Skip Headers
Oracle® Access Manager Access Administration Guide
10g (

Part Number B25990-01
Go to Documentation Home
Go to Book List
Book List
Go to Table of Contents
Go to Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Go to next page
View PDF

1 Overview of Access System Configuration and Administration

This chapter provides an overview for people who are new to Access System setup and administration.

This chapter assumes you have at least a little familiarity with the purpose of Oracle Access Manager and the Identity System. For references to these topics, see the "Preface".

This chapter discusses the following topics:

1.1 About the Access System

The Access System provides centralized authentication, authorization, and auditing to enable single sign-on and secure access control across enterprise resources. You use the Access System to set up security policies that control access to resources. Resources include Web content, applications, services, and objects in applications, and similar types of data in non-Web (non-HTTP) resources.

The Access System stores information about configuration settings and access policies in a directory server that uses Oracle Access Manager-specific object classes. You can use the same directory to store the Access System configuration settings, access policy data, and the Identity System user data, or this data can be stored on separate directory servers.

1.2 Access System Components

The Access System consists of the following components:

Policy Manager

The Policy Manager is installed on a Web server in the same directory as the Identity System component WebPass. See the Oracle Access Manager Introduction manual for an illustration that shows the location of WebPass. The Policy Manager provides a login interface to the Access System. Master Access Administrators and Delegated Access Administrators use the Policy Manager to define resources to be protected, and to group resources into policy domains. A policy domain consists of resource types to protect, rules for protection, policies for protection, and administrative rights.

The Policy Manager has a component called the Access System Console, that permits administrators to add, change, and remove Access Clients and Access Servers, configure authentication and authorization schemes, configure master audit settings, and configure host identifiers.

You do not need to configure the Policy Manager application user interface the way you do the Identity System applications.

Access Server

The Access Server is a standalone server, or several instances, that provide authentication, authorization, and auditing services. The Access Server validates credentials, authorizes users, and manages user sessions. The Access Server receives requests from an Access Client and queries authentication, authorization, and auditing rules in the directory server as follows:


The WebGate is an out-of-the-box Access Client for HTTP-based resources. WebGate is an NSAPI or ISAPI plug-in that intercepts HTTP requests for Web resources and forwards them to the Access Server.

The Access System supports single sign-on, enabling you to establish login policies that allow users to access multiple applications with a single login.

1.3 Review of Access System Installation and Setup

During installation and setup, the following Access System configuration tasks are completed:

Table 1-1 provides a review of Access System installation and setup, which is described in detail in the Oracle Access Manager Installation Guide.

Table 1-1 Overview of Access System Installation and Setup

To perform this task Read

Install the Policy Manager

Oracle Access Manager Installation Guide

Set up the Policy Manager

Oracle Access Manager Installation Guide

Install the Access Server

Oracle Access Manager Installation Guide

Install a WebGate

Oracle Access Manager Installation Guide

1.4 About Configuring Resources and Rules for Who Can Access Them

The Access System enables you to control who is allowed to access data. You can create access policies that extend beyond the Identity System applications. For example, if you have an online benefits system, you can configure access policies that only permit employees to view portions of the benefits Web site that are relevant to them. Or you can configure access policies so that external customers are allowed to see your inventory Web pages but not other corporate information.

Table 1-2 provides an overview of configuring the Access System.

Table 1-2 Overview of Access System Policy-Related Configuration

Perform this task Description Read

Enter host IDs

Map host name variations to a single Web server instance. This ensures that the Access System can process variations in information that it receives when users request resources.

"Using Host Identifiers"

Create a policy domain and define resources to protect

A resource is something you want to protect, such as a Web page, plus the actions applied to that item, for instance, an update.

A policy domain is a logical set of resources identified by fully qualified path names or URLs that you want to protect, plus the rules for protection, policies for protection, and administrative rights.

"Protecting Resources with Policy Domains"

Create policies for URL patterns

Default rules apply blanket coverage for all of the URLs in a policy domain.

You can, however, specify individual policies with their own authorization, authentication, and auditing rules for URL patterns and functions such as HTTP get, put, and so on.

"About Policy Domains and Their Policies"

Create an authentication scheme

Validate the identities of people who want to access your resources. Define the method of authentication (for instance, x.509 certificates), the plug-in used to map authentication credentials to a user's identity in the directory, and mapping to the user's DN in the directory.

"Configuring User Authentication"

Create an authorization scheme

Determine if people with valid credentials are permitted (authorized) to access particular resources, and possibly perform additional actions depending on the authorization rules.

"Configuring User Authorization"

Create a master audit rule

The Access System must have a Master Audit Rule to begin adding data to the audit log file.

The audit log file records administrative events such as clearing data from caches.

"About the Master Audit Rule".

Configure single sign-on

Single sign-on allows users to authenticate to multiple applications with one login.

"Configuring Single Sign-On"

Create a shared secret

The shared secret is used to generate the key that encrypts cookies sent between the WebGate and the user's browser.

"Creating a Shared Secret Key"


Note that before you define your policy domains and policies you may want to have already defined a few Access Administrators and configured at least one Access Server and WebGate, as mentioned in Table 1-3.

1.5 About Configuring and Managing the Access System Components

You configure the Access System by defining people who can serve as administrators, adding system components such as Access Servers and AccessGates, and setting basic system parameters.

You also manage the Access System by adding more servers, by defining caching parameters, and by extending your access policies using custom plug-ins. Table 1-3 provides an overview of managing the Access System.

Table 1-3 Overview of Managing the Access System

To perform this task Read

Configure Access Administrators

"Configuring Access Administrators and Server Settings"

Configure server settings

"Configuring Access Administrators and Server Settings"

Configure AccessGates and Access Servers

"Configuring WebGates and Access Servers"

Add Access Servers

Oracle Access Manager Installation Guide. To ease this process, you may choose to add more Access Servers using silent installation or cloning, as described in the Oracle Access Manager Installation Guide.

Install Access Manager SDK

Oracle Access Manager Developer Guide

Add non-HTTP access clients

Oracle Access Manager Developer Guide

Manage caching

Oracle Access Manager Deployment Guide