Oracle® Access Manager Introduction
10g (10.1.4.0.1)

Part Number B25342-01

Glossary

access administrator

A user able to modify data within the Access System. The Master Administrator and Master Access Administrators can modify any of this data. Delegated Access Administrators may modify only subsets of this data.

access client

An Access System component that monitors attempts to access a Web site and uses the Access Server to provide authorization and authentication services prior to completing the access requests. It can be either the Access System-provided client (WebGate) or a client that is built into an application server or standalone application by using the Access Manager API. See also AccessGate.

access control

The protection of system resources against unauthorized use. The process is regulated according to a security policy and permits only authorized system entities (users, programs, processes, or other systems) to access the resource. See also ACL (access control list).

Access Manager API

A collection of libraries, build instructions, and examples that can be used to build a customer-specific AccessGate for non-Web resources. This helps the customer to extend authorization and authentication rules to other resources in addition to URLs, and to control user interaction with applications outside of Oracle Access Manager. In this way, customers can have centralized policy information in a single system that can be leveraged across both Web and non-Web resources. This API can integrate with Java and C/C++ applications. The Java API allows application servers and other Java-based systems to leverage Oracle Access Manager infrastructure. The C/C++ API allows client/server or non-Java applications to leverage Oracle Access Manager infrastructure. The API is available as a distinct product. See also API (Application Programming Interface).

Access Manager SDK

The Software Developer Kit (SDK) is an optional component that is installed independently, as described in the Oracle Access Manager Developer Guide. The SDK provides all the information and resources you need to build a custom access client (AccessGate), as well as the Policy Manager API. In addition to the files that make up the various implementations of the Access Manager API, the SDK includes documentation and code samples that show how to construct simple AccessGate servlets or applications for each of the supported development platforms.

Access Server

This standalone server (of which there can be several instances) provides dynamic policy evaluation services for both Web-based and non-Web resources and applications. Different applications and web servers can make use of the authentication, authorization, and auditing services it provides.

Access System

This system allows companies to do policy-based authorization and Web single sign-on. Companies can set up security policies to control access to Web and non-Web resources (such as applications, content, services, and objects in applications) and audit their usage. It provides the following applications and components:

Policy Manager

Access Server

WebGate/AccessGate

Despite the change in product name from NetPoint to Oracle Access Manager, you may see the term NPAS.

Access Tester

The Policy Manager tool used to determine whether a policy domain's authentication, authorization, and auditing rules deliver the level of access control required.

AccessGate

A custom WebGate developed using the Access Manager SDK. An AccessGate is a form of access client that processes requests for Web and non-Web resources from users or applications and uses the Access Server to provide authorization and authentication services to monitor and control attempts to access a Web site. Customers can also use the Access Manager API to build a client into an application server or standalone application. Oracle Access Manager provides an out-of-the-box WebGate client. See also WebGate.

ACI (access control item)

An entry in an access control list (ACL) specifying users, their access rights, and the target entries or attributes to which those rights apply.

ACL (access control list)

The set of roles and policies used for controlling access to resources such as directories and Oracle Access Manager applications. The ACL describes the users or groups, the type of access permitted and the attributes being accessed.

action

A task within an Oracle Access Manager workflow that results in changed information (for example, a change to a user's phone number).

activate

The process followed to make a user's directory information accessible within Oracle Access Manager. See also deactivate.

actor

The participant who performs a specific action in an Oracle Access Manager workflow.

AL32UTF8

The Oracle UTF-8 character set that maps to the latest version of the Unicode Standard (Unicode 4.0) and provides support for newly defined supplementary characters.

API (Application Programming Interface)

A set of commands used to extend the capabilities of an existing application. APIs contain a library of functions and an interface that can be easily added to the application.

application

A program that performs any one of the tasks for which a computer is used. Oracle Access Manager applications include User Manager, Group Manager, Org. Manager, Policy Manager.

ASCII

Most modern character encodings have an historical basis in ASCII, which is the most common format for text files in computers and on the Internet. In an ASCII file, each alphabetic, numeric, or special character is represented with a 7-bit binary number.

attribute

A characteristic or trait associated with a directory object, which can have one or more values. For example, the object class "person" can be identified with the attribute "cn" with the specific value: "Joe Smith".

audit

The process of collecting information on Oracle Access Manager system events such as authentication success or authorization failure, and which user or administrator triggered them. This data, when presented in report form, helps Master Administrators understand Oracle Access Manager usage patterns.

audit files

Disk files that record audit information. Each Access Server and Identity Server can record audit information to a file, to the consolidated audit database, or to both.

audit file rotation

The process by which a specified audit file is closed, stamped with the date and time, and given a new name. When an audit log is closed, a new audit log file is created.

audit rule

A named filter that determines the tracking level of the authentication and authorization activities performed by an Access Server.

Auditing Services

Provide flexible and detailed recording of events in the Access System and Identity System. You can use this information both for security purposes and for monitoring Oracle Access Manager system usage. Audit files enable you to detect intrusion threats, monitor security, and create business-level reports by integrating with third party products such as Crystal Reports.

authentication

The process of establishing and proving a user's identity. In the world of brick-and-mortar business transactions, this process is often a visual one (comparing the information on a document such as a driver's license with the bearer of that document). Electronic, online transactions require a more complex authentication method.

authentication plug-in

A set of instructions for performing authentication. Oracle Access Manager provides default authentication instructions. Customers can also write their own plug-ins using the Authentication Plug-in API.

Authentication Plug-in API

An Access System standard API used to create customer-defined authentication plug-ins for use within authentication schemes and chained authentication processes in Oracle Access Manager.

authentication rule

A named logic flow that describes the process to get an authentication result, generally over a set of resources within an Oracle Access Manager policy domain. An authentication rule generally contains an authentication scheme.

authentication scheme

A named set of plug-ins that defines the challenge method and steps required to authenticate a user.

Authentication Services

Provide a generalized means to authenticate users and systems when they try to access resources protected by Oracle Access Manager. These services support not only the basic username and password authentication method but also stronger methods such as digital certificates or SecurID cards. You can further expand the authentication capabilities with the Oracle Access Manager Authentication Plug-in API. Once a user is authenticated by the authentication services, Oracle Access Manager creates a single-sign-on session for the client that frees the user from having to sign on again to access other resources or applications.

authorization

The process that determines the access permitted to users after they have been authenticated.

authorization plug-in

A set of instructions for performing authorization, which can be included in an authorization scheme to extend the set of Oracle Access Manager default authorization schemes. Customers can write their own plug-ins using the Authorization Plug-in API.

Authorization Plug-in API

An Access System standard API, used to create customer-defined plug-ins for use within authorization schemes to be used by Oracle Access Manager. This API allows customers to extend policy evaluations through dynamic call outs to custom code. As an example, a policy administrator can set a policy that allows an end user to access some resource if their bank balance exceeds a certain amount. Use the Authorization Plug-in API to check the bank balance that resides in a database.

authorization rule

A named logic flow that describes the process to be followed to get an authorization result, generally over a set of resources within an Oracle Access Manager policy domain. An authorization rule usually contains an authorization scheme.

authorization scheme

A named link to a shared library holding an authorization plug-in that defines a method to be used to authorize a user.

Authorization Services

Once a user or system is authenticated, these services specify what information they can access. They deliver the centralized, consistent management of policies across applications, while providing users granular access to Web-based content and resources. This capability gives growing e-business organizations the control and consistency they require for secure, sensitive information, while helping ensure that users and systems have easy access to the information and applications they need.

auxiliary object class

An object class that contains supplementary attributes not necessarily found in a structural object class; also called mix-in classes because they allow additional attributes to be "mixed into" an existing class. An auxiliary object class cannot stand by itself. Its attributes must be assigned to an entry that is based on an existing object class.

CA (Certification Authority)

Certifies the mapping of the public and private key pair with the subject identity (user name, email, machine name, and so on) by digital signature.

cert

A transport security mode under which the data transferred between points is encrypted using SSL and a public key certificate. Transport security between all Identity System components must match. Transport security between all Access System components must match.

certificate

A collection of data used for authentication, which uniquely associates an entity (for example, an individual, a company, or a machine) with a public encryption key. The ITU-T Recommendation X.509 is the most widely used format for providing this information. A certificate is issued by a CA.

class

In object-oriented programming, a class is a template definition of the method and variable in a particular kind of object. Specific to Oracle Access Manager, the Access Manager API uses a library based on Java classes. For directories, see object class.

class attribute

The attribute that links search results to a profile.

Cloning

Instead of using the command line or the installation GUI to install an Oracle Access Manager component, you can automatically install a component by cloning the configuration of an already-installed component. Cloning creates a copy of a component on a remote system using an already-installed component as a template.

CMS (Cryptographic Message Syntax)

The Internet standards track protocol that is used to digitally sign, digest, authenticate, or encrypt arbitrary messages.

component

A part. For Oracle Access Manager, any of its major out of the box parts, such as the Identity Server, WebPass, Policy Manager, WebGate, Access Server.

configuration data

Oracle Access Manager configuration settings (also known as Oracle specific data). See also Oracle Specific Data (OSD).

configuration DN

The node in the directory tree under which the schema information that defines all Oracle Access Manager operations is stored.

container

An object in an LDAP directory that contains other objects. For example, the object dc=yourcompany may contain the ou=marketing and ou=engineering objects. These objects may in turn contain other objects.

container limit

Specifies the maximum number of objects that a container can hold.

CSV (character-separated value)

A method of representing data that was originally stored as a number of variable length fields within a record. The data is extracted as a series of variable length text strings, separated by some defined character (often a comma). Also a file extension type, as in myfile.csv.

Data Anywhere

The data management layer (formerly known as COREid Data Anywhere) aggregates and consolidates data from RDBMS and LDAP directories into a virtual LDAP tree that can be managed by the Identity System and used to support authentication and authorization using the Access System. Data Anywhere supports multiple LDAP environments, RDBMS databases, and split directory profiles using the Oracle Virtual Directory Server (VDS, formerly OctetString VDE). See the Oracle Access Manager Installation Guide.

Data Management Services

Allow companies to set fine-grained attribute-level access controls for managing users, groups, and organizations. Setting attribute-level access controls determines self-service and modify rights. Customers can also specify a restricted searchbase used for display and modification of information for different audiences. These services reduce the costs of identity administration and enforce security for data changes.

data transport mode

See transport security mode.

data type

A syntax type describing how the values for an attribute are stored. Oracle Access Manager supports the following data types: Binary, Distinguished Name, Integer, Postal Address, String Case-insensitive, String Case-sensitive, and Telephone. The data type helps determine what display type Oracle Access Manager uses to portray that attribute.

deactivate

In the Oracle Access Manager environment, deactivate means to make objects inaccessible but not remove them from the directory. For example, users who have had their identity profiles deactivated cannot log in to the system, and their identities are not found during searches.

deactivate user

The immediate removal of a user's access privileges. Deactivation is done system-wide and without going through standard workflow processes.

default audit rule

The audit rule that applies to a policy domain if there are no more specific audit rules defined for the domain. Also called the master audit rule.

default authentication rule

The authentication rule that applies to a policy domain unless there are more specific authentication rules defined for the domain.

default authorization rule

The authorization rule that applies to a policy domain unless there are more specific authorization rules defined for the domain.

default rules

Blanket rules that apply to all resources within a policy domain, created to ensure that access is always controlled. The default rules apply for authentication, authorization, and auditing, unless overridden by more specific rules.

delegated access administrator

Administrators who have only the right to perform tasks that a Master Access Administrator delegates to them. See access administrator.

delegated identity administrator

Administrator with responsibilities delegated by the Master Identity Administrator. Delegated Identity Administrators have responsibilities for functions under the Configuration tab in each Identity System application (User Manager, Group Manager, and Organization Manager). This includes delegation administration, attribute access control, and workflow definition.

delegation

The sharing of authority. The authority to change directory information or perform tasks can be delegated. Also, the authority to delegate can itself be delegated. For example, the Oracle Access Manager Administrator delegates responsibility for the Identity System and the power to delegate to a master identity administrator who might then delegate the power to start certain workflows to a delegated identity administrator.

delete

To remove the profile information for an object from the LDAP directory. User profiles must be deactivated before you can delete them. Oracle recommends you archive your profiles before you delete them.

derived attribute

A stored pointer from an entry in one object class to a target entry in another object class, based upon matching information in the two classes.

directory

A directory is a specialized database optimized for frequent read operations. A directory organizes data in a hierarchical information model, represented as a directory tree. A tree contains entries, which are made up of attributes and their values.

directory administrator

The user responsible for maintaining the directory.

directory server

A server specifically designed to manage a directory of users and resources. The directory server provides for the retrieval and storage of data, in contrast to a web server that serves up pages from a Web site.

directory service

The collection of hardware, software, processes, and administrative policies required to make the directory's information available to users.

disable

User Manager only. Deactivates a user, which means the user cannot be recognized by the Identity System once the user's current session has ended. Deactivation takes effect the next time the user attempts to log in. Deactivating does not delete the object from the directory. This action does not require a participant.

display name

For Oracle Access Manager, the user-provided descriptive text associated with an attribute that appears in reports and screens in place of the formal directory attribute name. For example, an attribute with the name departmentnumber could be shown as "Dept. #", "Department Number", or "DEP-ID" in the Display Name field.

display type

The format in which Oracle Access Manager displays stored directory information. Display types available to an attribute are determined by its associated data type and semantic type. Examples of display types are Check Box, Multi-Line Text, and Radio Buttons.

distinguished name (DN)

A string that uniquely identifies each entry in an LDAP directory. DNs are organized in a hierarchy; each consisting of the name of an entry plus a path of names tracing the DIT (directory information tree) entry back to the root of the DIT.

DIT (directory information tree)

The directory's hierarchical structure, containing all data objects.

DLL (dynamically linked library)

See DSO (dynamic shared object). The term DLL is more common in the Windows environment, but the two terms are synonymous.

DN

Distinguished name. A string that uniquely identifies each entry in an LDAP directory. DNs are organized in a hierarchy; each consisting of the name of an entry plus a path of names tracing the entry back to the root of the directory information tree (DIT).

domain

See policy domain.

domain attribute

Domain attributes help you specify mutually exclusive sets of users, regardless of their location on the directory tree.

DSO (dynamic shared object)

The generic term for a library of software routines or data resources that has been specifically packaged to be linked with application programs when they are loaded by the operating system, or later when explicitly requested by the applications. If many running programs require services from the same library, the operating system can share elements of the library and achieve significant savings in resources. Synonym: DLL (dynamically linked library).

dynamic group

A group whose list of members is dynamically generated (for example, by evaluating an LDAP rule). Group membership can vary as users meet or do not meet the membership criteria.

dynamic member

A member of a dynamic group.

Dynamic Participants

One or more users selected based on runtime LDAP-attribute values or business logic. All possible sets of dynamic participants for a given step are specified by person, group, role, or rule in a workflow plug-in or application, which executes when workflow execution reaches that step.

embedded virtual data source

A virtual object that VDS "sees" as a target data store it can present to Oracle Access Manager or federate in a virtual directory, then present to Oracle Access Manager. Each embedded virtual data store aggregates two or more target data stores. The three types of embedded virtual data stores are: split profile, native RDBMS Join, and native RDBMS View. In general, embedded virtual data stores are suitable for authentication and authorization activities only, because they necessarily involve secondary data sources, which are sometimes not available for the full range of Oracle Access Manager identity management activities.

enable

The automated process that makes a user's directory information accessible within the Identity System. This process does not require user intervention. See also activate, deactivate, and disable.

End User

The basic Oracle Access Manager user-type.

entry

The most basic unit of information stored in a directory. Consists of one or more attributes and their values.

fat tree

A directory tree structure that contains many container objects all at the same level. For example, a fat tree may contain 150 organizations, each holding a few people, within a company.

federation

A term used to describe the method by which Oracle Virtual Directory Server (VDS) makes a data source visible in the virtual directory it presents to Oracle Access Manager. All the data for a given user profile comes from a single data store such as an LDAP directory, a single-table database, or an embedded virtual data source. Different user profiles can come from different federated data stores.

Filter Builder

Oracle Access Manager feature that helps users create dynamic LDAP filters.

flat tree

A directory tree structure that contains a large number of objects under one container. For example, a flat tree may consist of 150 people within a single organization within a company.

globalization

Provides multi-lingual applications and software products that can be accessed and run anywhere simultaneously, without modification, while rendering content according to the user's native language and locale preferences. Oracle Access Manager 10g (10.1.4.0.1) has undergone a globalization process.

granting rights

The process of assigning view, modify, and change rights to other users.

Group Manager

This application allows companies to create/delete groups, delegate group administration, and allow users to subscribe/unsubscribe from groups. Group management can be delegated.

group type

A label describing how group content is constructed. The Group Manager supports static, nested, and dynamic group types.

host ID

The label by which a computer can be identified. Labels include a host URL (such as oracle.com:80) and IP address (such as 111.111.11.1:80).

Identity Event Plug-in API

A standard component installed with the Identity Server. It enables you to extend the business logic of the Identity System by calling out to other systems before or after an event happens in the Identity System. Some of the uses of this API are to: bring data from external systems back into the Identity System; perform data validation; and pre-populate fields based on other information provided.

identity management

The creation, removal, and ongoing changes of identity information relating to individual users, groups, and organizations. The determination of whether or not a person qualifies for an access privilege. This can be determined by a specific user attribute value, membership in a group, or association with an organization.

identity profile

A collection of directory information describing a user object, such as a telephone number, password, location, and reporting relationship. See also profile.

Identity Server

This standalone server (of which there can be several instances) processes all requests related to user identity, group, organization, and credentials management.

Identity System

(Formerly the NetPoint COREid Identity System) Allows companies to create, remove, and manage ongoing changes of identity information relating to individual users, groups, and organizations. It also allows companies to manage which access privileges a user should get. The system provides the following applications and components:

User Manager

Group Manager

Organization Manager

Identity Server

WebPass

Identity Workflow

Allow customers to have a flexible workflow engine to which they can map their business processes without restrictions. Users and systems can submit requests that can go through multiple steps and be routed internally or externally. Customers can set workflow definitions for:

Creating, deleting, and modifying users, groups and organizations

Subscribing to groups and unsubscribing

Self-registration of users and organizations

Issuing, revoking, and renewing certificates

IdentityXML

Allows applications and systems to access Identity System functionality programmatically through XML. You can access the Identity System functionality without having to go through a Web browser. Applications and systems can access or modify centralized information about users, groups, organizations through XML. IdentityXML allows for cross firewall integration without the need to expose the customer directory.

idle session

A session that has generated no requests from the browser for a specified time period known as the idle session timeout. Oracle Access Manager considers such sessions to be inactive or idle. Oracle Access Manager terminates idle sessions automatically after the idle session timeout elapses.

idle session timeout

The number of minutes that must pass with no requests from the browser to consider the session to be inactive or idle. The Identity System terminates idle sessions automatically after the idle session timeout elapses. The default idle session timeout is 180 minutes. You can change this value in the Identity System Console.

Integration Services

Allow developers to leverage the capabilities of Oracle Access Manager across all of their applications and e-business efforts and extend the value of Oracle Access Manager by providing integration points with other vendors' systems and applications. These services consist of: Access Manager API, Authentication Plug-in API, Authorization Plug-in API, Identity Event Plug-in API, IdentityXML, Policy Manager API.

internationalization

The Oracle internationalization standard requires software products and applications, such as Oracle Access Manager, to be usable on any language operating system with non-US keyboards or other country-specific hardware. Applications do not have hard-coded dependencies on language strings, interoperate with non-US versions of other products, can handle multibyte characters and differences in a distributed environment, and can detect the user's desired locale. Oracle Access Manager 10g (10.1.4.0.1) meets these requirements.

ISAPI (Internet Server Application Programming Interface)

An Internet Web server extension, which Oracle Access Manager uses to communicate with Microsoft Internet Information Server (IIS). ISAPI extends the functionality of IIS by allowing programmers to create modules that add or replace functionality, such as authentication, authorization, error logging, or content generation.

Latin-1

Earlier releases of Oracle Access Manager (originally known as Oblix NetPoint) supported only the Latin-1 encoding and character set, known formally as ISO/IEC 8859 and informally as ISO 8859. ISO 8859-1 Latin-1 encodings can be represented in a single byte (8-bits) in computer memory and enable support for various Western European languages. Oracle Access Manager 10g (10.1.4.0.1) supports UTF-8 and supports backward compatibility with older environments upgraded to 10g (10.1.4.0.1). See also UTF-8.

LCA (Local Certificate Authority)

A CA located within the same firewall as your Oracle Access Manager installation.

LDAP (lightweight directory access protocol)

A standard protocol for managing information in a directory.

LDAP filter

A string of characters interpreted by LDAP to generate custom search results. Also known as an LDAP rule.

LDAP rule

Also known as an LDAP filter. See LDAP filter.

LDAP URL rule

In the Access System, a rule which follows the formal LDAP URL syntax and specifies a host, port and user combination that can be accessed.

LDIF (LDAP Data Interchange Format)

A file format used to import or export data from an LDAP directory or database. LDIF files are ASCII text files that represent data in a format that is recognizable to an LDAP directory or database.

localization

Includes translation of text that has been separated out into files. In Oracle products, including Oracle Access Manager, information is presented to the user in a manner consistent with the user's local cultural conventions, including data formatting, collation, currency, date, time, and directionality of text (right-to-left or left-to-right).

localized access control

An Oracle Access Manager feature that lets an administrator restrict users and groups to searching only a permitted domain within the LDAP directory. It also restricts delegated administrators to hiring only within permitted domains.

logging

The process of collecting information about Oracle Access Manager program execution to assess the health of Oracle Access Manager system components, administrative changes to policies, configuration, and other events. Oracle Access Manager helps administrators to specify the types of events that are logged for each Oracle Access Manager application.

Master Access Administrator

The administrator who configures the Access System, including WebGates, Access Servers, authentication parameters, and the initial set of policy domains. In addition, master access administrators assign individuals to the delegated access administrator role. Master access administrators are assigned by the Oracle Access Manager Administrator. See also access administrator.

Master Administrator

The superuser, who is empowered to configure the deployment and assign administrative tasks. The Master Administrator is assigned when the Identity System is initially installed and set up. Through the System Console, this person can create additional Master Administrators as well as Master Access Administrators and Master Identity Administrators.

master audit rule

The audit rule that applies in the absence of audit rules created at the policy domain level.

master identity administrator

The administrator authorized to configure the Identity System. In addition, master identity administrators assign individuals to be delegated identity administrators. Master identity administrators are assigned by the Master Administrator.

monitoring

The process of collecting Simple Network Management Protocol (SNMP) data for assessing the health of a network hosting an Oracle Access Manager system. See also SNMP Agent.

multibyte

Refers to an encoding scheme or character set wherein a single codepoint value generates a bit pattern that is distributed over one to four bytes. For example, Unicode 8-bit encoding standard UTF-8 characters can be 1 byte, 2 bytes, 3 bytes, or 4 bytes. In contrast, each 7-bit ASCII character occupies 1 byte.

Multi-level Identity Delegation

Enables the delegation of identity administration to multiple levels of individuals throughout an e-business network. You can delegate rights such that some users can pass on the rights they have been given or a subset of them (delegate rights), or you can prevent someone who has received rights from passing them on to others (grant rights). There is no restriction on the number of delegation levels. Delegated identity management lowers overall administrative costs by distributing work across the entire e-business network.

Multi-level Policy Delegation

Enables the delegation of access policy administration to multiple levels of individuals throughout an e-business network. You can delegate rights such that some users can pass on the rights they have been given or a subset of them (delegate rights), or you can prevent someone who has received rights from passing them on to others (grant rights). There is no restriction on the number of delegation levels. Delegated policy management lowers overall administrative costs by distributing work across the entire e-business network.

multi-table database

A database that stores in more than one table the user profile attributes that get mapped into the virtual directory.

NAP (NetPoint Access Protocol)

The original name for the Oracle Access Protocol. See Oracle Access Protocol (OAP).

nested group

A group that contains other groups as members.

nested member

A member of a nested group. Membership indicates the nested group contains one or more groups that the member belongs to (either statically or dynamically).

NetPoint Access System (NPAS)

Despite the change in product name from NetPoint to Oracle Access Manager, you may see references to NPAS. See also Access System.

NetPoint System Administrator (NPSA)

The component used for Web-based administration and configuration of the overall Oracle Access Manager system. Despite the change in product name from NetPoint to Oracle Access Manager, you may see references to NPSA.

NIP (NetPoint Identity Protocol)

The original name for the Oracle Identity Protocol. See Oracle Identity Protocol (OIP).

NSAPI (Netscape Server Application Programming Interface)

The Internet web server extension that Oracle Access Manager uses to communicate with Netscape. NSAPI extends the functionality of Netscape servers by allowing programmers to create modules that add or replace functionality, such as authentication, authorization, error logging, or content generation.

object

An entity in an LDAP directory, such as a person, group, or other resources.

object class

A group of common objects in an LDAP directory. An example is the person object class, which groups all attributes describing individuals.

object class attribute

The attribute the Oracle Access Manager applications use to reference object profiles during operations (such as search). User Manager uses an attribute that contains a user's name. Group Manager uses an attribute that contains a group's name. Organization Manager uses an attribute that contains an organization's name.

OID (Object Identifier)

A unique value identifying an LDAP attribute.

OIS (Oracle Identity Server)

The service name for the Oracle Identity Server (also known as the Identity Server). This component routes requests from the web server to perform transactions in the User Manager, Group Manager, and Organization Manager applications. This component is referred to as OIS.

open

A transport security mode where no authentication and no encryption is performed. For example, the AccessGate does not demand any proof of the Access Server's identity, and the Access Server accepts connections from all WebGates connected to it. Transport security between all Identity System components must match. Transport security between all Access System components must match.

optional attributes

During request processing, those attributes whose value specifications are defined as optional.

Oracle Access Manager

The Oracle unified solution, integrating identity management and Web access management for e-business networks. It contains two integrated modules: the Identity System (required) and the Access System (optional).

Oracle Access Protocol (OAP)

The protocol governing communications between Access System components (Policy Manager, Access Server, WebGate) and a Web server.

Oracle Identity Federation

Organizes an enterprise's user identification policies to allow a wide range of associates such as vendors, distributors and customers to access protected resources using authentication proofs from a variety of sources.

Oracle Identity Protocol (OIP)

The protocol governing communications between Identity System components (Identity Server, WebPass) and a Web server.

Oracle Specific Data (OSD)

Oracle Access Manager configuration settings (also known simply as configuration data). See also configuration data.

Organization Manager

This application allows companies to create and delete organizations and manage their ongoing changes. Organization management can be delegated.

Password Management Services

Provide comprehensive password management. Customers can specify multiple password policies, constraints on password composition, configurable password validity period and notification, forced password change, lost password management setup, and password creation/change rules.

Personalization Services

Oracle Access Manager enables personalization and Web SSO for other applications through HTTP header variables and redirection URLs. When Oracle Access Manager authenticates or authorizes user requests, the URL it returns can contain HTTP header variables, redirection URLs, or encrypted cookies. The HTTP header variables can contain any user data stored under the authenticated user's ID in the directory, thereby providing a rich source of information for personalization purposes on that particular user. The downstream application can decode this information and use it to personalize the user experience. You can also include a redirection URL in the URL returned by Oracle Access Manager after an authentication or authorization event. This redirection URL may take the user to another Web page, for example, tailored to the identity of the user. In addition to providing personalization services, an encrypted cookie can be included in the URL returned by Oracle Access Manager to enable Web single sign-on.

PKI (Public-Key Infrastructure)

A security infrastructure that provides services implemented by public key concepts and techniques.

plug-in

A component added to Oracle Access Manager to change or enhance its behavior.

policy

The set of authentication, authorization, and auditing rules that apply to one or more resource types within a policy domain. In the absence of a policy for a specific resource type, the default rules for all resource types in the policy domain apply.

policy base

The location in the DIT under which all policy data is stored.

policy-based authorization

The use of security policies for controlling access to Web and non-Web resources (such as applications, content, services, and objects in applications).

policy domain

A policy domain encompasses the resources you want to protect, the rules for protection, the policies for protection, and the administrative rights. Policy domains are defined in the Policy Manager.

Policy Manager

The application through which users can perform policy management, designation of resources (both Web and non-Web), and policy testing through simulated user access.

Policy Manager API

An Oracle Access Manager standard API (a subset of the Access Manager SDK) used to write applications that use the programmatic interface instead of the Policy Manager user interface to create, modify, delete, and retrieve policy domains and their contents and to allow custom applications to access the authentication, authorization, and auditing services of the Access Server. For more information, see Oracle Access Manager Developer Guide.

pooling

The process of defining a hierarchy of primary and secondary Access Servers. NetPoint Access System (NPAS) opens and closes connections to these Access Servers in order to evenly distribute the workload. See also NetPoint Access System (NPAS).

pooling Access Servers

The process of an Access Server opening or closing connections to Access Servers in order to maintain adequate load balancing.

Portal Inserts

Embeddable pieces of Oracle Access Manager functionality and workflows that are available as URLs and can be placed anywhere on a customer site or portal.

pre and post processing (PPP)

External actions that can take place before or after a step in an Identity System workflow. For example, an administrator can choose to have specific persons emailed after a workflow step takes place. Associated with the Identity Event Plug-in API.

Presentation Services

Allow companies to customize the user interface for the Identity System end-user applications and to integrate Oracle Access Manager functionality seamlessly into their portals. These services include: Portal Inserts and PresentationXML.

PresentationXML

Allows the Oracle Access Manager product user interface to be completely customized. The product outputs XML, and you can combine this output with the XSL style sheets that Oracle provides to change the interface to fit your needs.

profile

A set of attributes that describe an object.

Query Builder

Oracle Access Manager feature that helps users create dynamic LDAP filters. Also known as the Filter Builder.

query string variables

Variables that allow you to determine who can send certain input parameters to a program, which in turn can control the behavior of the program itself.

relative distinguished name (RDN)

The left-most (bottom) attribute value in the DN.
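The following is an added example, not part of the Oracle documentation, that illustrates both the LDIF entry above and this RDN entry: it parses a small constructed LDIF file (handling folded lines and base64 `::` values) and extracts the left-most component of each record's DN while honouring backslash-escaped commas. The records, names, and the base64 placeholder password are constructed sample data.

```python
# Added example (not from the Oracle documentation): a minimal LDIF parser and
# RDN extraction. SAMPLE_LDIF is constructed data; the userPassword value is the
# base64 encoding of the placeholder string "{SSHA}placeholder".
import base64
from typing import Dict, List

SAMPLE_LDIF = """\
dn: cn=Jane Doe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
description: a long value that is folded
  across two lines per the LDIF spec
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

dn: cn=Smith\\, John,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: Smith, John
sn: Smith
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF content records into a list of {attribute: [values]} dicts."""
    # Unfold continuation lines first: a line beginning with a single space
    # continues the previous line (RFC 2849).
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:          # the sentinel flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):       # LDIF comment line
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):      # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):    # "attr:< <url>" is not handled here
            raise ValueError("URL-valued attributes are not supported")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return records


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def rdn_of(dn: str) -> str:
    """Return the left-most (leaf) component of a DN, as defined under RDN."""
    return split_dn(dn)[0]
```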

reporting

The process of collecting Oracle Access Manager audit information in an SQL-compatible database and presenting this using one of the specially configured Crystal Report templates supplied by Oracle Access Manager.

request

An in-process workflow definition that was initiated by a user. Requests can include multiple tickets.

request ticket

See ticket.

Required attributes

When you are defining a workflow step, any attributes you set as required must have values assigned to them when a user processes this workflow.

resource

Within Oracle Access Manager, the information or activity that can be protected by the Access Server. A policy domain is an example of a protected information resource, a method within an application is an example of a protected activity.

rights

An Oracle Access Manager Administrator (also known as the Master Administrator) can assign the following kinds of rights:

View: Users with View rights can view the name and value of an assigned attribute in an object profile.

Modify: Users with Modify rights can change the value of an assigned attribute in an object profile.

Notify: Users with Notify rights receive an email notification whenever an assigned attribute is changed.

Basic: Administrators with Basic rights can assign View, Modify, or Notify permissions to users for all attributes under their control.

Grant: Administrators with Grant rights can assign basic rights to users and other administrators for all attributes under their control.

Delegate: Administrators with Delegate rights can assign grant and delegate rights to users and other administrators for all attributes under their control.

roles

The predefined lists of users. Roles can include all users, all managers, direct reports, and so on.

root directory

The first URL prefix entered into the system. This is the starting point for all policy domains.

rule, LDAP

See LDAP filter.

rule, URL

See LDAP URL rule.

rules

In Oracle Access Manager, the list of conditions during which access is allowed or denied and to which end user(s) these conditions apply. Rules also govern the way in which auditing is done.

SASL (simple authentication and security layer)

SASL provides a means for clients and servers to negotiate an authentication mechanism dynamically.

schema

A schema defines the type of information stored in a directory. It consists of object classes and attributes.

searchbase

The location in the DIT where users can begin their searches.

Security Services

Services that provide authentication, authorization, and auditing to all your applications and e-business efforts, as well as help users and administrators to manage passwords and certificates. These services include: Authentication Services, Authorization Services, Auditing Services, Password Management Services, and Certificate Management Services.

Selector

The Oracle Access Manager utility used to locate and select one or more users and groups.

self registration

The process a new user can employ to gain limited access to your system through the initiation and processing of a self-registration workflow.

self-service

The process of modifying attributes without the use of a workflow.

semantic type

Semantic types apply an Oracle Access Manager business rule to an attribute. Examples of business rules are reporting relationship and on-screen location of an end user's photo and job title.

shared secret

The feature that allows administrators to generate a cryptographic key that encrypts cookies sent from a WebGate to a browser.

signing authority

RSA signing identity that is hosted by the main domain site and can issue digital certificates to the associate domain site.

simple

A transport security mode where the communication between the Oracle Access Manager Web clients (Identity Server and WebPass, WebGate/AccessGate and Access Server, and Policy Manager and WebPass) is encrypted using TLS v1 (Transport Layer Security, RFC 2246) and protected with X.509 digital certificates and a global password. Transport security between all Identity System components must match. Transport security between all Access System components must match.

single sign-on (SSO)

The method of transparently accessing multiple protected web servers with only a single login. Users needing access to single-domain servers store a generated cookie, used for subsequent requests to the Web site. Users needing access to multi-domain servers store a cookie generated by a central Web login server; this is transparently done for each accessed server within the associated Web system.

single-table database

A single-table database does not necessarily refer to a database that contains just one table, but rather, a database that stores in just one table all the user profile attributes that get mapped into the top level virtual directory.

SNMP Agent

The Simple Network Management Protocol (SNMP) is an application-layer protocol that enables network devices to exchange information. By using SNMP-transported data (such as successful operations and failure conditions), administrators can monitor network performance and solve problems. The Oracle Access Manager SNMP agent enables you to implement SNMP-based data collection for the Identity Server and Access Server.

split profile

A special type of embedded virtual data source created from more than one data source. Each data store contributes some of the attributes necessary to complete the full set of user profile attributes that gets mapped into the VDS virtual directory. These attributes can come from LDAP directories or database tables. All the Oracle Access Manager user schema attributes must reside in the primary data store, because not all Oracle Access Manager operations can be performed on the attributes in the secondary stores. VDS can make a split profile visible to Oracle Access Manager as a standard LDAP directory. Alternatively, a split profile can be federated as part of a virtual directory. For an illustration, see the Oracle Access Manager Installation Guide.

SSL (Secure Sockets Layer)

A method for establishing an encrypted connection between a client and a server.

static group

A group whose member list is explicitly defined.

static member

A member of a static group.

Static Participants

One or more users assigned responsibility for completing a given workflow step. These users are specified in the workflow applet by person, group, role or rule.

structural object class

Structural object classes contain basic attributes required for use within Identity applications. When you create a tab within an Identity application, you must assign a structural object class to it.

subclassing

The process of creating a new object class based on an existing object class and specifying that the existing class is its superior. The new object class inherits the set of required attribute types, the set of optional attribute types, and the kind of object class from its superior.

subflow

Subflows are workflows spawned by another workflow. Subflows operate independently and can spawn subflows of their own.

substitute administrator

Substitute administrators are users who have permission to temporarily take all of your rights and responsibilities. This is useful in the case of vacations or extended leaves, where the job needs to be done but it would be too difficult administratively to remove all permissions from the absent employee and assign them to someone else.

super directory

A special type of virtual directory that facilitates namespace mapping and directory-wise searches. It can contain any combination of federated LDAP directories, RDBMS databases, and embedded virtual data sources. The embedded virtual data sources can be split profiles, native RDBMS Joins, and native RDBMS Views. The super directory, which is the only supported method for producing a single, contiguous searchbase aggregated from multiple data stores, connects to Oracle Access Manager by means of a VDS local store adapter. For details, see the Oracle Access Manager Installation Guide.

superior

The class that another class inherits some of its characteristics from in the subclassing process.

Surrogate Participants

One or more users assigned workflow ticket-processing responsibilities whenever a given static participant or dynamic participant activates the Out of Office flag in his or her user profile. The surrogate receives incoming tickets as long as that Out of Office flag remains active.

synchronizing

Synchronizing enables you to harmonize two installations of the same Oracle Access Manager component when one is more up-to-date than the other. Synchronization can be used to upgrade or repair installations on similar platforms.

ticket

A pending activity for a user to perform (usually an administrator or delegated administrator). For workflows, the ticket ID contains an appended step ID number.

Time-based Escalation

Whenever a workflow ticket is not processed within a specified interval, responsibility for processing the ticket is transferred from the original participant who failed to act to a new participant, such as the manager of the original participant. If the new participant fails to process the ticket within the specified interval, the ticket is escalated again, and so on, until it ultimately reaches the Oracle Access Manager Administrator.

transport security mode

The method used to protect the information transfer path between two points, often a client and a server. In Oracle Access Manager, the transport security mode is most often used to highlight that the transfer path is secured (for example with SSL encryption) rather than left in the clear. See the Oracle Access Manager security modes: Open, Simple, and Cert. Transport security between all Identity System components must match. Transport security between all Access System components must match.

Unicode

A universal encoded character set that enables you to store information from any language using a single character set. Unicode provides a unique code value for every character, regardless of the platform, program, or language.

Unicode standard

The universal character encoding standard that provides a unique number for every character in any language (for example, English, European languages, Asian languages). This standard forms the basis for consistency in processing, storing, and interchanging text data for software and information technology protocols on any platform, for any program. See the Unicode Consortium Web site at http://www.unicode.org/ for more information.

URI

Uniform Resource Identifier - the generic term for the unique name of any resource on a network. A URL is one kind of URI.

URL

Uniform Resource Locator - a type of URI specific to the World Wide Web.

URL pattern

The fine-grained portion of the policy domain's Web namespace is specified as a pattern. The specific URL pattern syntax is described in the Oracle Access Manager Identity and Common Administration Guide.

URL prefix

Starting point for your policy domain. The URL prefix maps to a directory on your web server's file system.

User Action Steps

Workflow steps that require explicit (non-automated) processing by a step participant.

User Manager

This application allows companies to create, remove, and manage ongoing changes in user identities and access privileges based on the user profile. User identity administration can be delegated.

UTF-8

Unicode Transformation Format 8 (UTF-8). UTF-8 is a reasonably compact, variable-width encoding scheme. Oracle Access Manager supports UTF-8 encoded data in directory servers. The UTF-8 encoding form assigns each Unicode scalar value to an unsigned byte sequence of one to four bytes in length. The UTF-8 encoding scheme serializes a UTF-8 code-unit sequence in precisely the same order as the code-unit sequence itself. The UTF-8 encoding scheme, defined in Annex D of ISO/IEC 10646:2003, is a technical equivalent to definitions in the Unicode Standard.
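The following is an added example, not part of the Oracle documentation, written from the rules stated in the multibyte and UTF-8 entries: it encodes each Unicode scalar value as one to four bytes and decodes strictly, rejecting the overlong sequences, surrogate code points, and truncated sequences that a lenient decoder would accept. All sample strings and byte sequences are constructed.

```python
# Added example (not from the Oracle documentation): a UTF-8 encoder and a
# strict decoder built from the one-to-four-byte rule the glossary states.
# The decoder rejects overlong forms (for example C0 AF as an encoding of "/"),
# surrogates and truncated input, which is the check a defender wants before
# comparing or logging an identifier that arrived as raw bytes.

def encode_scalar(cp: int) -> bytes:
    """Encode one Unicode scalar value as 1 to 4 bytes of UTF-8."""
    if cp < 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        raise ValueError(f"not a Unicode scalar value: U+{cp:04X}")
    if cp < 0x80:                       # 7-bit ASCII range: 1 byte, unchanged
        return bytes([cp])
    if cp < 0x800:                      # 2 bytes: 110xxxxx 10xxxxxx
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    if cp < 0x10000:                    # 3 bytes: 1110xxxx 10xxxxxx 10xxxxxx
        return bytes([0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F),
                      0x80 | (cp & 0x3F)])
    return bytes([0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F),   # 4 bytes
                  0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F)])


def encode(text: str) -> bytes:
    """Encode a string by serialising each scalar value's code units in order."""
    return b"".join(encode_scalar(ord(ch)) for ch in text)


def byte_lengths(text: str) -> list:
    """Per-character byte counts: the 1/2/3/4-byte behaviour of a multibyte set."""
    return [len(encode_scalar(ord(ch))) for ch in text]


# Smallest scalar value that legitimately needs a sequence of the given length;
# a smaller value encoded at that length is an overlong form.
_MIN_FOR_LENGTH = {2: 0x80, 3: 0x800, 4: 0x10000}


def decode_strict(data: bytes) -> str:
    """Decode UTF-8, raising ValueError on any malformed or overlong sequence."""
    out = []
    i = 0
    while i < len(data):
        b0 = data[i]
        if b0 < 0x80:                                   # single-byte ASCII
            out.append(chr(b0))
            i += 1
            continue
        if 0xC2 <= b0 <= 0xDF:                          # C0/C1 are always overlong
            need, cp = 2, b0 & 0x1F
        elif 0xE0 <= b0 <= 0xEF:
            need, cp = 3, b0 & 0x0F
        elif 0xF0 <= b0 <= 0xF4:                        # F5+ exceed U+10FFFF
            need, cp = 4, b0 & 0x07
        else:
            raise ValueError(f"invalid lead byte 0x{b0:02X} at offset {i}")
        if i + need > len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        for b in data[i + 1:i + need]:
            if b & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{b:02X} at offset {i}")
            cp = (cp << 6) | (b & 0x3F)
        if cp < _MIN_FOR_LENGTH[need]:
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"U+{cp:04X} is not a Unicode scalar value")
        out.append(chr(cp))
        i += need
    return "".join(out)


def is_valid_utf8(data: bytes) -> bool:
    """True only if every sequence in data is a shortest-form UTF-8 encoding."""
    try:
        decode_strict(data)
        return True
    except ValueError:
        return False
```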

UTF8

The UTF-8 encoded character set, by Oracle, based on Unicode version 2.1. Introduced with Oracle8 and 8i. Oracle9i included an updated version of the Oracle UTF8 character set to support Unicode standard 3.0. To maintain compatibility with existing installations, the UTF8 character set will remain at Unicode version 3.0.

virtual directory

A logical, aggregated directory that presents user data drawn from multiple sources, just as if all that data came from a standard LDAP directory to which a customer-defined schema has been uniformly applied. For the purposes of integration, the Oracle Virtual Directory Server (VDS) does not create permanent copies of user profiles outside the native data sources. Rather, VDS retrieves and transforms each user profile as it is requested by an Oracle Access Manager application. For details, see the Oracle Access Manager Installation Guide.

virtual directory schema

This is the schema developed by the customer for use by the top-level directory that the Oracle Virtual Directory Server (VDS) makes visible to Oracle Access Manager. It must be extended with the Oracle Access Manager user schema. Optionally, you can further extend the virtual directory schema with customer attributes drawn from the target data sources. For details, see the Oracle Access Manager Installation Guide.

Web resources

Any subset of an HTTP URL. Typically, they can be Web pages, directories, CGI scripts, or Web-enabled applications.

Web server

Program that, using the client/server model and the World Wide Web's Hypertext Transfer Protocol (HTTP), serves the files that form Web pages to Web users (whose computers contain HTTP clients that forward their requests).

Web single sign-on

Single authentication to multiple resources (applications, content, services, objects in applications). To achieve single sign-on, customers centralize the security for various resources, so that developers can reuse the centralized information and avoid having a different security scheme and user database associated with each application.

WebGate

An Oracle-provided out-of-the-box Web server plug-in access client that acts as the interface between individual Web servers and the Access Server. The WebGate intercepts HTTP requests for Web resources and forwards them to the Access Server for authentication and authorization. You can create a custom WebGate, known as an AccessGate, using the Access Manager SDK. See also AccessGate.

WebPass

This component is a plug-in that is placed on the web server to shuttle information back and forth between the web server and the Identity Server.

workflow

The automation of procedures where information or tasks are passed between participants and programs according to a defined set of business rules. Introduced into Identity applications to enable customers to automate their business processes.

workflow actions

Each step within a workflow allows one action (approval, provide info, and so on).

workflow definition

The flow of responsibility, defined actions, and responsible individuals combined together to perform the process necessary to complete a workflow type.

workflow participant

All of the people, groups, roles, and so on that can take part in a workflow step, therefore receiving a ticket.

Workflow Services

Users and systems can submit requests that can go through multiple steps and be routed internally or externally. Customers can set workflow definitions for:

Creating, deleting, and modifying users, groups and organizations

Self registration of users and organizations

Subscribing to groups and unsubscribing