Oracle® Application Server Security Guide
10g Release 2 (10.1.2) B13999-03
This chapter discusses Oracle Application Server support for privilege delegation.
In an enterprise environment, you often deploy multiple applications against a shared infrastructure. For instance, you may have both your HR application and your sales application hosted in the same application server. These separate applications have separate administrators, but both depend on the security infrastructure supplied by the Oracle Internet Directory server.
Using the delegation model, a global administrator can delegate to realm administrators the privileges to create and manage the identity management realms for hosted companies. Realm administrators can, in turn, delegate to end users and groups the privileges to change their application passwords, personal data, and preferences. Each type of user can thus be given the appropriate level of privileges.
To delegate the necessary privileges, you assign the user to the appropriate administrative group. For example, suppose that you store data for both enterprise users and the e-mail service in the directory, and need to specify a unique administrator for each set of data. To specify a user as the administrator of enterprise users, you assign that user to, say, the Enterprise User Administrators Group. To specify a user as the administrator of the e-mail services, you assign that user to, say, the E-mail Service Administrators Group.
As Figure 5-1 shows, in an Oracle Application Server environment the directory superuser creates:
The Oracle Context
The realm
The realm-specific Oracle Context
The entry for the realm administrator
The realm administrator, in turn, delegates administration of the Oracle Context to specific users by assigning those users to the Oracle Context Administrators Group. Oracle Context Administrators then delegate administration of the Oracle Application Server to one or more users by assigning them to the Oracle Application Server Administrators Group. These administrators install and administer Oracle Application Server components and delegate administration of user and group data to other administrators. The latter can, in turn, delegate others to administer user and group data.
Note: Oracle Internet Directory provides tools, including Oracle Delegated Administration Services, that can be used for privilege delegation. For details see the Oracle Internet Directory Administrator's Guide.
If you are working in an existing Oracle Internet Directory, you must work with the Oracle Internet Directory administrator to ensure that you have the following privileges:
Administration privileges for Oracle Application Server. This enables you to install and configure Oracle Application Server components.
Privileges to delegate privileges to other users. This enables you to delegate privileges to application administrators (for example, the OracleAS Portal administrator).
To delegate administrative privileges, the Oracle Internet Directory super user does the following:
Creates an identity management realm
Identifies a special user in that realm, the realm administrator
Delegates all privileges to that realm administrator
This realm administrator, in turn, delegates certain privileges that Oracle components require to the Oracle defined roles—for example, Oracle Application Server administrators. The Oracle components receive these roles when they are deployed.
In addition to delegating privileges to roles specific to Oracle components, the realm administrator can also define roles specific to the deployment—for example, a role for help desk administrators—and grant privileges to those roles. These delegated administrators can, in turn, grant these roles to end users. In fact, because a majority of user management tasks involve self-service—like changing a phone number or specifying application-specific preferences—these privileges can be delegated to end users by both the realm administrator and Oracle component administrators.
In the case of a group, one or more owners—typically end users—can be identified. If they are granted the necessary administrative privileges, then these owners can manage the group by using Oracle Internet Directory Self-Service Console, Oracle Directory Manager, or command-line tools.
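The delegation chain described above (superuser to realm administrator to Oracle Context Administrators to Oracle Application Server Administrators to user and group administrators) is, in the directory, a chain of group memberships: a privilege is held by belonging to a group, and delegating it means adding another entry to that group. The following added example, which is not Oracle code and not the real Oracle Internet Directory layout, models that chain in Python. All distinguished names (the realm dc=example,dc=com, the group DNs under cn=OracleContext, the user entries) are constructed for illustration. The one security rule it enforces is the property that makes delegation safe: an actor may change a group's membership only with a privilege it actually holds, so a delegated administrator cannot grant anyone a privilege above its own level. The LDIF it produces is the modification an ldapmodify call would apply.

```python
"""Delegation by group membership (added example, not Oracle code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed identifiers; a real Oracle Internet Directory layout differs.
REALM = "dc=example,dc=com"
ORACLE_CONTEXT = f"cn=OracleContext,{REALM}"
SUPERUSER = "cn=orcladmin"                        # directory superuser
REALM_ADMIN = f"cn=realm-admin,cn=Users,{REALM}"  # created by the superuser

OCTX_ADMINS = f"cn=OracleContextAdmins,cn=Groups,{ORACLE_CONTEXT}"
IAS_ADMINS = f"cn=IAS Admins,cn=IAS,cn=Products,{ORACLE_CONTEXT}"
USER_ADMINS = f"cn=User Admins,cn=Groups,{ORACLE_CONTEXT}"


@dataclass
class Group:
    dn: str
    members: Set[str] = field(default_factory=set)
    # DN of the group whose members may change this group's membership.
    managed_by: Optional[str] = None


class Realm:
    def __init__(self) -> None:
        # The chain from the text: each group's membership is administered
        # by the group one step above it; the top is the realm administrator.
        self.groups: Dict[str, Group] = {}
        for dn, manager in ((OCTX_ADMINS, None),
                            (IAS_ADMINS, OCTX_ADMINS),
                            (USER_ADMINS, IAS_ADMINS)):
            self.groups[dn] = Group(dn, managed_by=manager)

    def is_member(self, user: str, group_dn: str) -> bool:
        return user in self.groups[group_dn].members

    def can_manage(self, actor: str, group_dn: str) -> bool:
        """The superuser and the realm administrator hold every privilege in
        the realm; anyone else must belong to the group's managing group."""
        if actor in (SUPERUSER, REALM_ADMIN):
            return True
        manager = self.groups[group_dn].managed_by
        return manager is not None and self.is_member(actor, manager)

    def add_member(self, actor: str, group_dn: str, new_member: str) -> str:
        """Record the delegation and return the LDIF ldapmodify would apply;
        raise PermissionError when the actor lacks the privilege."""
        if not self.can_manage(actor, group_dn):
            raise PermissionError(f"{actor} may not administer {group_dn}")
        self.groups[group_dn].members.add(new_member)
        return (f"dn: {group_dn}\n"
                "changetype: modify\n"
                "add: uniquemember\n"
                f"uniquemember: {new_member}\n")


def walk_delegation_chain() -> Dict[str, bool]:
    """Run the chain from the text and report which steps were permitted."""
    realm = Realm()
    users = f"cn=Users,{REALM}"
    alice, bob, carol = (f"cn={n},{users}" for n in ("alice", "bob", "carol"))
    outcome: Dict[str, bool] = {}
    # Realm administrator delegates Oracle Context administration to alice.
    outcome["realm_admin->alice:octx"] = bool(
        realm.add_member(REALM_ADMIN, OCTX_ADMINS, alice))
    # alice, now an Oracle Context administrator, delegates OracleAS
    # administration to bob.
    outcome["alice->bob:ias"] = bool(realm.add_member(alice, IAS_ADMINS, bob))
    # bob may delegate user administration to carol ...
    outcome["bob->carol:useradmin"] = bool(
        realm.add_member(bob, USER_ADMINS, carol))
    # ... but cannot escalate by granting Oracle Context administration,
    # a privilege he does not hold himself.
    try:
        realm.add_member(bob, OCTX_ADMINS, carol)
        outcome["bob->carol:octx"] = True
    except PermissionError:
        outcome["bob->carol:octx"] = False
    return outcome


if __name__ == "__main__":
    for step, allowed in walk_delegation_chain().items():
        print(f"{step:28s} {'allowed' if allowed else 'denied'}")
```

The `managed_by` link is what Oracle Delegated Administration Services and directory access control lists provide in a real deployment; the example keeps it explicit so the escalation check is visible in one place.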
This release of Oracle Application Server provides fine-grained control over system administration and management privileges. Oracle Application Server supports a least privilege model that provides clear separation of duties.
The least privilege model allows developers to:
Delegate only the privileges necessary for installation and administration
Grant application administration permissions without making the application administrator an Oracle Internet Directory superuser
Separation of duties allows developers to:
Isolate application installation privileges from application administration privileges
Encapsulate privileges for each application, so that permission to deploy one component does not grant the right to deploy or administer other components
The privilege model supports the following user roles:
Oracle Application Server Installation Administrator
Responsible for installing and uninstalling applications. This administrative privilege is distinct from the next privilege, Oracle Application Server Application Administrator.
Oracle Application Server Application Administrator
Responsible for managing the roles and privileges used within an application.
Oracle Identity Management Infrastructure Administrator
Responsible for managing Oracle Internet Directory and other Identity Management technologies.
Oracle Application Server Application User
Has no responsibilities; runs the application and has only the permissions granted by the application.
Note: The same user may perform multiple roles.
Many Oracle components administer user entries in Oracle Internet Directory and need the corresponding privileges. For example:
When the Oracle Application Server Single Sign-On server authenticates a user, that server:
Connects to Oracle Internet Directory using its own identity
Verifies that the password entered by the user matches that user's password stored in the directory
To do this, the Oracle Application Server Single Sign-On server needs permission to compare user passwords. To set up the Oracle Application Server Single Sign-On cookie, it needs permission to read user attributes.
To grant access to a user, OracleAS Portal must retrieve that user's attributes. To do this, it logs in to Oracle Internet Directory as a proxy user, impersonating the user seeking access. It therefore needs the privileges of a proxy user.
In general, Oracle components can require these privileges:
Read and modify user passwords
Compare user passwords
Proxy on behalf of users accessing applications
Administer the Oracle Context where all Oracle components store their metadata
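The component privileges listed above differ in an important way: the single sign-on server verifies a password with a compare operation and does not need to read the stored value, while OracleAS Portal acts through a proxy bind and should gain only the rights of the user it impersonates. The following added example, which is not Oracle code and does not use the real Oracle Internet Directory access control syntax, models those rules in Python with a simplified rule list and a deny-by-default evaluator. Component and user DNs (cn=sso-server and cn=portal under cn=OracleContext, the users alice and bob) are constructed for illustration. It shows that the single sign-on identity can compare but not read userPassword, and that the portal identity gets nothing on its own but, when proxying for alice, exactly alice's self-service rights and no more.

```python
"""Least-privilege rules for Oracle components (added example, not Oracle's
access control syntax or its product identities)."""
from typing import FrozenSet, List, NamedTuple, Optional

# Constructed DNs; a real Oracle Internet Directory layout differs.
OCTX = "cn=OracleContext,dc=example,dc=com"
SSO_SERVER = f"cn=sso-server,cn=Products,{OCTX}"
PORTAL = f"cn=portal,cn=Products,{OCTX}"
ALICE = "cn=alice,cn=Users,dc=example,dc=com"
BOB = "cn=bob,cn=Users,dc=example,dc=com"
SELF = "self"  # pseudo-subject: the entry being accessed is the actor's own


class Rule(NamedTuple):
    subject: str                 # identity (DN) or SELF
    attribute: str               # target attribute, '*' for any
    operations: FrozenSet[str]   # subset of read, compare, write, proxy


POLICY: List[Rule] = [
    # The single sign-on server verifies passwords by compare only, and
    # reads the attributes it places in its cookie.
    Rule(SSO_SERVER, "userPassword", frozenset({"compare"})),
    Rule(SSO_SERVER, "cn", frozenset({"read"})),
    Rule(SSO_SERVER, "mail", frozenset({"read"})),
    # Portal may bind as a proxy for a user and holds no rights of its own.
    Rule(PORTAL, "*", frozenset({"proxy"})),
    # Self-service: a user reads the own entry and changes password/phone.
    Rule(SELF, "*", frozenset({"read"})),
    Rule(SELF, "userPassword", frozenset({"write"})),
    Rule(SELF, "telephoneNumber", frozenset({"write"})),
]


def _allowed(subject: str, op: str, attribute: str, target: str) -> bool:
    """Deny unless some rule grants the operation to this subject."""
    for rule in POLICY:
        subject_ok = rule.subject == subject or (
            rule.subject == SELF and subject == target)
        attribute_ok = rule.attribute in ("*", attribute)
        if subject_ok and attribute_ok and op in rule.operations:
            return True
    return False


def authorize(actor: str, op: str, attribute: str, target: str,
              proxy_for: Optional[str] = None) -> bool:
    """Decide whether actor may perform op on attribute of target.
    With proxy_for set, the actor must hold 'proxy' and then acts with the
    proxied user's rights only; its own rules are not consulted."""
    if proxy_for is not None:
        if not _allowed(actor, "proxy", "*", target):
            return False
        return _allowed(proxy_for, op, attribute, target)
    return _allowed(actor, op, attribute, target)


def component_checks() -> dict:
    """The accesses discussed in the text, evaluated against POLICY."""
    return {
        "sso compares alice password":
            authorize(SSO_SERVER, "compare", "userPassword", ALICE),
        "sso reads alice password":
            authorize(SSO_SERVER, "read", "userPassword", ALICE),
        "sso reads alice mail":
            authorize(SSO_SERVER, "read", "mail", ALICE),
        "portal reads alice mail directly":
            authorize(PORTAL, "read", "mail", ALICE),
        "portal reads alice mail as alice":
            authorize(PORTAL, "read", "mail", ALICE, proxy_for=ALICE),
        "portal reads bob mail as alice":
            authorize(PORTAL, "read", "mail", BOB, proxy_for=ALICE),
        "alice changes own password via portal":
            authorize(PORTAL, "write", "userPassword", ALICE, proxy_for=ALICE),
        "sso proxies as alice":
            authorize(SSO_SERVER, "read", "mail", ALICE, proxy_for=ALICE),
    }


if __name__ == "__main__":
    for check, allowed in component_checks().items():
        print(f"{check:40s} {'allowed' if allowed else 'denied'}")
```

The evaluator is deliberately deny-by-default and consults only the proxied user's rules after a proxy bind, which is the property to verify when reviewing a real deployment's access control: a proxy identity that also carries direct read rights on user entries would let the component see more than the user it is acting for.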
See Also: For a comprehensive discussion of privilege delegation, see the Oracle Internet Directory Administrator's Guide.