm/ refers to the Authorization Policy Manager Log In page.
Enter the System Administrator credentials.
The default system administrator identifier is weblogic. The password is the same one supplied during installation. Figure 1-6 is a screenshot of the Sign In page.
Figure 1-6 Administration Console Sign In Page
Click Sign In.
Follow this procedure to sign out of the Authorization Policy Manager Administration Console.
Click the Sign Out link located in the upper right corner of the Administration Console.
Figure 1-7 is a screenshot of the Sign Out link.
Figure 1-7 Administration Console Sign Out Link
Close the browser window.
After a successful login, the Authorization Policy Manager Administration Console is displayed with the Authorization Management tab active. The Navigation Panel is on the left side and the Home area on the right side. Objects selected in the Navigation Panel are opened in tabs and displayed in the Home area. Figure 1-1 is a screenshot of the Administration Console after an administrative user has successfully signed in. The following sections contain descriptions of the top-level items displayed.
See the following sections for information on the organizational tabs used in the Administration Console. Each tabbed section consists of a Navigation Panel and a Home area.
The Authorization Management tab is used to search and manage policy objects. This tab is active upon successful log in to the Administration Console. Figure 1-8 is a screenshot of the Authorization Management tab.
Figure 1-8 Authorization Management Tab
Under Authorization Management, the left side is the Navigation Panel and the right side is Home. The Home display changes based on what is selected from the Navigation Panel. For more information, see Section 1.4.2, "Using The Navigation Panel" and Section 1.4.3, "Understanding the Home Area."
The System Configuration tab is used to manage administrative and system type objects for the Oracle Entitlements Server deployment. Figure 1-9 is a screenshot of an active System Configuration tab. The object selected in the Navigation Panel is displayed using tabs in the Home area.
Figure 1-9 System Configuration Tab
The following tasks are performed under System Configuration:
Creating Security Modules
Binding Security Modules to applications
Managing system administrators (for example, creating additional system administrator roles, assigning users to system administrator roles, and assigning rights to system administrator roles)
For more information, see Chapter 12, "Managing System Configurations."
The Navigation Panel is used to find security objects by browsing the Global or Applications information trees, or by conducting a simple search. It lists all Global and Application policy objects in a navigable tree. You can browse the tree or display objects as Search Results based on defined search criteria. Figure 1-1 is a screenshot that displays the Navigation Panel with its nodes collapsed. Figure 1-10 displays the Navigation Panel with its nodes expanded and many policy objects in view.
Figure 1-10 Navigation Panel Browse Tab with Nodes Expanded
The Navigation Panel contains, from top to bottom, the following elements:
A pull-down list to select the policy object for a simple search. For more information, see Section 4.2, "Finding Objects with a Simple Search."
A pull-down list to select the scope of a simple search. For more information, see Section 4.2, "Finding Objects with a Simple Search."
A text box to enter the simple search string. The string is compared against both the Name and Display Name of policy objects; those that match are displayed in the Search Results tab.
The Browse tab displays the following expandable and collapsible nodes:
The Global node collects global objects such as external roles.
The Applications node contains one or more Applications being managed by the administrator that is logged in. (Only Applications which the logged in user is authorized to access are displayed.) From any of those displayed, the administrator can access application-specific policy objects such as resource types, entitlements, resources, policies, and roles. For more information, see Chapter 12, "Managing System Configurations."
The Search Results tab displays the results of the last simple search as seen in Figure 1-11.
Actions and View drop downs to select operations on the chosen policy object.
Figure 1-11 Navigation Panel Search Tab
From the Navigation Panel, there are two methods for displaying the New and Open options contained in the Actions drop-down list.
Locate the desired application, expand the node, and select the desired object. Click the Actions drop-down and select New.
Locate the desired application, expand the node, and select the desired object. Right-click the object from the application node.
Select New to create a new object of the same type and select Open to display a search tab in the Home area. Double-clicking an object from the node also opens a Search tab in the Home area.
The Home area displays on the right side of the Navigation Panel and contains quick access links to New and Search screens for the most commonly used policy objects. As displayed in Figure 1-12, the Home area of the Administration Console is divided into the following sections.
The Application area is the upper region of the Home area. The Application Name pane displays all applications available to the logged in user. To the right of this pane are links to screens for performing common operations such as creating new policy objects (entitlements, resources, resource types, application roles, and authorization policies) or searching defined policy objects.
The Global section is the lower right region of the Home area. This section is for objects shared across all applications and includes external role search.
The Entitlements Resource Center section is the lower left region of the Home area. It contains links to information regarding the most commonly used procedures.
Figure 1-12 The Home Area
To get more information while using the Administration Console, click the Help link located in the upper right corner (as seen in Figure 1-1). A separate window opens. From this window you can access both the online help and an embedded version of this book in HTML. After the window displays, select either Administration Console Online Help or Authorization Policy Manager Administrator's Guide from the drop-down Book list. The help topics link to the corresponding section of the embedded book as do the links in the Help's Table of Contents.