With this release of Oracle Access Manager, a System Administrator has the capability to delegate administration of Application Domains to other administrators. An Application Domain Administrator role has been developed towards this end.
This chapter contains details about delegating administration in the following sections.
Delegating administration allows a high-level administrator to grant responsibilities to other, more local administrators. This is useful in large organizations where it may be necessary to administer thousands or millions of users. When you delegate administration, you determine what rights you want to grant to another user.
A Super/System Administrator can grant the rights to administer an Application Domain to an Application Domain Adminstrator. An Application Domain Adminstrator can further delegate the rights to administer one or more of their Application Domains to other Application Domain Administrators. An Application Domain Administrator can create and edit Resources, Authentication Policies and Authorization Policies. These rights are scoped to one or more Application Domains.
Pre-defined, default roles are available after installing Access Manager. These administrative roles are hierarchical in nature with the parent (super) role having a super-set of privileges that can be assigned to child roles. The Access Manager System Administrator can administer the following:
All Application and component policy objects (including Resources, Authentication Policies, Authorization Policies, and Token Issuance Policies)
Shared components (including Authentication Schemes, Host Identifiers, and Resource Types)
System configuration (including Common Configuration, Access Manager settings and Authentication Modules, Security Token Service Settings, Custom Tokens, Endpoints, Templates and Profiles, and Access Manager Agents and Security Token Service Partners)
Agents and partners
System Administrators can delegate rights to administer one or more Application Domains to an Application Domain Adminstrator. An Application Domain Adminstrator can further delegate the rights to administer one or more of their Application Domains to other Application Domain Administrators.
Note:Only a Super or Global System Administrator can assign roles to users; users cannot further delegate that role to others.
Table 4-1 documents the default administrator roles.
Access to entire Oracle Access Management Console including policy creation and system configuration
Application Domain Administrator
Access to policy creation and resources in the specified Application Domain.
The Access Manager System Identity Store is used to enforce authentication and authorization during the execution of administrative operations. The LDAP Directory defined as the System Identity Store will contain all the administrators having access to the Administration Console. An administrator can define a new User Identity Store and select one of the existing profiles as the System Identity Store but only the System Administrator can modify the current System Identity Store or switch to a new one.
When migrating to a new Identity Store, if users from the new store are assigned Access Manager roles, those privileges become active and are enforced by Access Manager. The administrator will be responsible for removing any delegated administration privileges for the new Identity Store and the Access Manager Administrator group will be mapped to the Administrator role of the new identity store.
Note:If the user currently logged in does not have the necessary administrator roles in the new system store, the Administration Console will log out or refresh so that it is compliant with the roles assigned to the current administrator.
The System Administrator can use the Oracle Access Management Console to assign roles to users or groups that cover specific Application Domains. Users can be assigned multiple roles as long as the functionality doesn't overlap. For example, if user X is assigned Global Policy Administrator, the user cannot be granted Policy Administrator for the HR domain because the latter is a child of the former.
Note:Roles can be assigned only to users or groups from the system/default store.
From a high level:
When delegating administration for a specific policy object or a set of policy objects, the delegator selects the item(s) and assigns the user(s), group(s), LDAP Search Filter(s) or Domain System role(s) to it.
When delegating administration for all objects of a specific type, the delegator will select the user(s), group(s), LDAP Search Filter(s) or Domain System role(s) and grant the rights to administer the objects of that type to the selected. In this case, the administrator can't select objects for which administration is being delegated; the administrator will select a role that is granted to the appropriate delegatee with a specific right.
Note:Customers using Oracle Identity Manager (or Oracle Identity Manager XE) may want to define Enterprise Roles that are common to all of IDM and use OIM to assign users and groups to these Enterprise Roles. The Administration Console allows for this.
A virtual Access Manager Administrator group is defined and mapped to the Domain Administrator role. The Access Manager Administrator group will be assigned the Access Manager roles in the following list.
System Administrator encompasses the privileges to manage all system configurations and policy objects.
System Administrator encompasses the privileges to manage System Configuration, Common Configuration, Access Manager Settings, Agents, Authentication Modules, Authentication Schemes, Host Identifiers, Resource Types, Federation Partners and Enterprise Single Sign-on policies. Additionally, Security Token Service Settings, Partners, Custom Tokens, Endpoints, Templates and Profiles can be managed.
Application Domain Administrator encompasses the privileges to manage objects in an Application Domain.
The IDM Suite Navigator will define administrator roles that allow an administrator assigned with that role to perform similar administrative tasks in the different components of the IDM suite. For example, if the IDM Suite Navigator defines the IDM Suite Administrator role, an administrator assigned with that role would be granted with the following:
OAM System Administrator Role
OAAM Administrator Role
OIF Administrator Role
MBeans that enforce authentication and authorization using the container security framework are published using the Portable JMX Framework.
The Configuration Service MBeans are used for configuring the Certificate Validation Module, the STS Endpoints, Templates & Profiles, and the STS Settings & Custom Tokens.
The Partner and Trust Store Service MBeans are used for managing the STS Partners.
At runtime, the JMX Framework will authenticate the client during the connection operation and ensure that the client belongs to the role specified in the MBean security annotations. Because of this, the Access Manager System Identity Store needs to be configured as an Authentication Provider in the security realm of the domain. Additionally, users accessing the MBeans will need to be assigned the following role depending on the container:
WebSphere: Admin or Configurator
The Remote Registration Utility (RREG) is also governed by the roles assigned to the user invoking them. When using RREG to remotely register agents, the administrator provides credentials that allows the RREG client to successfully connect and authenticate to the RREG Access Manager Server; this, in turn, propagates the client's identity to the Access Manager components that will enforce the appropriate administration roles. The following might occur when running the RREG based on the administrator's role:
In a creation operation:
A new agent entry can be provisioned.
A HostID for that Agent can be created.
An Application for that agent might be created.
Resources might be added to the new Application using the newly created HostID.
In an update operation:
Agent settings can be changed.
A HostID for that agent can be changed.
An Application for that agent can be created if it does not exist.
Resources can be added to the Application.
The RREG administrator must be assigned roles to ensure successful completion of the administrative operations.
The System Administrator role to create/update an Agent.
The OAM Shared Component Administrator / System Administrator role to create/update an HostID entry.
The OAM Domain Administrator role / System Administrator to create/update an Application and create/configure Resources.
After executing the RREG command, the administrator will be set as the delegated administrator for the created Application, Agent and HostID.
Auditing becomes even more critical when administration has been delegated to several users. All policy object and system configuration operations performed by administrators through the Administration Console or programmatically are logged and informational reports can be generated. For more information, see Chapter 9, "Auditing Administrative and Run-time Events."