Accounts are considered "privileged" if they can access sensitive data, can grant access to sensitive data, or can both access and grant access to that data. Privileged accounts are your company's most powerful accounts, and they are frequently shared.
Accounts become candidates for management via Oracle Privileged Account Manager if they are associated with elevated privileges, are used by multiple end-users on a task-by-task basis, and must be controlled and audited.
For example, these accounts require security and may fall under compliance regulations:
UNIX root, Windows administrator, and Oracle Database SYSDBA system accounts
Application accounts, such as the database user accounts used by an application server when it connects to a Human Resources application
Traditional shared and elevated privilege user accounts, such as system administrators and database administrators
Administrators determine which accounts are privileged within a particular deployment, and they must configure Oracle Privileged Account Manager to manage those accounts.
While Oracle Privileged Account Manager most commonly manages shared and elevated privileged accounts, administrators can also use it to manage passwords for any type of account. For example, if an employee is on extended leave and you have a business reason for allowing another employee to access the system using that person's email account, Oracle Privileged Account Manager can manage that privilege.
Oracle Privileged Account Manager enables you to administer and provide better security for privileged accounts and passwords that are traditionally difficult to manage for several reasons.
First, privileged accounts generally have more access rights than a regular user's account. Because these accounts are not typically associated with one specific employee, they are often difficult to audit with existing tools and processes. Consequently, when employees leave the company, they might retain privileged account passwords that are still in use, which is a very serious compliance and security issue.
Finally, you typically do not want to store passwords in a central or well-known location, such as an external repository (like LDAP) or in application configuration files, because you cannot control access to those passwords.
Oracle Privileged Account Manager delivers a complete solution for securely managing privileged accounts and passwords because it provides
Interactive, policy-based account and session checkout and check-in
Oracle Privileged Account Manager requires all authorized users to check out an account before using it, and then to check that account back in when they are finished with it. Oracle Privileged Account Manager audits account checkouts and check-ins by tracking the real identity (the person's name) of every shared administrator user at any given moment in time. By using this information, Oracle Privileged Account Manager can provide a complete audit trail that shows who accessed what, when, and where.
In addition, Oracle Privileged Session Manager (Session Manager) enables administrators to monitor and control which activities users can perform during a session. Users are never allowed direct access to resources or to privileged credentials.
Oracle Privileged Account Manager modifies passwords when they are checked out and checked in (when configured to do so). Consequently, when a user checks out a password and then subsequently checks it back in, that user can no longer use the previously checked out password.
In addition, Oracle Privileged Account Manager can change application privileged account passwords at specified intervals, such as every 90 days, with no changes to those applications, and it synchronizes those passwords on the target systems. For example, Oracle Privileged Account Manager can update service and scheduled task credentials.
User management, group management, and workflow capabilities (by integrating with Oracle Identity Manager)
Because Oracle Privileged Account Manager seamlessly integrates with Oracle Identity Manager, Oracle Privileged Account Manager can use this Oracle Identity Management product to manage the users and groups that are associated with a company's privileged accounts. In addition, through the request-level approval workflows, operational-level approval workflows, and provisioning workflows of Oracle Identity Manager, you can configure Oracle Privileged Account Manager so that only the appropriate groups and users have access to privileged accounts.
Oracle Privileged Account Manager's key features include:
Multiple access points, including
Oracle Privileged Account Manager's web-based user interface (called the Console)
Two interfaces are associated with the Console:
Administrator: Oracle Privileged Account Manager administrators use this interface to create and manage policies, targets, accounts, grants, and reports.
Self-Service: Oracle Privileged Account Manager end users use this interface to search for, view, check out, and check in accounts.
Refer to Chapter 4, "Starting and Using the Oracle Privileged Account Manager Console" for more information.
Oracle Privileged Account Manager's command line tool (CLI)
You can use the CLI to perform many of the same tasks you perform from the Console. For example, you can use the CLI to check out and check in accounts or to create and manage policies, targets, accounts, and grants.
Refer to Appendix A, "Working with the Command Line Tool" for more information.
Oracle Privileged Account Manager uses RESTful APIs to expose internal functionality to applications and scripts. These APIs also provide the integration point to be leveraged by third parties that want to integrate with Oracle Privileged Account Manager functionality.
These APIs are considered to be RESTful because they conform to Representational State Transfer (REST) standards.
Refer to Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" for more information.
Oracle Platform Security Services (OPSS) Trust Service to authenticate and propagate identities from the Oracle Privileged Account Manager user interface to the Oracle Privileged Account Manager server
In addition, because ICF is an open standard, you can write your own connectors against other types of targets for which Oracle has not yet created an ICF connector.
For more information about ICF and about developing your own connector, refer to "Understanding the Identity Connector Framework" and "Developing Identity Connectors Using Java" or "Developing Identity Connectors Using .Net" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Ability to manage and audit privileged sessions to the target system
Session Manager creates a single access point to target resources, which enables administrators to easily control and monitor all the activities within the privileged session.
Session Manager also maintains historical records (transcripts) to support forensic analysis and audit data.
Support for multiple target types, including
UNIX and Linux operating systems
Oracle, MSSQL, MySQL and Sybase databases
LDAP v3-compliant directories
Advanced reporting capabilities
Oracle Privileged Account Manager's out-of-the box audit reports are integrated with Oracle Business Intelligence Publisher 11g (BI Publisher) so you know who is using your privileged accounts. BI Publisher also enables you to create and manage formatted reports from different data sources.
Events related to privileged account access roll up into Oracle Identity Manager and Oracle Identity Analytics for audit and attestation.
Policy-driven access to privileged accounts
In Oracle Privileged Account Manager, there are two types of policies for granting access to privileged accounts:
Password Policy: This policy type captures the password construction rules enforced by a specific target on an associated privileged account. For example, you can specify the minimum and maximum number of numeric characters for a password for an account. In addition, you use a password policy to create a password value that Oracle Privileged Account Manager uses to reset a password for a privileged account.
Usage Policy: This policy type defines when and how often a user or group can access a privileged account.
If you do not specify a time interval by using a Usage Policy, the user or group can access the privileged account at any time (24x7).
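As an added illustration, not code from the product, the following hypothetical Python model shows what a Password Policy amounts to in practice: the construction rules a target enforces on an account's password, a check of a candidate value against those rules, and a generator for a compliant value of the kind used when a password is reset. The field names, limits, and special-character set are assumptions.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:                  # hypothetical model of one target's rules
    min_length: int = 12
    max_length: int = 16
    min_numeric: int = 2               # minimum and maximum number of numeric characters
    max_numeric: int = 4
    min_upper: int = 1
    min_special: int = 1
    special_chars: str = "!@#$%^&*_-"

    def violations(self, password: str) -> list[str]:
        """Every rule the candidate breaks; an empty list means it is compliant."""
        digits = sum(c.isdigit() for c in password)
        upper = sum(c.isupper() for c in password)
        special = sum(c in self.special_chars for c in password)
        problems = []
        if not self.min_length <= len(password) <= self.max_length:
            problems.append(f"length {len(password)} not in {self.min_length}-{self.max_length}")
        if not self.min_numeric <= digits <= self.max_numeric:
            problems.append(f"{digits} digits not in {self.min_numeric}-{self.max_numeric}")
        if upper < self.min_upper:
            problems.append(f"fewer than {self.min_upper} uppercase characters")
        if special < self.min_special:
            problems.append(f"fewer than {self.min_special} special characters")
        return problems

    def generate(self) -> str:
        """Random value satisfying this policy, of the kind used to reset an account."""
        rng = secrets.SystemRandom()   # CSPRNG, not the default Mersenne Twister
        length = rng.randint(self.min_length, self.max_length)
        n_digits = rng.randint(self.min_numeric, min(self.max_numeric, length))
        n_lower = length - n_digits - self.min_upper - self.min_special
        if n_lower < 0:
            raise ValueError("policy minimums cannot fit in the allowed length")
        chars = ([rng.choice(string.digits) for _ in range(n_digits)]
                 + [rng.choice(string.ascii_uppercase) for _ in range(self.min_upper)]
                 + [rng.choice(self.special_chars) for _ in range(self.min_special)]
                 + [rng.choice(string.ascii_lowercase) for _ in range(n_lower)])
        rng.shuffle(chars)             # class positions must not be predictable
        password = "".join(chars)
        if self.violations(password):  # self-check; should never trigger
            raise RuntimeError("generated value violates its own policy")
        return password
```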
An attended account is an account assigned to a particular group or user.
For example, Oracle Privileged Account Manager uses an unattended account, called the OPAM service account, to connect to and manage target systems. This account performs all Oracle Privileged Account Manager-related operations (such as discovering accounts, resetting passwords, and so forth) on the target system, which is why the OPAM service account (service account) must have some special privileges and properties.
Oracle Privileged Account Manager can also manage other kinds of unattended accounts, such as an application account or a service account with CSF mappings that enable applications to pick up a password at run-time by using CSF.
You must never use the same account as a service account and a privileged account to be managed by Oracle Privileged Account Manager.
For more information about working with service accounts in Oracle Privileged Account Manager, refer to Section 7, "Working with Service Accounts."
In addition to the functionality described in Section 1.2, "Why Use Oracle Privileged Account Manager?," Oracle Privileged Account Manager
Associates privileged accounts with targets
Grants users and roles access to privileged accounts, and removes that access
Provides an extensible plug-in framework that enables you to use Oracle or third-party plug-ins to perform operations such as custom notifications, extended usage policies, and custom logic to synchronize passwords with external repositories
Provides role-based access to accounts maintained in the Oracle Privileged Account Manager accounts request system
Provides password check out and check in, as well as session checkout to control access to accounts
Provides "over-the-shoulder" session management by enabling administrators to
Control session initiation
Control sessions through policy-based and administrator-initiated session termination and lockout
Monitor and audit sessions
Client-certificate authentication uses an SSL certificate, in lieu of a password, to authenticate against an Oracle Privileged Account Manager server.
Resets passwords to a random value on check in and check out by default
You can configure Oracle Privileged Account Manager to automatically check in privileged accounts after a specified time to protect against users who check out that privileged account and do not bother to explicitly check in the account.
You can also constrain how long users can check out a privileged account.
Manages password resets on supported targets
Makes authorization decisions to determine
Which targets, privileged accounts, and policies are exposed to an end user or administrator
Which operations (such as add, modify, check-in, and checkout) end users and administrators can perform
Associates policies with privileged accounts
Performs and supports Create, Read, Update, Delete, and Search (CRUDS) operations on targets, privileged accounts, and policies
This core functionality is exposed through Oracle Privileged Account Manager's RESTful APIs. Check-ins, checkouts, and so forth are also supported through the RESTful interface.
Uses Oracle's common auditing, logging, and reporting to monitor and report access
With Oracle Privileged Account Manager, you can use the auditing, logging, and reporting capabilities of Oracle Fusion Middleware Control and Oracle BI Publisher to monitor and report access that users and groups have to privileged accounts.
Offers multiple high availability capabilities
As you examine this figure, it is important to note the following points:
Oracle Privileged Account Manager provides a web-based user interface (known as the Console) and an Oracle Privileged Account Manager command line tool (CLI). Both interfaces are essentially clients of the Oracle Privileged Account Manager server.
However, third parties can write their own clients, such as custom applications, by leveraging the open RESTful service. For more information, refer to Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface."
Session Manager is an Oracle Privileged Account Manager subcomponent that empowers Oracle Privileged Account Manager's session management capabilities. Session Manager is a J2EE application that interacts with the Oracle Privileged Account Manager Server through the Oracle Privileged Account Manager RESTful interfaces and shares the same database that is used by the Oracle Privileged Account Manager Server. In addition, the Session Manager listens and responds to SSH traffic to establish privileged sessions against SSH-capable Oracle Privileged Account Manager targets.
Refer to "WebLogic Security Service Architecture" in Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server for more information about JAAS support in Oracle WebLogic Server (WebLogic).
For more information about Oracle Privileged Account Manager authentication, refer to Section 2.2, "Understanding Oracle Privileged Account Manager Authentication."
All communication with, and between, Oracle Privileged Account Manager-related components (including Oracle Privileged Account Manager's Console, command-line interface, and server) occurs over SSL. In addition, Oracle Privileged Account Manager's RESTful interfaces are exposed over SSL.
Oracle Privileged Account Manager relies on and transparently uses the identity store, Policy Store, and credential store configured for the WebLogic domain in which Oracle Privileged Account Manager is deployed. (Because the Policy Store and credential store are implicitly part of the WebLogic domain, they are not depicted in this diagram.)
The identity store is the centralized repository for Oracle Privileged Account Manager users and groups.
Refer to Section 1.3, "How Oracle Privileged Account Manager is Deployed in Oracle Fusion Middleware" for more information.
The Oracle Privileged Account Manager Console leverages, and is rendered by, Oracle Application Development Framework (ADF).
For more information about ADF, refer to the following website:
Oracle Privileged Account Manager connects to targets by using Identity Connector Framework (ICF) connectors. As shown in Figure 1-1, Oracle Privileged Account Manager uses the following connectors, which are constructed by using the ICF:
Generic Database User Management connector: Connects to Oracle, MSSQL, Sybase, and MySQL databases.
Generic Unix connector: Connects to any UNIX system.
Generic LDAP connector: Connects to LDAP targets (such as Oracle Internet Directory, Oracle Universal Directory, and Active Directory).
For additional information, refer to "Understanding the Identity Connector Framework" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to "Differences in How Oracle Privileged Account Manager is Deployed in Oracle Fusion Middleware" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.
As you examine this figure, note the following points:
All components are deployed within a single WebLogic domain.
Oracle Privileged Account Manager stores its application data in the Oracle Privileged Account Manager database. In addition, the Oracle Privileged Account Manager schema is created in this database via the Oracle Repository Creation Utility.
Oracle Privileged Session Manager relies on the Oracle Privileged Account Manager Database for persistence and communicates with Oracle Privileged Account Manager through its RESTful interfaces.
Oracle Privileged Account Manager's web-based user interface (the Console) is deployed in the Oracle WebLogic Server Managed Server, along with the Oracle Privileged Account Manager Server and the Session Manager.
The Console communicates with the Oracle Privileged Account Manager Server. This server is created as a server that is managed by the Oracle WebLogic Server Managed Server (or Managed Server).
The OPSS identity store and the OPSS security store (which includes the Policy Store and credential store) are WebLogic domain-wide constructs, so there is one of each per domain. (Because the OPSS security store is implicitly part of the WebLogic domain, it is not depicted in this diagram.)
Oracle Privileged Account Manager simply works with what is configured for that domain. You are not required to use an Oracle Privileged Account Manager-specific configuration to use these constructs and services. In addition, Oracle Privileged Account Manager abstracts out the use of these constructs and services so that you do not have to understand what goes on "under the covers" in great detail.
The OPSS identity store can point to the LDAP embedded in WebLogic (out of the box) or to an external LDAP server.
Refer to "Configuring the Identity Store Service" in the Oracle Fusion Middleware Application Security Guide for configuration instructions.
For information about managing the Policy Store and the credential store, refer to "Managing the Policy Store" and "Managing the Credential Store" in the Oracle Fusion Middleware Application Security Guide.
Before you start working with the different Oracle Privileged Account Manager entities, you should understand how those entities relate to each other. Figure 1-3 illustrates this relationship.
An Oracle Privileged Account Manager Password Policy can apply to either a target or a privileged account. When applied to a privileged account, that account's password construction (its complexity) and lifecycle (how often it changes) are governed by the effective Oracle Privileged Account Manager Password Policy. Similarly, when applied to a target, the target's service account is governed by the Oracle Privileged Account Manager Password Policy.
Targets are software systems that contain one or more privileged accounts.
A Usage Policy applies on a grant and it controls when and how grantees can use a privileged account. For example, you can configure a Usage Policy to control when a user's access to an account will expire.
Users and groups (roles) are maintained in the Oracle Privileged Account Manager identity store. These users and groups can only access a privileged account through a grant. If a user or group member tries to access a privileged account, and Oracle Privileged Account Manager finds a grant, then the grantee is allowed to access the account based on that grant and its associated Usage Policy.
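As an added example, not code from the product, this hypothetical Python model ties together the entities above: a Usage Policy attached to a grant, the grant lookup and policy check at checkout, the password reset on both checkout and check-in, the forced check-in once the checkout window elapses, and an audit trail that records the real identity behind each action (the checkout and check-in behaviour described in Section 1.2). The class names, the hour-window policy, and the token_urlsafe reset are assumptions; demo() runs a constructed scenario.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class UsagePolicy:                     # applies to a grant (hypothetical model)
    allowed_hours: tuple[int, int] = (0, 24)     # hour window; default is 24x7
    max_checkout: timedelta = timedelta(hours=2)  # forced check-in after this
    def permits(self, now: datetime) -> bool:
        return self.allowed_hours[0] <= now.hour < self.allowed_hours[1]

@dataclass
class Account:                         # a privileged account on one target
    name: str
    target: str
    password: str = field(default_factory=lambda: secrets.token_urlsafe(12))
    holder: str | None = None          # real identity holding the checkout
    due_back: datetime | None = None

class Vault:
    def __init__(self) -> None:
        self.grants: dict[tuple[str, str], UsagePolicy] = {}   # (user, account)
        self.audit: list[tuple[datetime, str, str, str]] = []  # when, who, what, which
    def checkout(self, user: str, acct: Account, now: datetime) -> str:
        policy = self.grants.get((user, acct.name))
        if policy is None or not policy.permits(now):
            self.audit.append((now, user, "DENIED", acct.name))
            raise PermissionError(f"{user} has no usable grant on {acct.name}")
        if acct.holder is not None:
            raise RuntimeError(f"{acct.name} is held by {acct.holder}")
        acct.password = secrets.token_urlsafe(12)  # fresh value on every checkout
        acct.holder, acct.due_back = user, now + policy.max_checkout
        self.audit.append((now, user, "CHECKOUT", acct.name))
        return acct.password
    def checkin(self, user: str, acct: Account, now: datetime, why="CHECKIN") -> None:
        if acct.holder != user:
            raise RuntimeError(f"{acct.name} is not held by {user}")
        acct.password = secrets.token_urlsafe(12)  # checked-out value is now useless
        acct.holder = acct.due_back = None
        self.audit.append((now, user, why, acct.name))
    def auto_checkin(self, accounts: list[Account], now: datetime) -> None:
        for a in accounts:             # force check-in of overdue checkouts
            if a.holder and a.due_back and now >= a.due_back:
                self.checkin(a.holder, a, now, why="AUTO_CHECKIN")

def demo() -> tuple[list[str], bool, int]:
    # Constructed scenario: business-hours grant, forgotten check-in, two refusals.
    acct, vault = Account("root", "unix-host-01"), Vault()
    vault.grants[("alice", acct.name)] = UsagePolicy((8, 18), timedelta(hours=1))
    t0 = datetime(2024, 1, 15, 9, 0)
    first = vault.checkout("alice", acct, t0)
    vault.auto_checkin([acct], t0 + timedelta(hours=1))  # alice never checked in
    denied = 0
    for user, when in (("bob", t0), ("alice", t0.replace(hour=20))):  # no grant; after hours
        try:
            vault.checkout(user, acct, when)
        except PermissionError:
            denied += 1
    return [e[2] for e in vault.audit], first != acct.password, denied
```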