Oracle® Internet Directory Administrator's Guide
10g (9.0.4)

Part Number B12118-01
Oracle Directory Provisioning Integration Service, 4 of 5


Security and the Oracle Directory Provisioning Integration Service

This section describes the principal entities in the provisioning integration process and the privileges they need to complete various operations. It contains these topics:

  • The Need to Control Access to Provisioning Profiles

  • Entities Needing Access

  • Entry-Level Privileges Granted to Entities

  • Attribute-Level Privileges Granted to Entities

The Need to Control Access to Provisioning Profiles

There are important reasons to control access to the provisioning profiles of applications:

Entities Needing Access

The access that you grant to entities to operate on profiles depends on the delegation needs of the applications. Entities that need controlled access to the provisioning profiles are:

  • The Oracle directory integration and provisioning server

  • Provisioning administrators

  • Application entities

  • Provisioning profiles, which themselves have an identity in the directory

Applications do not automatically have the rights to create provisioning profiles. Rather, only an LDAP identity with privileges to administer provisioning profiles can create them.

Provisioning administrators are modeled as a group and can perform any operation on the provisioning profiles. All other identities have lesser privileges.

Entry-Level Privileges Granted to Entities

Table 34-1 shows the entry-level privileges granted to each entity.

Table 34-1  Entry-Level Privileges

  User Category                                          Browse  Add  Delete
  Oracle directory integration and provisioning server   Yes     No   Yes
  Provisioning administrators                            Yes     Yes  Yes
  Application entities                                   Yes     No   Yes
  Provisioning profiles                                  Yes     No   No
  All other users                                        No      No   No

Oracle directory integration and provisioning server: the server needs to browse all provisioning profiles and to delete orphaned ("rogue") profiles that an application failed to remove. It must not be able to add new provisioning profiles.

Provisioning administrators: the provisioning administrators group requires all three privileges.

Application entities: application entities cannot create provisioning profiles, nor can they view another application's profiles. Once a profile has been created for them, they can browse, modify, and delete their own profiles (modification is governed by the attribute-level privileges in Tables 34-3 and 34-4).

Provisioning profiles: provisioning profiles also have an identity in the directory. In 10g (9.0.4) this identity is not used, so it is granted only the privilege to browse itself.

All other users: no other user can browse, add, or delete provisioning profiles.

Attribute-Level Privileges Granted to Entities

Provisioning profiles contain security-sensitive attributes that need protection from unauthorized access. Table 34-2 describes them.

Table 34-2  Attribute Level Privileges Granted to Entities

  Attribute                                       Description
  userpassword                                    Stores the directory user password
  orclPasswordAttribute                           Stores the clear-text version of the directory user password
  orclODIPProfileInterfaceConnectInformation      Stores the connection information for the target application, including the password to the target system
  orclODIPProfileInterfaceAdditionalInformation   Stores any interface-specific information

Table 34-3 describes the access control on these secure attributes for the main entities that operate on provisioning profiles.

Table 34-3  Access Control for Secure Attributes

  User Category                                           Read  Write  Search  Compare
  Oracle directory integration and provisioning servers   Yes   No     Yes     Yes
  Provisioning administrators                             Yes   Yes    Yes     Yes
  Application entities                                    Yes   Yes    Yes     Yes
  Provisioning profiles                                   Yes   No     Yes     No
  All other users                                         No    No     No      No

Oracle directory integration and provisioning servers: the servers need read, search, and compare access to the secure attributes to complete their processing cycles. They do not need write access, because these attributes should be controlled only by the application entities and the provisioning administrators.

Provisioning administrators: provisioning administrators must be able to solve integration problems, which requires full access to the secure attributes.

Application entities: application entities are the real owners of the secure attributes and therefore have full access to them.

Provisioning profiles: provisioning profiles do not need to write or compare these attributes, so they receive only read and search privileges.

All other users: all other users receive no privileges on the secure attributes.

Table 34-4 shows the access control for all other attributes in the provisioning profiles.

Table 34-4  Access Control for All Other Attributes

  User Category                                           Read  Write  Search  Compare
  Oracle directory integration and provisioning servers   Yes   Yes    Yes     Yes
  Provisioning administrators                             Yes   Yes    Yes     Yes
  Application entities                                    Yes   Yes    Yes     Yes
  Provisioning profiles                                   Yes   Yes    Yes     Yes
  All other users                                         No    No     No      No

The other attributes require less strict access control than the secure attributes. Full access is given to every entity involved in the provisioning process: Oracle directory integration and provisioning servers, provisioning administrators, application entities, and provisioning profiles. All other users receive no access to these attributes.
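As an added example (not code from the Oracle documentation or from Oracle Internet Directory itself), the following POSIX shell script generates the orclaci access control items that implement Table 34-1 (entry-level privileges) together with Tables 34-3 and 34-4 (attribute-level privileges) on the entry that holds the provisioning profiles, and wraps the OID ldapsearch and ldapmodify tools to back up, apply, and spot-check the policy. The profile container DN, the two group DNs, and the use of an owner attribute with dnattr= to tie an application entity to its own profiles are assumptions (placeholders) and must be replaced with the DNs and schema actually used in your directory; the secure attribute list is the one from Table 34-2.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: OID access control
# items (orclaci) implementing Tables 34-1, 34-3 and 34-4 on the container
# that holds the provisioning profiles, plus a dump/apply/check flow using
# the OID command-line tools. Every DN and the owner attribute below are
# ASSUMPTIONS; replace them with the values in your directory.

# Assumed location of the profiles (a subtree ACI on this entry covers them).
PROFILE_CONTAINER='cn=Provisioning Profiles,cn=Changelog Subscriber,cn=Oracle Internet Directory'
# Assumed group DNs for the two privileged categories in the tables.
PROV_ADMINS='cn=Provisioning Admins,cn=Changelog Subscriber,cn=Oracle Internet Directory'
DIP_SERVERS='cn=odisgroup,cn=odi,cn=Oracle Internet Directory'
# Assumed DN-syntax attribute on each profile naming its application entity;
# "dnattr=" lets an application act only on the profiles it owns (Table 34-1).
OWNER_ATTR='owner'
# The secure attributes listed in Table 34-2.
SECURE_ATTRS='userpassword,orclPasswordAttribute,orclODIPProfileInterfaceConnectInformation,orclODIPProfileInterfaceAdditionalInformation'

# Emit the LDIF change record. One orclaci per table:
#   "access to entry"    -> Table 34-1 (browse/add/delete)
#   "access to attr=()"  -> Table 34-3 (secure attributes)
#   "access to attr!=()" -> Table 34-4 (all other attributes)
# The trailing "by * (none)" on each item is what denies "all other users".
profile_aci_ldif() {
  cat <<EOF
dn: $PROFILE_CONTAINER
changetype: modify
replace: orclaci
orclaci: access to entry by group="$PROV_ADMINS" (browse,add,delete) by group="$DIP_SERVERS" (browse,noadd,delete) by dnattr=($OWNER_ATTR) (browse,noadd,delete) by self (browse,noadd,nodelete) by * (none)
orclaci: access to attr=($SECURE_ATTRS) by group="$PROV_ADMINS" (read,search,write,compare) by dnattr=($OWNER_ATTR) (read,search,write,compare) by group="$DIP_SERVERS" (read,search,nowrite,compare) by self (read,search,nowrite,nocompare) by * (none)
orclaci: access to attr!=($SECURE_ATTRS) by group="$PROV_ADMINS" (read,search,write,compare) by dnattr=($OWNER_ATTR) (read,search,write,compare) by group="$DIP_SERVERS" (read,search,write,compare) by self (read,search,write,compare) by * (none)
EOF
}

# Usage: apply_policy HOST PORT ADMIN_DN ADMIN_PW
# Saves the current ACIs first, because "replace" discards whatever was there.
apply_policy() {
  backup="orclaci-backup-$(date +%Y%m%d%H%M%S).ldif"
  ldapsearch -h "$1" -p "$2" -D "$3" -w "$4" -b "$PROFILE_CONTAINER" -s base \
    '(objectclass=*)' orclaci > "$backup"
  tmp=$(mktemp) || return 1
  profile_aci_ldif > "$tmp"
  ldapmodify -h "$1" -p "$2" -D "$3" -w "$4" -v -f "$tmp"
  rc=$?
  rm -f "$tmp"
  echo "previous orclaci saved to $backup"
  return $rc
}

# Usage: count_visible_profiles HOST PORT BIND_DN BIND_PW
# Prints how many profile entries the given bind can see while asking for a
# secure attribute. Expected: 0 for an ordinary user (no browse, no read);
# the full number of profiles for a member of $DIP_SERVERS; only its own
# profiles for an application entity.
count_visible_profiles() {
  ldapsearch -h "$1" -p "$2" -D "$3" -w "$4" -b "$PROFILE_CONTAINER" -s one \
    '(objectclass=*)' orclODIPProfileInterfaceConnectInformation \
    | grep -c '^dn: '
}

case "${1:-}" in
  apply) shift; apply_policy "$@" ;;
  check) shift; count_visible_profiles "$@" ;;
  *)     profile_aci_ldif ;;
esac
```

Run with no arguments to print the LDIF for review, with `apply HOST PORT ADMIN_DN PW` to back up and install it, and with `check HOST PORT BIND_DN PW` as a member of each user category to confirm the directory enforces what the tables state. The check matters more than reading the LDIF: how Oracle Internet Directory resolves overlapping ACI subjects is decided by its own precedence rules, so bind as an ordinary user, an application entity, and a DIP server identity in turn and compare the visible entries and attributes against Tables 34-1 and 34-3.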


Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.