Oracle® Internet Directory Administrator's Guide 10g (9.0.4) Part Number B12118-01
Delegation of Privileges for an Oracle Technology Deployment, 5 of 5
Many Oracle components administer user entries in Oracle Internet Directory and need the corresponding privileges. For example, to authenticate end users against the directory, the Oracle Application Server Single Sign-On server needs permission to compare user passwords, and to set up the Oracle Application Server Single Sign-On cookie it needs permission to read user attributes.
In general, Oracle components can require these privileges:
Most Oracle components ship with a preconfigured set of privileges. You can change these default privileges to satisfy specific business requirements--for example, by removing privileges to create and delete user entries.
See Also:
Oracle Application Server 10g Security Guide for further information about the component delegation model
This section describes the security privileges required by Oracle components. It contains these topics:
Reading and modifying user passwords requires administrative privileges on the security-related attributes in the directory--for example, the userPassword attribute. It requires membership in the User Security Administrators Group described in Table 17-14.
Comparing user passwords requires permission to compare a user's userPassword attribute. This operation is performed by components such as Oracle Unified Messaging that authenticate end users by using their passwords stored in Oracle Internet Directory. Comparing user passwords requires membership in the Authentication Services Group described in Table 17-15.
To compare password verifiers, a user must have permission to compare the userPassword attribute. Comparing password verifiers requires membership in the Verifier Services Group described in Table 17-16.
A proxy user has the privilege to impersonate an end user, performing on that user's behalf those operations for which that user has privileges. In an Oracle Application Server environment, Oracle Delegated Administration Services proxies on behalf of the end user and, through the Oracle Internet Directory Self-Service Console, performs operations on that user's behalf. In such a case, the access controls on the directory server ultimately govern the operations that the user can perform: proxying never grants more than the impersonated user already has.
Proxying on behalf of end users requires membership in the User Proxy Privilege Group described in Table 17-17.
To manage a specific Oracle Context, a user must have complete access to it. Managing an Oracle Context requires membership in the Oracle Context Administrators Group described in Table 17-18. An Oracle Context Administrators Group exists for each Oracle Context and has administrative permission in the specific Oracle Context.
Common user attributes are: mail, orclguid, displayname, preferredlanguage, orcltime, gender, dateofbirth, telephonenumber, and wirelessaccountnumber. Reading these attributes requires membership in the Common User Attributes Group described in Table 17-19.
Common group attributes are: cn, uniquemember, displayname, and description. Reading these attributes requires membership in the Common Group Attributes Group described in Table 17-20.
Copyright © 1999, 2003 Oracle Corporation. All Rights Reserved.