Sun Java System Identity Server 2004Q2 Technical Overview 

Chapter 2
Identity Management

Built upon Sun Java System Directory Server, Sun Java System Identity Server provides a means for creating and modifying directory entries and access policies. Together, a user’s directory entry and its associated policies form the user’s identity. This chapter explains how Directory Server and Identity Server work together to achieve consolidated identity management.

Topics in this chapter include the following:

Basic Directory Server Concepts

Directory Server provides a central repository for storing and managing information. Almost any kind of information can be stored, from identity profiles and access privileges to information about application and network resources, printers, network devices and manufactured parts. Identity Server connects to Directory Server and accesses the identity profiles and services information stored there. The information is stored in directory entries, and entries are grouped hierarchically in a directory tree.

Overview of the Directory Tree

The Directory Server directory tree, also known as a directory information tree or DIT, mirrors the tree model used by most file systems. The tree’s root, or first entry, appears at the top of the hierarchy. The root of the tree is called the root suffix. You can build on the default directory tree to add any data relevant to your directory installation.

If Identity Server is installed with the same root suffix as the directory tree (dc=example,dc=com in the sample tree), then all user entries in the entire directory tree can be managed by Identity Server.

Figure 2-1  Sample Directory Tree

Sample directory tree for the corporation.

Directory Entries and the Base DN

Each user, service, and resource in the directory is represented by a directory entry. A directory entry stores parameter values which describe a user, service, or resource.

In LDAP, you can query an entry and request all entries below it in the directory tree. The entry at which such a search starts is called the base distinguished name, or base DN, and the search covers the subtree below it. For example, in the sample directory tree (Figure 2-1), when you use Identity Server to add a user to a group, Identity Server connects to Directory Server to find the user’s entry. On the back end, the LDAP search function requests entries with a base DN of ou=people,dc=example,dc=com. The search examines only the ou=people subtree of the dc=example,dc=com directory tree and ignores the ou=services subtree.
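To make the base DN concrete, here is an added example (not code from the Sun documentation) that models a small directory information tree in memory and implements a base-DN scoped search with the three standard LDAP scopes. The entries, the cn=sampleService entry and the `has_value` predicate that stands in for an LDAP filter are all constructed for this illustration; the example also handles the `base` and `one` scopes, which the text does not discuss.

```python
# Added example: in-memory model of a DIT and a base-DN scoped LDAP search.
# Not the product's code; entries are constructed to mirror the sample tree.

# Constructed sample entries keyed by DN. Attribute values are lists, as in LDAP.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["domain"], "dc": ["example"]},
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["people"]},
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "ou=services,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["services"]},
    # hypothetical service entry, only here to show it is outside the people subtree
    "cn=sampleService,ou=services,dc=example,dc=com": {"objectClass": ["top"], "cn": ["sampleService"]},
}


def dn_rdns(dn):
    """Split a DN into its RDN components, most specific first, normalised
    for case-insensitive comparison. Simplification: escaped commas inside
    attribute values are not handled."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(dn, base, scope):
    """True if dn lies within the search scope rooted at base.
    scope is 'base' (the base entry only), 'one' (its immediate children)
    or 'sub' (the base entry and everything below it)."""
    entry, root = dn_rdns(dn), dn_rdns(base)
    if len(entry) < len(root) or entry[-len(root):] != root:
        return False  # not under the base DN at all
    depth = len(entry) - len(root)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def has_value(attr, value):
    """Predicate factory equivalent to the LDAP filter (attr=value)."""
    return lambda attrs: value in attrs.get(attr, [])


def search(base, scope, predicate=lambda attrs: True, directory=DIRECTORY):
    """Return the sorted DNs of entries inside the scope that match the predicate.
    Entries outside the base DN's subtree are never even examined."""
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base, scope) and predicate(attrs))


def find_user_entry(uid):
    """What the text describes: locate a user's entry with a base DN of
    ou=people,dc=example,dc=com, so the ou=services subtree is ignored."""
    hits = search("ou=people,dc=example,dc=com", "sub", has_value("uid", uid))
    return hits[0] if hits else None


if __name__ == "__main__":
    print(find_user_entry("alice"))
    print(search("ou=people,dc=example,dc=com", "one"))
```

Narrowing the base DN is also a least-privilege measure in practice: an application account that only ever needs user entries can be given a search base and read access confined to ou=people, so a bug in that application cannot be used to enumerate the service configuration subtree.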

Directory Server Schema

The predefined schema included with Directory Server contains both the standard LDAP attributes and object classes as well as additional application-specific schema to support the features of the server.

The directory tree mechanism is not well suited for associations between dispersed entries, for frequently changing organizations, or for data that is repeated in many entries. As a solution, groups and roles provide more flexible associations between entries, and class of service simplifies the management of data that is shared within branches of your directory. Identity Server schema leverages the attributes and object classes that come with Directory Server.

Static and Dynamic Groups

A group is an entry that specifies the other entries that are its members. When you know the name of a group, it is easy to retrieve all of its member entries.

The advantage of groups is that they make it easy to find all of their members. Static groups may simply be enumerated, and the filters in dynamic groups may simply be evaluated. The disadvantage of groups is that given an arbitrary entry, it is difficult to name all the groups of which it is a member.

Managed and Filtered Roles

Roles are an alternative entry grouping mechanism that automatically identifies all roles of which any entry is a member. When you retrieve an entry in the directory, you immediately know the roles to which it belongs. This overcomes the main disadvantage of the group mechanism.
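The two preceding sections contrast groups (cheap to enumerate, hard to reverse) with roles (membership known as soon as an entry is read). The following added example, which is not code from the Sun documentation, models both in memory: static groups with an explicit member list, dynamic groups with a filter, managed roles recorded on the user entry and filtered roles computed by the server when the entry is read. The user, group and role entries, the `memberFilter` attribute name and the single-equality filter evaluator are all constructed simplifications; `nsRoleDN`, `nsRoleFilter` and `nsRole` are the Directory Server attribute names for managed-role membership, filtered-role definitions and the computed role list.

```python
# Added example: toy model of static groups, dynamic groups and roles, showing
# why "which groups contain this entry" is costly while roles come back with
# the entry. Not the product's code; all entries are constructed.

PEOPLE = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "departmentNumber": ["42"],
        "nsRoleDN": ["cn=helpdesk,dc=example,dc=com"],  # managed-role membership lives on the entry
    },
    "uid=bob,ou=people,dc=example,dc=com": {"departmentNumber": ["42"], "nsRoleDN": []},
    "uid=carol,ou=people,dc=example,dc=com": {"departmentNumber": ["7"], "nsRoleDN": []},
}

# A static group lists its members; a dynamic group defines them by a filter
# (attribute name "memberFilter" is a simplification made for this example).
GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": {"uniqueMember": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=dept42,ou=groups,dc=example,dc=com": {"memberFilter": "(departmentNumber=42)"},
}

# A managed role is a name that user entries point at; a filtered role carries
# a filter the server evaluates against each entry it returns.
ROLES = {
    "cn=helpdesk,dc=example,dc=com": {"kind": "managed"},
    "cn=dept42role,dc=example,dc=com": {"kind": "filtered", "nsRoleFilter": "(departmentNumber=42)"},
}


def matches(entry, ldap_filter):
    """Evaluate a single equality filter such as '(departmentNumber=42)'.
    Simplification: no &, |, ! or substring filters."""
    attr, value = ldap_filter.strip("()").split("=", 1)
    return value in entry.get(attr, [])


def group_members(group_dn):
    """Cheap direction: enumerate the static list or evaluate the one filter."""
    group = GROUPS[group_dn]
    if "uniqueMember" in group:
        return sorted(group["uniqueMember"])
    return sorted(dn for dn, entry in PEOPLE.items() if matches(entry, group["memberFilter"]))


def groups_of(user_dn):
    """Expensive direction: nothing on the user entry records its groups, so
    every group in the directory must be enumerated or have its filter run."""
    return sorted(g for g in GROUPS if user_dn in group_members(g))


def read_entry(user_dn):
    """Model of the server returning an entry together with the computed nsRole
    attribute: managed roles from nsRoleDN, filtered roles by testing each
    role's filter against this single entry. The client needs no second search."""
    entry = dict(PEOPLE[user_dn])
    roles = set(entry.get("nsRoleDN", []))
    for role_dn, role in ROLES.items():
        if role["kind"] == "filtered" and matches(entry, role["nsRoleFilter"]):
            roles.add(role_dn)
    entry["nsRole"] = sorted(roles)
    return entry


def roles_of(user_dn):
    """Roles of an entry are simply read off the entry itself."""
    return read_entry(user_dn)["nsRole"]


if __name__ == "__main__":
    for dn in PEOPLE:
        print(dn, "groups:", groups_of(dn), "roles:", roles_of(dn))
```

The asymmetry matters for authorization checks: an access decision that asks "what is this user allowed to do?" needs the reverse lookup, which is exactly what roles make cheap and groups make a directory-wide scan.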

How Identity Server Works with Directory Server

When you install Identity Server, it adds its own specialized object classes, roles, and services to the directory tree. These form an identity framework that enables you to use the Identity Server administration console to create and manage the directory entries in Directory Server.

Identity Server Objects Are Added to Directory

Identity Server directory objects extend the Directory Server schema. Since they are abstractions based upon Directory Server objects, Identity Server objects are similar—but not always identical—to Directory Server objects.


An Identity Server group represents a collection of users with a common function, feature, or interest. Typically, this grouping has no privileges associated with it. Groups can exist at two levels: within an organization, and within other managed groups as a sub-group. Users can be added to managed groups either statically or dynamically. You must manually add or delete each individual user in a static group; dynamic groups are formed automatically through the use of a search filter.


A user represents the identity of a person.


A service is a group of attributes that are managed together by the Identity Server console. Identity Server services are discussed in greater detail in Chapter 4, "Services Management".


An Identity Server role, like a Directory Server role, is an entry mechanism similar to the concept of a group. Identity Server uses roles to apply access control instructions (ACIs). ACIs define who has access to specific directory entries. Identity Server roles are also used as policy subjects for the purpose of service inheritance. See Policy Configuration for related information.


Policies are similar to ACIs in the way they define access rules. But while ACIs describe who has access to directory entries, policies describe who has access to specific resources such as a server or a document stored on a server. Identity Server objects are added to a policy through the policy’s subject definition.


The container entry is used to group objects when, due to object class and attribute differences, it is not possible to use an organization entry. It is important to remember that the Identity Server container entry and the Identity Server organization entry are not necessarily equivalent to the LDAP object classes organizationalUnit and organization. They are abstract Identity entries. Ideally, the organization entry will be used instead of the container entry.

People Containers

A People Container is the default LDAP organizational unit to which all users are assigned when they are created within an organization. People containers can be found at the organization level and at the people container level as a sub People Container. They can contain only other people containers and users.

Group Containers

A Group Container is used to manage groups. It can contain only groups and other group containers. The group container Groups is dynamically assigned as the parent entry for all managed groups.

Delegated Administration and Self-Registration

When you install Identity Server, Identity Server automatically creates four administrator roles and adds them to the directory:

Access control instructions (ACIs) are associated with each administrator role. When you add a user, or member, to one of these pre-defined roles, the member is accorded the directory access privileges associated with the role. For example, users who are assigned to the Top-level Admin Role can access and modify all entries in the directory tree. A user who is a member of the Top-level Help Desk Admin Role can search all entries, but can modify only the password information in each entry. A user who is a member of the Top-level Policy Admin Role can modify only policy-related information in each entry. A user who is a member of the People Admin Role has read and write access to all user-related information in each entry, but not to policies.

The Identity Framework enables you to create additional administrator roles at the organization level and at the group level of the directory tree. In this way, the administration workload can be selectively distributed, or delegated, among a large number of administrators who have restricted access, rather than to just a small number of omni-privileged administrators. This speeds up the administration workflow.
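The following added example (not code from the Sun documentation, and not Directory Server's ACI syntax) shows the deny-by-default evaluation that the role-bound ACIs above imply: each rule grants a set of rights on a set of attributes within a target subtree to members of one role, and a request is allowed only if some rule covers it. The role DNs, the organization o=sales, the `policyAttr` attribute name and the rule tuples are all constructed for the illustration; the four top-level roles are modelled on the permissions the text describes, and the Org Admin Role shows a delegated administrator confined to one organization's subtree.

```python
# Added example: simplified deny-by-default evaluator for ACIs bound to roles.
# Rule format is a toy for this page, not Directory Server's ACI syntax.

ALL = "*"  # wildcard meaning "any attribute"

# Constructed rules: (role DN, target subtree, attributes, rights).
ACIS = [
    # Top-level Admin: read and write everything in the tree
    ("cn=Top-level Admin Role,dc=example,dc=com", "dc=example,dc=com", {ALL}, {"read", "write"}),
    # Help Desk Admin: search everything, but write only passwords
    ("cn=Top-level Help Desk Admin Role,dc=example,dc=com", "dc=example,dc=com", {ALL}, {"read"}),
    ("cn=Top-level Help Desk Admin Role,dc=example,dc=com", "dc=example,dc=com", {"userPassword"}, {"write"}),
    # Policy Admin: policy-related information only (policyAttr is a placeholder name)
    ("cn=Top-level Policy Admin Role,dc=example,dc=com", "dc=example,dc=com", {"policyAttr"}, {"read", "write"}),
    # People Admin: user-related attributes, but not policy information
    ("cn=People Admin Role,dc=example,dc=com", "dc=example,dc=com", {"cn", "mail", "userPassword"}, {"read", "write"}),
    # Delegated organization administrator, confined to the o=sales subtree
    ("cn=Org Admin Role,o=sales,dc=example,dc=com", "o=sales,dc=example,dc=com", {ALL}, {"read", "write"}),
]


def under(dn, subtree):
    """True if dn is the subtree entry or lies below it (case-insensitive;
    escaped commas in values are not handled in this simplification)."""
    d = [p.strip().lower() for p in dn.split(",")]
    s = [p.strip().lower() for p in subtree.split(",")]
    return len(d) >= len(s) and d[-len(s):] == s


def is_allowed(actor_roles, target_dn, attr, right):
    """Deny by default: grant only when a rule for one of the actor's roles
    covers the target entry, the attribute and the requested right."""
    for role_dn, subtree, attrs, rights in ACIS:
        if (role_dn in actor_roles
                and under(target_dn, subtree)
                and (ALL in attrs or attr in attrs)
                and right in rights):
            return True
    return False


def effective_rights(actor_roles, target_dn, attr):
    """All rights the actor's roles grant on one attribute of one entry."""
    return {r for r in ("read", "write") if is_allowed(actor_roles, target_dn, attr, r)}


if __name__ == "__main__":
    helpdesk = {"cn=Top-level Help Desk Admin Role,dc=example,dc=com"}
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print("help desk on mail:", effective_rights(helpdesk, alice, "mail"))
    print("help desk on userPassword:", effective_rights(helpdesk, alice, "userPassword"))
```

Two properties of this evaluator are worth keeping when a real ACI set is reviewed: a role with no matching rule gets nothing, and a delegated role's rules name a subtree, so membership in the Org Admin Role grants nothing outside o=sales even though the rule itself uses the wildcard attribute set.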

Administration can also be delegated down to non-administrators. Users can access the Identity Server console via HTTP and a browser. This makes it possible for non-administrators to gain restricted access to the company’s resources or applications without having to install a proprietary application. For example, a company can set up its online product catalog so that customers must register a username and password before accessing the catalog. Through self-registration, the customer can create his own account and password without any intervention by an administrator. This reduces the administrator workload.

Identity Management Interfaces

To bridge the gap between Directory Server object classes and Identity Server functionality, Identity Server provides the following interfaces:


Copyright 2004 Sun Microsystems, Inc. All rights reserved.