Previous      Contents      Index      Next
Sun Java System Access Manager 6 2005Q1 Technical Overview

Chapter 2
Identity Management

Built upon Sun Java^™ System Directory Server, Sun Java System Access Manager 6 provides a means for creating and modifying directory entries and access policies. Together, a user’s directory entry and its associated policies form the user’s identity. This chapter explains how Directory Server and Access Manager work together to achieve consolidated identity management.

Topics in this chapter include the following:

Basic Directory Server Concepts
How Access Manager Works with Directory Server

---

Basic Directory Server Concepts

Directory Server provides a central repository for storing and managing information. Almost any kind of information can be stored, from identity profiles and access privileges to information about application and network resources, printers, network devices and manufactured parts. Access Manager connects to Directory Server and accesses the identity profiles and services information stored there. The information is stored in directory entries, and entries are grouped hierarchically in a directory tree.

Overview of the Directory Tree

The Directory Server directory tree, also known as a directory information tree or DIT, mirrors the tree model used by most file systems. The tree’s root, or first entry, appears at the top of the hierarchy. The root of the tree is called the root suffix. You can build on the default directory tree to add any data relevant to your directory installation.

When you install Access Manager, you are asked to name an Access Manager root suffix. The Access Manager root suffix identifies the part of the directory tree that is managed by Access Manager. The Access Manager root suffix can start beneath the root suffix of the directory tree, or it can replace the root suffix of the directory tree.

In Figure 2-1, the directory tree root suffix is dc=example,dc=com. Additional subtrees have been added to reflect an organizational hierarchy. In the example:

dc refers to the domain component of the enterprise
ou refers to an organizational unit or group to which an object belongs
uid refers to the string or name that Access Manager associates with a user object
cn refers to a common name given to a directory object; the name that is visible to end-users of an application

When Access Manager is installed, if the same root suffix dc=example,dc=com is specified, then all user entries in the entire directory tree can be managed by Access Manager.

Figure 2-1  Sample Directory Tree

Directory Entries and the Base DN

Each user, service, and resource in the directory is represented by a directory entry. A directory entry stores parameter values which describe a user, service, or resource.

In LDAP, you can query an entry and request all entries below it in the directory tree. This subtree is called the base distinguished name, or base DN. For example, in the sample directory tree (Figure 2-1) when you use Access Manager to add a user to a group, Access Manager connects to Directory Server to find the user’s entry. On the back end, the LDAP search function requests entries specifying a base DN of ou=people,dc=example,dc=com. The search operation examines only the ou=people subtree in the dc=example,dc=com directory tree, and ignores the ou=services subtree.

Directory Server Schema

The predefined schema included with Directory Server contains both the standard LDAP attributes and object classes as well as additional application-specific schema to support the features of the server.

The directory tree mechanism is not well suited for associations between dispersed entries, for frequently changing organizations, or for data that is repeated in many entries. As a solution, groups and roles provide more flexible associations between entries, and class of service simplifies the management of data that is shared within branches of your directory. Access Manager schema leverages the attributes and object classes that come with Directory Server.

Static and Dynamic Groups

A group is an entry that specifies the other entries that are its members. When you know the name of a group, it is easy to retrieve all of its member entries.

Static groups explicitly name their member entries. Static groups are suitable for groups with few members, such as the group of directory administrators.
Dynamic groups specify a filter, and all entries that match are members of the group. These groups are dynamic because membership is defined every time the filter is evaluated.
Access Manager groups are also used for defining policy subjects. See Policy Configuration for related information. Note that Access Manager groups are not used for services inheritance.

The advantage of groups is that they make it easy to find all of their members. Static groups may simply be enumerated, and the filters in dynamic groups may simply be evaluated. The disadvantage of groups is that given an arbitrary entry, it is difficult to name all the groups of which it is a member.

Managed and Filtered Roles

Roles are an alternative entry grouping mechanism that automatically identifies all roles of which any entry is a member. When you retrieve an entry in the directory, you immediately know the roles to which it belongs. This overcomes the main disadvantage of the group mechanism.

Managed roles are the equivalent of static groups, except that membership is defined in each member entry and not in the role definition entry.
Filtered roles are similar to dynamic groups. They define a filter that determines the members of the role.
In Directory Server, nested roles name other role definitions, including other nested roles. The set of members of a nested role is the union of all members of the roles it contains. However, it’s important to note that nested roles are not supported in the Access Manager administration console.

---

How Access Manager Works with Directory Server

When you install Access Manager, it adds its own specialized object classes, roles, and services to the directory tree. These form an identity framework that enables you to use the Access Manager administration console to create and manage the directory entries in Directory Server.

Access Manager Objects Are Added to Directory

Access Manager directory objects extend the Directory Server schema. Since they are abstractions based upon Directory Server objects, Access Manager objects are similar—but not always identical—to Directory Server objects.

Groups

An Access Manager group represents a collection of users with a common function, feature or interest. Typically, this grouping has no privileges associated with it. Groups can exist at two levels, within an organization and within other managed groups such as a sub group. Users can be added to managed groups either statically or dynamically. You must manually add or delete each individual user to a static group; dynamic groups are formed automatically through the use of search filter.

Users

A user represents the identity of a person.

Services

A service is a group of attributes that are managed together by the Access Manager console. Access Manager services are discussed in greater detail in Chapter 4, "Services Management".

Roles

An Access Manager role, like a Directory Server role, is an entry mechanism similar to the concept of a group. Identity Server uses roles to apply access control instructions (ACIs). ACIs define who has access to specific directory entries. Access Manager roles are also used as policy subjects for the purpose of service inheritance. See Policy Configuration for related information.

Policies

Policies are similar to ACIs in the way they define access rules. But while ACIs describe who has access to directory entries, policies describe who has access to specific resources such as a server or a document stored on a server. Access Manager objects are added to a policy through the policy’s subject definition.

Containers

The container entry is used to group objects when, due to object class and attribute differences, it is not possible to use an organization entry. It is important to remember that the Access Manager container entry and the Access Manager organization entry are not necessarily equivalent to the LDAP object classes organizationalUnit and organization. They are abstract Identity entries. Ideally, the organization entry will be used instead of the container entry.

People Containers

A People Container is the default LDAP organizational unit to which all users are assigned when they are created within an organization. People containers can be found at the organization level and at the people container level as a sub People Container. They can contain only other people containers and users.

Group Containers

A Group Container is used to manage groups. It can contain only groups and other group containers. The group container Groups is dynamically assigned as the parent entry for all managed groups.

Delegated Administration and Self-Registration

When you install Access Manager, Access Manager automatically creates four administrator roles and adds them to the directory:

Top-Level Admin Role
Top-level Help Desk Admin Role
Top-level Policy Admin Role
People Admin Role

Access control instructions (ACIs) are associated with each administrator role. When you add a user, or member, to one of these pre-defined roles, the member is accorded the directory access privileges associated with the role. For example, users who are assigned to the Top-level Admin Role can access and modify all entries in the directory tree. A user who is a member of the Top-Level Help Desk Admin Role can search all entries, but can modify only the password information in each entry. A user who is a member of the Top-level Policy Admin role can modify only policy-related information in each entry. A user who is a member of the People Admin role has read and write access to all user-related information in each entry, but not policies.

The Identity Framework enables you to create additional administrator roles at the organization level and at the group level of the directory tree. In this way, the administration workload can be selectively distributed, or delegated, among a large number of administrators who have restricted access, rather than to just small number of omni-privileged administrators. This speeds up administration workflow.

Administration can also be delegated down to non-administrators. Users can access the Access Manager console via the HTTP and a browser. This makes it possible for non-administrators to gain restricted access to the company’s resources or applications without having to install a proprietary application. For example, a company can set up its online product catalog so that customers must register a username and password before accessing the catalog. Through self-registration, the customer can create his own account and password without any intervention by an administrator. This reduces the administrator workload.

Identity Management Interfaces

To bridge the gap between Directory Server object classes and Access Manager functionality, Access Manager provides the following interfaces:

ums.xml

This file defines a set of templates that contain configuration information needed to set up each identity-related object created with Access Manager as an LDAP entry in the Directory Server data store.

Identity Management Software Development Kit (SDK)

The SDK is used to integrate the management functions of Access Manager into external applications or services.

Access Manager console

When you modify a user entry using the Access Manager console, the modification is automatically made in the Directory Server.

Previous      Contents      Index      Next

---

Part No: 817-7643-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.