Oracle® Identity Management Infrastructure Administrator's Guide
10g (10.1.4.0.1)

Part Number B15994-01

4 Identity Management Infrastructure Administration and Usage

This chapter describes how to administer and use the identity management infrastructure, including administering users with Oracle Delegated Administration Services, as well as considerations for administering the infrastructure itself.

Considerations for supporting Oracle and third-party application deployments with the identity management infrastructure are also described.

This chapter contains the following topics:

  • Administering the Identity Management Infrastructure

  • Delegating Identity Management Infrastructure Administration

4.1 Administering the Identity Management Infrastructure

After a successful deployment, a number of administrative tasks are involved in managing the identity management infrastructure: routine monitoring, managing its individual components, and managing the enterprise data stored within it.

This section contains the following topics:

  • Routine Monitoring of the Identity Management Infrastructure

  • Managing Individual Identity Management Infrastructure Components

  • Managing Enterprise Data in the Identity Management Infrastructure

4.1.1 Routine Monitoring of the Identity Management Infrastructure

Table 4-1 describes the various tasks, tools, and references necessary to perform routine monitoring of the identity management infrastructure.

Table 4-1 Routine Monitoring Tasks

Task: Monitoring the status and performance of the Oracle Internet Directory server
Tools:
  • Identity Management Grid Control Plug-in
  • Application Server Control
  • LDAP command-line tools

Task: Monitoring the status of Oracle Directory Integration Platform
Tools:
  • Identity Management Grid Control Plug-in
  • Application Server Control

Task: Monitoring the status of Oracle Delegated Administration Services
Tools:
  • Identity Management Grid Control Plug-in
  • Application Server Control

Task: Monitoring the status of OracleAS Single Sign-On
Tools:
  • Identity Management Grid Control Plug-in
  • Application Server Control


4.1.2 Managing Individual Identity Management Infrastructure Components

Table 4-2 describes the various tasks, tools, and references necessary for managing individual components of the identity management infrastructure.

Table 4-2 Managing Identity Management Infrastructure Components

Task: Starting and stopping directory services
Tools:
  • Identity Management Grid Control Plug-in
  • Application Server Control
  • oidctl command-line tools

Task: Configuring directory services
Tools:
  • Oracle Directory Manager
Additional References: Oracle Internet Directory Administrator's Guide

Task: Starting and stopping Oracle Directory Integration Platform services
Tools:
  • oidctl command-line tools
Additional References: Oracle Identity Management Integration Guide

Task: Configuring Oracle Directory Integration Platform
Tools:
  • Oracle Directory Manager
  • Oracle Directory Integration Platform Assistant
Additional References: Oracle Identity Management Integration Guide

Task: Starting and stopping Oracle Delegated Administration Services
Tools:
  • Identity Management Grid Control Plug-in
  • Application Server Control
  • opmnctl command-line tools

Task: Configuring Oracle Delegated Administration Services
Tools:
  • Oracle Delegated Administration Services Configuration tab
Additional References: Oracle Identity Management Guide to Delegated Administration

Task: Starting and stopping OracleAS Single Sign-On
Tools:
  • Application Server Control
  • opmnctl command-line tools

Task: Registering a partner application with OracleAS Single Sign-On
Tools:
  • ossoreg.jar registration tool
Additional References: Oracle Application Server Single Sign-On Administrator's Guide



4.1.3 Managing Enterprise Data in the Identity Management Infrastructure

In addition to monitoring and managing individual components, enterprises must manage their own data (users, groups, applications, and policies) within the identity management infrastructure. Table 4-3 describes the tasks, tools, and references available for this.

Table 4-3 Managing Enterprise Data

Task: User management (adding, deleting, and modifying users)
Tools:
  • Oracle Delegated Administration Services
  • LDAP command-line tools
  • Oracle Directory Manager
Additional References: Oracle Internet Directory Administrator's Guide

Task: Group management (adding, deleting, and modifying groups)
Tools:
  • Oracle Delegated Administration Services
  • LDAP command-line tools
  • Oracle Directory Manager
Additional References: Oracle Internet Directory Administrator's Guide

Task: Application deployment security management
Tools:
  • Oracle Delegated Administration Services
  • LDAP command-line tools
  • Oracle Directory Manager

Task: Delegation of privileges
Tools:
  • Oracle Delegated Administration Services
  • LDAP command-line tools
  • Oracle Directory Manager
Additional References: Oracle Internet Directory Administrator's Guide

Task: OracleAS Single Sign-On partner and external applications administration
Tools:
  • OracleAS Single Sign-On Administration Application
Additional References: Oracle Application Server Single Sign-On Administrator's Guide


4.2 Delegating Identity Management Infrastructure Administration

The delegation model supported by the identity management infrastructure is customizable to align with the security requirements of the enterprise. A deployment uses the identity management infrastructure to manage enterprise identities, to manage enterprise groups and roles, and to manage the applications that rely on those identities and groups.

This section contains the following topics:

  • Delegating User Management

  • Delegating Group Management

  • Delegating Component Deployment and Administration

  • Oracle Internet Directory Delegated Administration Services

4.2.1 Delegating User Management

As shown in Figure 4-1, the final targets for delegation of user management privileges are either Oracle components that use the identity management infrastructure or end users. A privilege can be delegated to either an identity, such as a user or an application, or to a role or group.

In a typical deployment, the Oracle Internet Directory super user creates an identity management realm and identifies a special user in that realm to be the identity management realm administrator. The super user delegates all privileges to the new identity management realm administrator who, in turn, delegates certain privileges required by Oracle components to the Oracle defined roles, such as Oracle Application Server administrators. The Oracle components are granted these roles when they are deployed.

In addition to delegating the necessary privileges to Oracle defined roles, the realm administrator can also define deployment-specific roles, such as help desk administrator, and delegate specific privileges to them. The respective administrators, in turn, grant these roles to the users.

Because most of the user management tasks are self-service oriented, such as changing phone numbers, language preferences, and application specific preferences stored in Oracle Internet Directory, these privileges can be delegated to the users by both the realm administrator and the Oracle application components.

4.2.2 Delegating Group Management

As with delegating user management, the final targets for delegation of group management privileges are either Oracle components that use the identity management infrastructure, or users, as shown in Figure 4-1.

The Oracle Internet Directory super user delegates all group-related privileges within the realm to the identity management realm administrator who, in turn, delegates certain group management privileges required by Oracle components to the Oracle defined roles. The Oracle components are granted these roles when they are deployed.

In addition to delegating the necessary privileges to Oracle defined roles, the realm administrator can also define deployment-specific roles, such as help desk administrator, and delegate specific privileges to them. The respective administrators, in turn, grant these roles to users.

Once a group is created, one or more owners of the group can be identified and all subsequent management of the group can be delegated to the owners, who are typically users. These owners can use the self-service console to manage the groups based on the privileges granted to them.

Figure 4-1 Delegating User and Group Management Privileges (figure not reproduced here; the delegation paths it shows are described in the preceding text)

4.2.3 Delegating Component Deployment and Administration

The set of privileges required for Oracle component deployment and administration can be separated into two categories: deployment-time privileges and run-time privileges.

Deployment-time privileges are those required to create the appropriate entries in the directory and to store the component's meta-information in a common repository. Because the repository is centralized, the component can then be run from multiple nodes without any further administrative steps.

Run-time privileges refer to those privileges that are required to facilitate the run-time interactions of Oracle components within the identity management infrastructure. These include the privileges to view user attributes, add new users, and modify the group membership. For all Oracle components, the component-specific administration tool requires a certain set of privileges to access, or make appropriate entries into, Oracle Internet Directory.

Figure 4-2 illustrates the delegation of deployment-time and run-time privileges in the identity management infrastructure.

Figure 4-2 Delegating Deployment-time and Run-time Privileges (figure not reproduced here; the privilege grants it shows are described in the following text)

In Figure 4-2, note that the super user grants deployment privileges to groups. During deployment, those privileges are conferred on the users who install specific Oracle components by making them members of those groups. As part of the installation process, the component installer then grants specific run-time privileges to the component.


Note:

Even though most Oracle components ship with a preconfigured set of privileges, it is always possible to change the privileges to satisfy specific business requirements.
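The delegation chain described in Sections 4.2.1 through 4.2.3 (super user to realm administrator, realm administrator to a deployment-specific role, group owners managing their own group, and deployment-time versus run-time privileges) can be expressed directly as Oracle Internet Directory access control items. The following LDIF is an added example, not taken from this guide or shipped with the product. The realm dc=example,dc=com, the user and group names outside cn=OracleContext (HelpDeskAdmins, ProjectX, jsmith, alee, installer) and the application entity DN orclApplicationCommonName=myapp are assumed for illustration; the groups under cn=OracleContext are those a default 10g realm creates, and their exact names should be confirmed in your own directory before applying anything.

```ldif
# Added example (not from this guide). Assumed names: realm dc=example,dc=com,
# realm administrator cn=orcladmin,cn=Users,dc=example,dc=com, deployment-defined
# groups HelpDeskAdmins and ProjectX, the users jsmith, alee and installer, and the
# hypothetical application entity orclApplicationCommonName=myapp.

# 1. Super user -> realm administrator (Section 4.2.1): every entry- and
#    attribute-level privilege on the realm subtree, applied by the super user.
dn: dc=example,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by dn="cn=orcladmin,cn=Users,dc=example,dc=com" (browse,add,delete)
orclaci: access to attr=(*) by dn="cn=orcladmin,cn=Users,dc=example,dc=com" (read,search,write,compare)

# 2. Realm administrator -> deployment-specific role (Section 4.2.1): define the
#    help desk group and delegate only what a help desk needs (find users, reset
#    passwords). Users keep the right to change their own password (self-service).
dn: cn=HelpDeskAdmins,cn=Groups,dc=example,dc=com
changetype: add
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclGroup
cn: HelpDeskAdmins
description: Deployment-specific role: password resets only
uniquemember: cn=jsmith,cn=Users,dc=example,dc=com

# Deliberately NOT "access to attr=(*) ... (read,search,write,compare)": that would
# let the help desk rewrite any attribute, including ones that confer privileges.
dn: cn=Users,dc=example,dc=com
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=HelpDeskAdmins,cn=Groups,dc=example,dc=com" (browse,noadd,nodelete)
orclaci: access to attr=(userpassword) by group="cn=HelpDeskAdmins,cn=Groups,dc=example,dc=com" (write) by self (write,compare)

# 3. Group owners (Section 4.2.2): the realm administrator creates the group and
#    hands all further management to its owner via an entry-level ACI.
dn: cn=ProjectX,cn=Groups,dc=example,dc=com
changetype: add
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclGroup
cn: ProjectX
owner: cn=alee,cn=Users,dc=example,dc=com
uniquemember: cn=alee,cn=Users,dc=example,dc=com
orclentrylevelaci: access to entry by dnattr=(owner) (browse,noadd,nodelete)
orclentrylevelaci: access to attr=(*) by dnattr=(owner) (read,search,write,compare) by * (read,search,nowrite,nocompare)

# 4. Deployment-time privilege (Section 4.2.3): the installing user is placed in
#    an Oracle-defined deployment group before installing a component.
dn: cn=iASAdmins,cn=Groups,cn=OracleContext,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=installer,cn=Users,dc=example,dc=com

# 5. Run-time privilege (Section 4.2.3): after installation, the component's
#    application entity is granted the right to create users.
dn: cn=OracleDASCreateUser,cn=Groups,cn=OracleContext,dc=example,dc=com
changetype: modify
add: uniquemember
uniquemember: orclApplicationCommonName=myapp,cn=Products,cn=OracleContext,dc=example,dc=com
```

Apply step 1 bound as the super user and the remaining steps bound as the realm administrator, for example with the Oracle ldapmodify tool: ldapmodify -h host -p port -D "cn=orcladmin" -w password -f delegation.ldif. Because Oracle Internet Directory resolves overlapping ACIs by its own precedence rules (see the Oracle Internet Directory Administrator's Guide), verify the effective result rather than trusting the intent: bind as jsmith and modify userpassword on a test user (expected to succeed), then attempt to add a uniquemember to a privilege group under cn=OracleContext (expected to fail with LDAP result code 50, insufficientAccessRights).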

4.2.4 Oracle Internet Directory Delegated Administration Services

Oracle Delegated Administration Services allows the enterprise to assign administrative responsibilities according to the business requirements. It provides different levels of security policies for different components of the enterprise, such that specific administrators, or sets of administrators, can independently manage access to their resources, and yet not create different silos of security information.

The Oracle Internet Directory-based multitier delegation architecture supports millions of users across multiple realms, management domains, applications, business units, and geographies. In combination with the centralized repository, the identity management infrastructure enables decentralized administration and lowers the total cost of ownership.

One of the challenges faced by application designers is invoking user management and resource management with consistent security and usage semantics across applications. For example, if multiple applications need to manage groups, they should not each be required to understand the steps involved in implementing group management or the directory access control list (ACL) semantics.

The user interfaces for the identity management infrastructure system privileges can be divided into various delegated administration service units (DAS service units), which can then be combined by the application console. For example, if the application console needs to be used to modify a user attribute, it would integrate the link for the appropriate DAS service unit in its console or portal page, without having to create the user interface.

The various DAS service units can also be used to build self-service applications for updating attributes such as language preferences and home address. Thus, the DAS service unit-based integration approach provides consistent security semantics, a consistent usage model, and reuse of components.