4 Delegating Administration

Delegating administration allows a high-level administrator to grant responsibilities to other, more local administrators. This is useful in large organizations where it may be necessary to administer thousands or millions of users. With this release of Oracle Access Management, a System Administrator can delegate administration of Application Domains to other administrators. An Application Domain Administrator role has been developed towards the end.

The following topics provide an overview of delegating administration, such as determining what rights you want to grant to another user:

• Understanding Administrator Roles

• About Delegating the Identity Store

• Assigning Roles Using the Administration Console

• Understanding the Container Security Framework and MBeans

• Using the Remote Registration Utility

• About Auditing Reports

4.1 Understanding Administrator Roles

After you complete the installation, Access Manager has a set of pre-defined roles that you can assign to administrators, such as the Access Manager System Administrator.

See About Oracle Access Management Administrators.

You can assign the following to Access Manager system administrators:

• All Application and component policy objects (including Resources, Authentication Policies, Authorization Policies, and Token Issuance Policies)

• Shared components (including Authentication Schemes, Host Identifiers, and Resource Types)

• System configuration (including Common Configuration, Access Manager settings and Authentication Modules, Security Token Service Settings, Custom Tokens, Endpoints, Templates and Profiles, and Access Manager Agents and Security Token Service Partners)

• Agents and partners

A System Administrator can grant the rights to administer an Application Domain to an Application (Domain) Administrator. (A virtual Access Manager Administrator group is defined and mapped to the Application Administrator role.) An Application Administrator can further delegate the rights to administer one or more of their Application Domains to other Application Administrators. An Application Administrator can create and edit Resources, Authentication Policies and Authorization Policies. These rights are scoped to one or more Application Domains.

Note:

Only the System Administrator can assign roles to users; users cannot further delegate that role to others.

The System Administrator, Application Administrator and Help Desk Administrator roles are mutually exclusive; that is, a group or user can be assigned to only one such administrator role. However, the Application Administrator and Agent Administrator roles can be assigned to the same user or group.

Table 4-1 documents details about the pre-defined administrator roles.

Table 4-1 Roles for Delegating Administration

Role Name	Description
System Administrator	Access to entire Oracle Access Management Console including policy creation and system configuration; encompasses the privileges to manage all system configurations, policy objects, Access Manager Settings, Agents, Authentication Modules, Authentication Schemes, Host Identifiers, Resource Types, Federation Partners and Enterprise Single Sign-on policies. Additionally, Security Token Service Settings, Partners, Custom Tokens, Endpoints, Templates and Profiles can be managed. NOTE: The System Administrator does not support seamless failover. If one server goes offline, the System Administrator can re-login and continue on the other server(s) in the cluster.
Application Administrator	Access to policy creation and resources in the specified Application Domain. This role has access to the Application Registration Quick Wizard link.
Help Desk Administrator	Access to the Help Desk console.
Agent Administrator	Access to the Agent configuration pages. This role has access to the Agent Registration Quick Wizard link.
Authenticated User	Access to the Self Service Launch Pad and pages.

See Oracle Access Management Console and the Policy Manager Console.

See Understanding the Oracle Access Management Console.

4.2 About Delegating the Identity Store

The Access Manager System Identity Store is used to enforce authentication and authorization during the execution of administrative operations.

The LDAP Directory defined as the System Identity Store will contain all the administrators having access to the Administration Console. An administrator can define a new User Identity Store and select one of the existing profiles as the System Identity Store but only the System Administrator can modify the current System Identity Store or switch to a new one.

When migrating to a new Identity Store, if users from the new store are assigned Access Manager roles, those privileges become active and are enforced by Access Manager. The administrator will be responsible for removing any delegated administration privileges for the new Identity Store and the Access Manager Administrator group will be mapped to the Administrator role of the new identity store.

Note:

If the user currently logged in does not have the necessary administrator roles in the new system store, the Administration Console will log out or refresh so that it is compliant with the roles assigned to the current administrator.

4.3 Assigning Roles Using the Administration Console

The System Administrator can use the Oracle Access Management Console to assign roles to users or groups that cover specific Application Domains. Users can be assigned multiple roles as long as the functionality doesn't overlap.

For example, if user X is assigned Global Policy Administrator, the user cannot be granted Policy Administrator for the HR domain because the latter is a child of the former.

Note:

Roles can be assigned only to users or groups from the system/default store.

From a high level:

1. When delegating administration for a specific policy object or a set of policy objects, the delegator selects the item(s) and assigns the user(s), group(s), LDAP Search Filter(s) or Domain System role(s) to it.
2. When delegating administration for all objects of a specific type, the delegator will select the user(s), group(s), LDAP Search Filter(s) or Domain System role(s) and grant the rights to administer the objects of that type to the selected. In this case, the administrator can't select objects for which administration is being delegated; the administrator will select a role that is granted to the appropriate delegatee with a specific right.

4.4 Understanding the Container Security Framework and MBeans

MBeans that enforce authentication and authorization using the container security framework are published using the Portable JMX Framework.

Types of MBeans:

• The Configuration Service MBeans are used for configuring the Certificate Validation Module, the STS Endpoints, Templates & Profiles, and the STS Settings & Custom Tokens.

• The Partner and Trust Store Service MBeans are used for managing the STS Partners.

At runtime, the JMX Framework will authenticate the client during the connection operation and ensure that the client belongs to the role specified in the MBean security annotations. Because of this, the Access Manager System Identity Store needs to be configured as an Authentication Provider in the security realm of the domain. Additionally, users accessing the MBeans will need to be assigned the following role depending on the container:

• WebLogic: Admin

• WebSphere: Admin or Configurator

4.5 Using the Remote Registration Utility

The Remote Registration Utility (RREG) is also governed by the roles assigned to the user invoking them. When using RREG to remotely register agents, the administrator provides credentials that allows the RREG client to successfully connect and authenticate to the RREG Access Manager Server, this in turn, propagates the client's identity to the Access Manager components that will enforce the appropriate administration roles.

The following might occur when running the RREG based on the administrator's role:

• In a creation operation:

  • A new agent entry can be provisioned.

  • A HostID for that Agent can be created.

  • An Application for that agent might be created.

  • Resources might be added to the new Application using the newly created HostID.

• In an update operation:

  • Agent settings can be changed.

  • A HostID for that agent can be changed.

  • An Application for that agent can be created if it does not exist.

  • Resources can be added to the Application.

The RREG administrator must be assigned roles to ensure successful completion of the administrative operations.

• The System Administrator role to create/update an Agent.

• The OAM Shared Component Administrator / System Administrator role to create/update an HostID entry.

• The OAM Domain Administrator role / System Administrator to create/update an Application and create/configure Resources.

After executing the RREG command, the administrator will be set as the delegated administrator for the created Application, Agent and HostID.

4.6 About Auditing Reports

Auditing becomes even more critical when administration has been delegated to several users. All policy object and system configuration operations performed by administrators through the Administration Console or programmatically are logged and informational reports can be generated.

See Introduction to Oracle Fusion Middleware Auditing.