Oracle® Application Server 10g Security Guide 10g (9.0.4), Part No. B10377-01
This chapter discusses Oracle Application Server support for privilege delegation. It contains the following topics:
In an enterprise environment, you often deploy multiple applications against a shared infrastructure. For instance, you may have both your HR application and your sales application hosted in the same application server. These separate applications have separate administrators, but both depend on the security infrastructure supplied by the Oracle Internet Directory server.
Using the delegation model, a global administrator can delegate to realm administrators the privileges to create and manage the identity management realms for hosted companies. Realm administrators can, in turn, delegate to end users and groups the privileges to change their application passwords, personal data, and preferences. Each type of user can thus be given the appropriate level of privileges.
To delegate the necessary privileges, you assign the user to the appropriate administrative group. For example, suppose that you store data for both enterprise users and the e-mail service in the directory, and need to specify a unique administrator for each set of data. To specify a user as the administrator of enterprise users, you assign that user to, say, the Enterprise User Administrators Group. To specify a user as the administrator of the e-mail services, you assign that user to, say, the E-mail Service Administrators Group.
As Figure 5-1 shows, in an Oracle Application Server environment the directory super user creates:
The realm administrator, in turn, delegates administration of the Oracle Context to specific users by assigning those users to the Oracle Context Administrators Group. Oracle Context Administrators then delegate administration of the Oracle Application Server to one or more users by assigning them to the Oracle Application Server Administrators Group. These administrators install and administer Oracle Application Server components and delegate administration of user and group data to other administrators. The latter can, in turn, delegate administration of user and group data to others.
If you are working in an existing Oracle Internet Directory, you must work with the Oracle Internet Directory administrator to ensure that you have the following privileges:
To delegate administrative privileges, the Oracle Internet Directory super user does the following:
This realm administrator, in turn, delegates certain privileges that Oracle components require to the Oracle-defined roles (for example, Oracle Application Server administrators). The Oracle components receive these roles when they are deployed.
In addition to delegating privileges to roles specific to Oracle components, the realm administrator can also define roles specific to the deployment (for example, a role for help desk administrators) and grant privileges to those roles. These delegated administrators can, in turn, grant these roles to end users. In fact, because a majority of user management tasks involve self-service, such as changing a phone number or specifying application-specific preferences, these privileges can be delegated to end users by both the realm administrator and Oracle component administrators.
In the case of a group, one or more owners--typically end users--can be identified. If they are granted the necessary administrative privileges, then these owners can manage the group by using Oracle Internet Directory Self-Service Console, Oracle Directory Manager, or command-line tools.
This release of Oracle Application Server provides fine-grained control over system administration and management privileges. This allows you to:
The new privilege model supports the following user roles:
Responsible for installing and uninstalling applications. This administrative privilege is distinct from the next privilege, Oracle Application Server Application Administrator.
Responsible for managing the roles and privileges used within an application.
Responsible for managing Oracle Internet Directory and other Identity Management technologies.
Has no responsibilities; runs the application and has only the permissions granted by the application.
Many Oracle components administer user entries in Oracle Internet Directory and need the corresponding privileges. For example:
To do this, the Oracle Application Server Single Sign-On server needs permission to compare user passwords. To set up the Oracle Application Server Single Sign-On cookie, it needs permission to read user attributes.
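As an added illustration (not Oracle code, and not Oracle Internet Directory's real access-control syntax or group names), the following Python models the delegation chain from the sections above in memory: the directory super user delegates a realm to a realm administrators group, which delegates the Oracle Context, which in turn delegates to Application Server administrators. The realm administrator separately gives a constructed help desk group write access to phone numbers only, gives a Single Sign-On server group compare access to passwords plus read access to a few attributes, and lets group owners edit their own group's membership. Every DN, group name, permission name and the `Rule` format are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

SUPER_USER = "cn=orcladmin"       # constructed: stands in for the directory super user
OWNERS = "<owners-of-target>"     # sentinel: the rule applies to a group's own owners


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)
    members: set = field(default_factory=set)  # member DNs (group entries)
    owners: set = field(default_factory=set)   # owner DNs (group entries)


@dataclass(frozen=True)
class Rule:
    """Members of group_dn get perms on attrs (None = the entry itself) at or below scope."""
    scope: str
    group_dn: str
    perms: frozenset
    attrs: Optional[frozenset] = None


def _in_scope(target: str, scope: str) -> bool:
    t, s = target.lower(), scope.lower()
    return t == s or t.endswith("," + s)


class Directory:
    def __init__(self) -> None:
        self.entries, self.rules = {}, []

    def add(self, entry: Entry) -> None:
        self.entries[entry.dn.lower()] = entry

    def is_member(self, user_dn: str, group_dn: str) -> bool:
        group = self.entries.get(group_dn.lower())
        return group is not None and user_dn.lower() in {m.lower() for m in group.members}

    def allowed(self, user_dn: str, target_dn: str, perm: str, attr: Optional[str] = None) -> bool:
        """True if some rule in scope grants user_dn 'perm' on target_dn (or on one attribute of it)."""
        if user_dn.lower() == SUPER_USER.lower():
            return True  # the super user is not subject to delegated rules
        target = self.entries.get(target_dn.lower())
        for r in self.rules:
            if not _in_scope(target_dn, r.scope) or perm not in r.perms:
                continue
            if (attr is None) != (r.attrs is None):
                continue  # entry-level rule vs attribute-level request, or vice versa
            if attr is not None and attr.lower() not in {a.lower() for a in r.attrs}:
                continue
            if r.group_dn == OWNERS:
                holds = target is not None and user_dn.lower() in {o.lower() for o in target.owners}
            else:
                holds = self.is_member(user_dn, r.group_dn)
            if holds:
                return True
        return False

    def delegate(self, granter_dn: str, rule: Rule) -> None:
        """Delegating is itself a privilege: only a holder of 'admin' on the scope entry may add a rule there."""
        if not self.allowed(granter_dn, rule.scope, "admin"):
            raise PermissionError(f"{granter_dn} may not delegate within {rule.scope}")
        self.rules.append(rule)


REALM = "dc=example,dc=com"  # constructed realm; all names below are constructed too
USERS, GROUPS = f"cn=Users,{REALM}", f"cn=Groups,{REALM}"
CTX = f"cn=OracleContext,{REALM}"
ALICE, BOB, CAROL, DAVE, SSO = (f"cn={u},{USERS}" for u in ("alice", "bob", "carol", "dave", "sso"))
REALM_ADMINS, CTX_ADMINS, AS_ADMINS, HELPDESK, SSO_SERVERS, SALES = (
    f"cn={g},{GROUPS}" for g in ("RealmAdmins", "OracleContextAdmins", "ASAdmins", "HelpDesk", "SSOServers", "Sales"))
ADMIN = frozenset({"admin", "browse", "add", "delete"})


def build_demo() -> Directory:
    """Walks the chain: super user -> realm admins -> Oracle Context admins -> AS admins, plus end-user delegation."""
    d = Directory()
    for dn in (REALM, USERS, GROUPS, CTX):
        d.add(Entry(dn))
    for dn in (ALICE, BOB, CAROL, DAVE, SSO):
        d.add(Entry(dn, {"telephonenumber": "000", "userpassword": "secret"}))
    for group, members in ((REALM_ADMINS, {ALICE}), (CTX_ADMINS, {BOB}), (AS_ADMINS, {CAROL}),
                           (HELPDESK, {DAVE}), (SSO_SERVERS, {SSO})):
        d.add(Entry(group, members=set(members)))
    d.add(Entry(SALES, owners={DAVE}))  # an end user owns a group without any admin group membership
    d.delegate(SUPER_USER, Rule(REALM, REALM_ADMINS, ADMIN))    # super user -> realm administrators
    d.delegate(ALICE, Rule(CTX, CTX_ADMINS, ADMIN))               # realm admin -> Oracle Context admins
    d.delegate(BOB, Rule(CTX, AS_ADMINS, ADMIN - {"admin"}))      # context admin -> AS admins, no onward delegation
    d.delegate(ALICE, Rule(USERS, HELPDESK, frozenset({"write"}), frozenset({"telephonenumber"})))
    d.delegate(ALICE, Rule(USERS, SSO_SERVERS, frozenset({"compare"}), frozenset({"userpassword"})))
    d.delegate(ALICE, Rule(USERS, SSO_SERVERS, frozenset({"read"}), frozenset({"cn", "mail", "telephonenumber"})))
    d.delegate(ALICE, Rule(GROUPS, OWNERS, frozenset({"write"}), frozenset({"uniquemember"})))
    return d


def demo_checks() -> dict:
    d = build_demo()
    try:
        d.delegate(CAROL, Rule(CTX, HELPDESK, ADMIN))  # AS admins were not given 'admin', so cannot delegate
        carol_blocked = False
    except PermissionError:
        carol_blocked = True
    return {
        "sso_compares_password": d.allowed(SSO, ALICE, "compare", "userPassword"),
        "sso_cannot_read_password": not d.allowed(SSO, ALICE, "read", "userPassword"),
        "helpdesk_edits_phone": d.allowed(DAVE, BOB, "write", "telephoneNumber"),
        "helpdesk_cannot_reset_password": not d.allowed(DAVE, BOB, "write", "userPassword"),
        "owner_manages_own_group": d.allowed(DAVE, SALES, "write", "uniqueMember"),
        "owner_not_other_groups": not d.allowed(DAVE, HELPDESK, "write", "uniqueMember"),
        "as_admin_installs_under_context": d.allowed(CAROL, f"cn=MyApp,{CTX}", "add"),
        "as_admin_cannot_delegate": carol_blocked,
    }
```

The two design points worth noticing: every privilege is resolved through group membership (or group ownership), exactly as the text prescribes, and the right to delegate is itself a scoped privilege, so an administrator lower in the chain cannot widen anyone's access beyond the subtree they were given. The Single Sign-On entry shows the least-privilege split the text describes: `compare` on the password attribute is enough to verify a credential without being able to read it.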
In general, Oracle components can require these privileges:
For a comprehensive discussion of privilege delegation, see the Oracle Internet Directory Administrator's Guide.
Copyright © 2003 Oracle Corporation. All Rights Reserved.