Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Oracle Directory Provisioning Integration Service, 4 of 5
This section describes the principal entities in the provisioning integration process and the privileges they need to complete various operations. It contains these topics:
There are important reasons to control access to the provisioning profiles of applications:
The access that you grant to entities to operate on profiles depends on the delegation needs of the applications. Entities that need controlled access to the provisioning profiles are:
cn=odisgroup,cn=odi,cn=oracle internet directory
cn=Provisioning Admins, cn=Provisioning Profiles...
orclGUID attribute is orclODIPProvisioningAppGUID)
Applications do not automatically have the rights to create provisioning profiles. Rather, only an LDAP identity with privileges to administer provisioning profiles can create them.
Provisioning administrators are modeled as a group and can perform any operation on the provisioning profiles. All other identities have lesser privileges.
Table 34-1 shows the entry-level privileges granted to each entity.
Provisioning profiles contain security-sensitive attributes that need protection from unauthorized access. Table 34-2 describes them.
Table 34-3 describes the access control for the secure attributes for the main entities operating on the provisioning profiles.
Table 34-4 shows the access control for all other attributes in the provisioning profiles.
Unlike the secure attributes, the other attributes require less strict access control. Full access is given to all entities involved in the provisioning process: Oracle directory integration and provisioning servers, provisioning administrators, application entities, and provisioning profiles. All other users receive no access to these attributes.
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.