13 Collections Configuration Center Security

Learn how to install and implement Oracle Communications Collections Configuration Center and its components in a secure configuration.

About Installing Collections Configuration Center

Before installing Collections Configuration Center, ensure that Java, Oracle Identity and Access Management components, and Oracle Communications Billing and Revenue Management (BRM) REST Services Manager are installed and configured.

For installation instructions, including all required products and related tasks, such as setting up KeyStores and SSL, see Collections Configuration Center Installation Guide.

About Implementing Collections Configuration Center Security

Collections Configuration Center adheres to strict authorization and authentication requirements. This section outlines how to implement its supported security features.

Note:

This section provides information specific to implementations that use Oracle Identity Cloud Service (IDCS). You can use another OpenID Connect (OIDC) provider. If you do, consult your provider's documentation for implementation information.

About Identity and Access Management

To authenticate users when they log in and to control user access to functionality, Collections Configuration Center uses the following Oracle Identity and Access Management components in a production environment:

  • Oracle Identity Cloud Service (IDCS)

  • BRM REST Services Manager for authentication and authorization enforcement

These components are required for a Collections Configuration Center implementation.

About Authentication

Authentication verifies a user’s identity. The authentication scheme used by Collections Configuration Center is designed for environments where a central user identity repository, containing all enterprise users, authenticates sign-in requests.

Collections Configuration Center supports single sign-on (SSO).

About Authorization

Authorization grants users privileges (entitlements) appropriate for their job functions while denying access to other functionality. BRM REST Services Manager handles authorization for Collections Configuration Center. Users without entitlements are denied access to Collections Configuration Center. For information about the default roles available, see "About Roles for Accessing Collections Configuration Center Functions".

Storing Collections Configuration Center Passwords in Oracle Wallet

By default, the Collections Configuration Center installer stores sensitive information, such as passwords, in the Oracle wallet. The Collections Configuration Center application retrieves these passwords from the wallet. If passwords are also stored in configuration files, the application retrieves them from configuration files by default.

When retrieving passwords from configuration files, the application automatically decrypts them.

Typically, passwords in configuration files are encrypted by using the Oracle ZT PKI format. For more information, see "Encrypting Data" in BRM Developer's Guide.

Note:

To encrypt passwords associated with customizations, use the pin_crypt_app utility. For more details, see "About Encrypting Passwords" in BRM Developer's Guide.

Setting Up OAuth with Oracle Identity Cloud Service

Collections Configuration Center uses the OAuth 2.0 protocol to authenticate a user's identity and to authorize the user to access its features. Authentication is handled through BRM REST Services Manager.

To set up authentication and authorization for your client, you must use Oracle Identity Cloud Service to perform the following high-level steps:

  1. Creating Roles (Groups)

  2. Assigning Users to Groups

  3. Assigning Roles to Application Functions

  4. Encoding the Client ID and Client Secret in Base64 Format

Creating Roles (Groups)

Users are granted access to the Collections Configuration Center through Oracle Identity Cloud Service groups. To grant users access, you first create the groups in Identity Cloud Service as described below and then assign users to those groups as described in "Assigning Users to Groups".

The sample groups (roles) are Billing Viewer, CreateAccess, DeleteAccess, and UpdateAccess. You can create additional roles according to your business requirements. If you create new roles, you must configure those roles to have access to endpoints. See "Assigning Roles to Application Functions" for more information.

To create a group in Identity Cloud Service:

  1. In the Identity Cloud Service console, expand the Navigation Drawer and then click Identity & Security.

  2. Click Domains and select your identity domain.

  3. Click User management, scroll down to the Groups section, and click Create group.

  4. In the Add Group dialog box, in the Name field, enter the name of the new group. If you are using the default configuration, create the Billing Viewer, CreateAccess, DeleteAccess, and UpdateAccess groups. If you are using custom groups, ensure that you create all of them.

  5. Click Create.

Assigning Users to Groups

You can assign users to either the default groups or to any custom groups you create.

To assign users to the appropriate group for accessing Collections Configuration Center:

  1. In the Identity Cloud Service console, expand the Navigation Drawer and then click Identity & Security.

  2. Click Domains and select your identity domain.

  3. Click User management and scroll down to the Users section.

  4. Select a user that needs access to Collections Configuration Center.

  5. In the user's page, select Groups at the top.

  6. In the Groups page, click Assign user to group.

  7. In the Assign Groups dialog box, select all groups the user should belong to. For more information about the default groups, see "About Roles for Accessing Collections Configuration Center Functions".

  8. Click Assign User.

Assigning Roles to Application Functions

Users are granted access to Collections Configuration Center through Oracle Identity Cloud Service groups. You then assign those groups to endpoints in the authorization-policy.yaml file. You do not need to change this file if you use only the default roles. See "About Roles for Accessing Collections Configuration Center Functions" for information about the default roles.

To change the assignment of roles to the application functions:

  1. Edit the BRM_home/scripts/authorization-policy.yaml file.

    The paths and endpoints are listed in the file. For example:

    - path: "/brm/collections/configuration/v5/aging-bucket[{*}]"
      sockets: [ ]
      methods: [ "post" ]
      action: createAgingBucket
      abac:
        policy-validator:
          statement: "${(inRole(user, 'CreateAccess') && inRole(user, 'Billing Viewer'))}"

    In the statement above, to create an aging bucket, a user must belong to both CreateAccess and Billing Viewer groups.

  2. Locate the application functions that you want to change and update them with your new logic. You can use the following operators:

    • || (OR)

    • && (AND)

    • ! (NOT)

    • == (equals)

    • != (not equal)

  3. Save and close the authorization-policy.yaml file.

  4. Restart BRM REST Services Manager.
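To see how a policy-validator statement like the one above decides whether a request is allowed, here is an added Python model of the statement grammar shown on this page. It is not the evaluator inside BRM REST Services Manager; it assumes that inRole(user, 'Group') tests the user's group membership, that the five operators listed above combine with the usual precedence (! binds tightest, then == and !=, then &&, then ||), and that parentheses group as written. The user memberships are constructed samples.

```python
"""Model of how an authorization-policy.yaml statement gates an endpoint.

Added example: NOT the evaluator inside BRM REST Services Manager. It assumes
the grammar visible on this page: a ${...} wrapper around inRole(user, 'X')
calls combined with ||, &&, !, ==, != and parentheses.
"""
import re

# One token per match: an operator/parenthesis or an inRole(user, '...') call.
# Leading whitespace is skipped; "!=" and "==" are tried before "!".
TOKEN_RE = re.compile(
    r"\s*(?:(\|\||&&|==|!=|[!()])"
    r"|inRole\(\s*user\s*,\s*'([^']*)'\s*\))"
)


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {expr[pos:]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("op", m.group(1)))
        else:
            tokens.append(("role", m.group(2)))
    return tokens


class Parser:
    """Recursive-descent evaluator over the token list for one user."""

    def __init__(self, tokens, groups):
        self.tokens, self.i, self.groups = tokens, 0, frozenset(groups)

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected}, got {tok}")
        self.i += 1
        return tok

    # Both operands are always parsed (no short-circuit) so the token position
    # advances correctly; inRole checks have no side effects, so this is safe.
    def parse_or(self):
        v = self.parse_and()
        while self.peek() == ("op", "||"):
            self.take()
            rhs = self.parse_and()
            v = v or rhs
        return v

    def parse_and(self):
        v = self.parse_eq()
        while self.peek() == ("op", "&&"):
            self.take()
            rhs = self.parse_eq()
            v = v and rhs
        return v

    def parse_eq(self):
        v = self.parse_not()
        while self.peek() in (("op", "=="), ("op", "!=")):
            op = self.take()[1]
            rhs = self.parse_not()
            v = (v == rhs) if op == "==" else (v != rhs)
        return v

    def parse_not(self):
        if self.peek() == ("op", "!"):
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == ("op", "("):
            v = self.parse_or()
            self.take(("op", ")"))
            return v
        if tok[0] == "role":
            return tok[1] in self.groups  # inRole(user, 'X'): membership test
        raise ValueError(f"unexpected token {tok}")


def evaluate(statement, user_groups):
    """Return True if a user holding user_groups satisfies the statement."""
    m = re.fullmatch(r"\s*\$\{(.*)\}\s*", statement, re.S)
    if not m:
        raise ValueError("statement must be wrapped in ${...}")
    p = Parser(tokenize(m.group(1)), user_groups)
    result = p.parse_or()
    if p.peek() is not None:
        raise ValueError(f"trailing tokens: {p.tokens[p.i:]}")
    return bool(result)


# The createAgingBucket statement quoted from this page's sample policy.
CREATE_AGING_BUCKET = "${(inRole(user, 'CreateAccess') && inRole(user, 'Billing Viewer'))}"

# Constructed sample memberships, not real accounts.
SAMPLE_USERS = {
    "alice": {"Billing Viewer", "CreateAccess"},
    "bob": {"CreateAccess"},  # has create rights but lacks Billing Viewer
    "carol": {"Billing Viewer", "DeleteAccess"},
    "dave": set(),
}


def decide(statement, users=SAMPLE_USERS):
    """Map each sample user to the allow/deny decision for one endpoint."""
    return {name: evaluate(statement, groups) for name, groups in users.items()}
```

Running decide(CREATE_AGING_BUCKET) shows that only alice is allowed: bob holds CreateAccess but not Billing Viewer, and the && in the statement requires both, which is exactly why the default Billing Viewer role must be assigned alongside the others. Any statement you write for a custom role can be checked the same way against the memberships you intend to grant before you restart BRM REST Services Manager.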

Encoding the Client ID and Client Secret in Base64 Format

Before you can request an OAuth access token, you must encode your client ID and client secret in Base64 format. Generate a Base64-encoded value of your client ID and client secret joined by a single colon (ClientID:ClientSecret).

You pass the Base64-encoded value in the header of your HTTP/HTTPS request for an OAuth access token.
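The following added Python helper builds that value and the request header that carries it. It is not from the Oracle documentation; it assumes the encoded value is sent as an HTTP Basic credential (Authorization: Basic <value>), which is the usual way an OAuth 2.0 client presents ClientID:ClientSecret to a token endpoint, so confirm the header name against your identity provider's token-endpoint documentation. The client ID and secret used in the tests are constructed placeholders.

```python
"""Build the Base64 ClientID:ClientSecret credential for a token request.

Added example, not from the Oracle documentation. Assumes the value is
carried as an HTTP Basic credential (Authorization: Basic <value>).
"""
import base64


def encode_client_credentials(client_id: str, client_secret: str) -> str:
    """Return Base64(ClientID:ClientSecret) with no trailing newline."""
    # The receiving side splits on the first colon, so a colon inside the
    # client ID would shift part of the ID into the secret.
    if ":" in client_id:
        raise ValueError("client ID must not contain ':'")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    # base64.b64encode emits no line breaks. A shell pipeline such as
    # `echo "$ID:$SECRET" | base64` would also encode the trailing '\n' and
    # the token endpoint would reject the credential; use `printf '%s'` there.
    return base64.b64encode(raw).decode("ascii")


def basic_auth_header(client_id: str, client_secret: str) -> dict:
    """Header to attach to the HTTPS request for the OAuth access token."""
    value = encode_client_credentials(client_id, client_secret)
    return {"Authorization": "Basic " + value}


def decode_client_credentials(encoded: str) -> tuple:
    """Inverse of encode_client_credentials; handy to verify a stored value."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    client_id, sep, client_secret = raw.partition(":")
    if not sep:
        raise ValueError("decoded value has no ':' separator")
    return client_id, client_secret
```

Treat the encoded value with the same care as the secret itself: Base64 is an encoding, not encryption, and decode_client_credentials recovers the plaintext secret from it, so it belongs in the wallet or an encrypted configuration entry rather than in scripts or logs.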

About Roles for Accessing Collections Configuration Center Functions

Table 13-1 lists the roles (groups) provided by default to control access to Collections Configuration Center functions. You can add custom roles as needed.

Table 13-1 Roles for Collections Configuration Center

Role Name        Description
---------------  --------------------------------------------------------------------
Billing Viewer   This role allows users to view information in the UI. By default, it
                 is also required, in addition to other roles, for access to other
                 functions.
CreateAccess     This role allows users to create objects in the UI.
DeleteAccess     This role allows users to delete objects in the UI.
UpdateAccess     This role allows users to update objects in the UI.