Skip Headers
Oracle® Beehive Concepts
Release 1 (1.4)

Part Number E13794-02
Go to Documentation Home
Go to Book List
Book List
Go to Table of Contents
Go to Index
Go to Feedback page
Contact Us

Go to previous page
Go to next page
View PDF

7 Oracle Beehive Security Concepts

This module provides a high-level overview of the Oracle Beehive features and concepts related to several aspects of security, and includes the following topics:

Goals of Security in Oracle Beehive

In Oracle Beehive, security is a critical, and perhaps the most important, aspect of the system. Oracle Beehive provides a comprehensive approach to security that encompasses all levels of the system and that is designed to achieve the following goals:

Key Security-related Terms and Concepts in Oracle Beehive

This section provides an overview of fundamental terms related to security in Oracle Beehive, including:


Privileges are system-defined access rights to various functions within Oracle Beehive. Some privileges grant users access to services such as e-mail, instant messaging, and time management. Other privileges grant administrators access to auditing, user administration, and role management functions. By default, the system grants users privileges to a core set of functions encapsulated by roles.


Roles are predefined sets of privileges, or role definitions, that may be assigned to users and groups within team workspaces. Roles determine what privileges assignees may possess, such as the workspace features and content that users can or cannot access. Roles are convenient because they enable administrators and users to provide several different layers of privileges to heterogeneous user populations.

Roles may be assigned manually to specific users. Users and groups may also be associated with role definitions for specific scopes, such as a workspace. This is referred to as an assigned role.

Users may be assigned more than one role per team workspace. Typically, workspace coordinators are responsible for creating and assigning roles.

Authentication in Oracle Beehive

Authentication is the process of identifying a user for the purpose of granting or denying the user access to the system. Typically, authentication is achieved through verification of user-provided credentials, such as a username and password. Authentication is a prerequisite for other Oracle Beehive security measures, such as access control, authorization, and accountability.

Oracle Beehive supports and manages robust and stringent user authentication through the Authentication Service. The Authentication Service provides support for a variety of authentication providers, including local authentication providers, existing LDAP servers, and Web-based SSO providers. It also provides user-based authentication features such as automatic login and account lockout on repeated authentication failures.

Oracle Beehive also supports Simple Authentication and Security Layer (SASL), which is a method for adding authentication support to connection-based protocols. To use SASL, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If the use of SASL is successfully negotiated, then a security layer is inserted between the protocol and the connection.

Authorization and Access Control in Oracle Beehive

Authorization is the process of granting or denying a user access to services, features, and entities, such as artifacts. Authorization ensures that the system grants actors access to entities in compliance with the security policies defined for those entities. Access decisions are based on the authenticated identity and the privileges given to the requesting user.

Authorization is a superset of access control, which is the mechanism that grants or denies Oracle Beehive users the ability to perform various actions such as to create, view, modify, or delete entities. With Oracle Beehive, access control can be applied explicitly on entities through access control list (ACLs). For example, a user can specify that a particular piece of content (a text file) can only be viewed by a particular group of users, while it can be viewed, modified, and deleted by another group of users. Additionally, access control can be applied to users implicitly through the use of roles.

For more information, refer to one or more of the following related topics:

Access Control Lists (ACLs)

An ACL is a list of one or more access control entries (ACEs) that applies to a specific entity in Oracle Beehive and that defines who can access the entity and with what privileges. ACLs can also be used to explicitly deny certain users or groups access to entities.

Oracle Beehive supports the following types of ACLs:

Local ACLs (LACLs)

LACLs are unnamed access control lists that apply to individual entities. When an administrator or user specifies who can access an entity and how they may access it, Oracle Beehive creates a LACL and applies it to the entity.

Sensitivity ACLs

A sensitivity ACL (or sensitivity) is a named ACL that administrators and users can define and apply to entities within a given workspace. Sensitivities solve the usability problem of having too fine-grained control or not enough control. Common sensitivities include private, confidential, normal, and public.

A sensitivity can be applied to multiple entities in a workspace simultaneously, enabling users to group multiple entities into the same access control category. Oracle Beehive allows administrators and users to define and apply any number of sensitivities, although Oracle Beehive Integration for Outlook (OBIO) users may only apply existing sensitivities defined by users provisioned in Oracle Beehive.

Access Control Entries (ACEs)

An ACE is an entry in an ACL of an Oracle Beehive entity, such as a file, folder, workspace, or calendar. Each ACE contains the following values:

  • Accessor: The other entities, such as users or groups, whose access to an entity is explicitly defined.

  • Access type: The allowable methods for accessing an entity, such as read, write, discover, execute, and delete.

  • Access qualifier: Whether each defined accessor is granted or denied access to the entity for each supported access type.

Access Types

The access type is the component of an ACE that specifics how a user may access an object, if at all. An ACE can include one or more of the following access types:

  • Read

  • Write

  • Discover

  • Execute

  • Delete

Auditing in Oracle Beehive

Auditing is the act of capturing and evaluating historical records of system events to assess system performance, track user activities, and identify issues, among other goals. The results of effective auditing include timely and informed decisions and actions, especially when resolving security threats or preventing them from occurring.

Auditing user-, administrator-, and content-related activities is critical for compliance, security forensics, and legal discovery purposes in today's information technology-enabled environments. Moreover, auditing is no longer a matter of best practices. Increasingly, enterprises need to comply with regulatory measures and legal requirements to ensure that granular system use is reportable and presentable.

For these purposes, Oracle Beehive provides a robust and highly-configurable Audit Framework and its interface, the Audit Service. Combined, these components enable administrators to fulfill their organizations' regulatory compliance and legal requirements, and ensure the secure day-to-day operations of their Oracle Beehive deployments. Within this framework, administrators can monitor and trace a wide range of system events including user activities and changes to system configuration settings.

Anti-virus Support in Oracle Beehive

Computer-based viruses, especially those transmitted through e-mail messages, have long been a concern in any IT-enabled environment. Viruses negatively impact productivity, which can result in lost revenue for organizations. Therefore, it is critically important to prevent and eliminate viruses wherever and whenever possible.

To mitigate threats from viruses, Oracle Beehive provides the Oracle Beehive Virus Scanner. The Oracle Beehive Virus Scanner provides the following key features:

Administrators can manage the Virus Scanner through beectl. To manage supported third-party scanners, such as Symantec Scan Engine, administrators should leverage the tools provided with or for those products.

The Oracle Beehive Virus Scanner also provides the following features:

Scan Types and Modes in Oracle Beehive

Oracle Beehive supports the following scan types and modes, either natively in the Virus Scanner or by leveraging a third-party scanner such as Symantec Scan Engine:

Inline Scanning

Inline scanning refers to automatic scanning of artifacts, such as e-mail messages, at the time they are created or introduced to the system. That is, before they are accessible to users.

In-Place Scanning

In-place scanning refers to the scanning of artifacts on a file system that is accessible to Virus Scanner and a supported third-party scanner.

Streamed Scanning

Streamed scanning refers to the scanning of data that is streamed over a network to a supported third-party scanner. Typically, this type of scanning is performed in conjunction with inline scanning.

Quarantines and Other Virus Resolution Features

Oracle Beehive supports quarantines and other resolutions for artifacts that are found to contain viruses. For most artifacts, if the Oracle Beehive Virus Scanner discovers a virus, it quarantines the artifact. While quarantined, the artifact may be visible to users, that is, it may appear in search results or when a user browses its location. However, the system will deny read access to the artifact until the issue is resolved. Resolutions can include repairing the artifact by removing the virus, overwriting the artifact, or deleting the artifact from the system entirely.


Oracle Beehive handles infected e-mail messages in a different manner than other artifacts. If the Oracle Beehive Virus Scanner discovers an inbound e-mail message that is infected with a virus, it replaces the infected portion of the message with predefined text. Typically, the replacement text indicates to the recipient of the e-mail that the e-mail contained a virus, that the virus has been removed, and that the resulting e-mail message has been altered so that its original meaning may have changed.

For infected client applications, such as for mobile devices, Oracle Beehive provides additional measures that include blocking infected modules from being uploaded to or downloaded from the system. For example, if an administrator inadvertently attempts to upload an infected client application to the system, the Oracle Beehive Virus Scanner will block the attempt by aborting the procedure. Or, if a previously uploaded client application is later found to be infected, say after an administrator updates the system's virus definitions, then Oracle Beehive will lock the client application on the server and prevent users from downloading it to their mobile devices. During this time, the infected client application remains visible to administrators so that they can resolve the issue appropriately.


Administrators can configure the Oracle Beehive Virus Scanner for integration with external scan servers, such as Symantec Scan Engine, to filter artifacts. Filtering is essentially the ability to treat certain artifacts differently based on specific criteria, including:

  • File name

  • File or e-mail message size

  • E-mail subject line

  • E-mail origination, such as a specific domain or address

Deployment- and Network-level Security in Oracle Beehive

Oracle Beehive is built on top of proven and secure Oracle technologies, such as Oracle Database and Oracle Application Server, so it offers the highest levels of security.

The network architecture for Oracle Beehive allows information technology departments to set up multiple security zones. Typically, this consists of an intranet, a demilitarized zone (DMZ), and external networks such as the Internet. Each zone can be separated by firewalls that are configured to monitor other firewalls, so that if one firewall fails, another assumes its duties.

Oracle Beehive is designed to support the full range of secure deployment options. Security mechanisms in Oracle Beehive are aimed at ensuring that practical, real-world deployment constraints can be achieved easily to minimize security risks. These constraints may include the need to securely deploy Oracle Beehive in a DMZ, with other aspects of the system and especially Oracle Database, existing in the corporate intranet protected by firewalls and other security components and measures.

Policy-based Security in Oracle Beehive

A policy is a set of rules and associated actions that restricts or modifies system behavior based on specified events. Typically, policies are applied to events or collections of events. A policy dictates how Oracle Beehive should respond whenever an event occurs, such as the restrictions that apply to a particular user in a specific situation.

Policies can also trigger workflows, which are defined sets of approvals or actions that must be taken to complete events. Oracle Beehive policies and workflows ensure that the system or authorized users take the appropriate actions to securely fulfill business requirements.

Examples of security-based policies and workflows include the following:

Standards-based Security in Oracle Beehive

Oracle Beehive is built on Java 2 Platform Enterprise Edition (J2EE) and supports standards-based protocols, such as HTTP, and markup languages, such as HTML and XML. Oracle Beehive security features also support proven security-based open standards, such as Security Assertions Markup Language (SAML), secure Sockets Layer (SSL), Transport Layer Security (TLS), and X.509, to name a few. This support enables secure client-server communications, as well as service-to-service authentication, and facilitates interoperability with third-party products for added security measures.

User Account Security in Oracle Beehive

Oracle Beehive provides the following features related to the security of user accounts:

Mobile Device Security in Oracle Beehive

Oracle Beehive provides several security-based features that prevent malicious and unintentional actions through supported mobile devices, as well as the potentially negative consequences for those devices and the system itself.

Oracle Beehive's security-based features for mobile devices include the following:

Secure Communications Over HTTPS

By default, Oracle Beehive transmits and receives all communications between supported mobile devices and the system using Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS). In fact, to transmit communications between devices and the system over less secure methods, such as HTTP, requires Oracle Beehive administrators to explicitly enable those connections, which Oracle does not recommend. Leveraging HTTPS ensures that transmissions of mobile e-mail messages and other confidential information are always encrypted and are, therefore, secure.

Authentication Requirements for Mobile Devices

Due to the portability of mobile devices and their potential for exposure to unauthorized users, especially through theft or loss, it is critical that they support reliable and secure authentication features. Typically, these features are designed for and implemented on mobile devices by mobile device manufacturers.

Oracle Beehive provides support for many common mobile device authentication methods, including SyncML MD5 authentication. However, this support depends on the methods that each mobile device manufacturer provides and the available options that your enterprise subsequently chooses. For example, in some cases, users may be required to provide their credentials for actions related to system connectivity only, such as logging in to Oracle Beehive or installing supported client updates. In other cases, users may be required to authenticate for all actions including whenever they power on their devices.

For more information on the authentication features supported by the mobile devices that your enterprise wants to deploy with Oracle Beehive, please refer to the documentation provided with those devices.

Clearing Data on Mobile Devices

Loss of mobile devices, especially through theft, is always a risk and concern for device owners and the IT departments. In cases where Windows-based mobile devices are lost, stolen, or must be deprovisioned, such as when an employee leaves a company, Oracle Beehive enables administrators to perform data wipes remotely, to clear all of the programs and data from the devices.

Blocking Mobile Devices

Oracle Beehive enables administrators to prevent individual mobile devices from accessing the system. Again, this can be very useful in cases where mobile devices are lost, stolen, or must be deprovisioned. To block a specific mobile device, an administrator only needs to specify the ID for the mobile device through the appropriate beectl command.

For example:

beectl add_blocked_device --device 123456