Oracle® Application Server Security Guide
10g Release 2 (10.1.2)
B13999-03
5 Privilege Delegation

This chapter discusses Oracle Application Server support for privilege delegation. It contains the following topics:

5.1 Introduction

In an enterprise environment, you often deploy multiple applications against a shared infrastructure. For instance, you may have both your HR application and your sales application hosted in the same application server. These separate applications have separate administrators, but both depend on the security infrastructure supplied by the Oracle Internet Directory server.

5.1.1 How Delegation Works

Using the delegation model, a global administrator can delegate to realm administrators the privileges to create and manage the identity management realms for hosted companies. Realm administrators can, in turn, delegate to end users and groups the privileges to change their application passwords, personal data, and preferences. Each type of user can thus be given the appropriate level of privileges.

To delegate the necessary privileges, you assign the user to the appropriate administrative group. For example, suppose that you store data for both enterprise users and the e-mail service in the directory, and need to specify a unique administrator for each set of data. To specify a user as the administrator of enterprise users, you assign that user to, say, the Enterprise User Administrators Group. To specify a user as the administrator of the e-mail services, you assign that user to, say, the E-mail Service Administrators Group.

5.2 Delegating Privileges

As Figure 5-1 shows, in an Oracle Application Server environment the directory superuser creates:

The realm administrator, in turn, delegates administration of the Oracle Context to specific users by assigning those users to the Oracle Context Administrators Group. Oracle Context Administrators then delegate administration of the Oracle Application Server to one or more users by assigning them to the Oracle Application Server Administrators Group. These administrators install and administer Oracle Application Server components and delegate administration of user and group data to other administrators. The latter can, in turn, delegate others to administer user and group data.


Note:

Oracle Internet Directory provides tools, including Oracle Delegated Administration Services, that can be used for privilege delegation. For details see the Oracle Internet Directory Administrator's Guide.

If you are working in an existing Oracle Internet Directory, you must work with the Oracle Internet Directory administrator to ensure that you have the following privileges:

Figure 5-1 Delegation Flow

5.2.1 How Privileges Are Granted for Managing User and Group Data

To delegate administrative privileges, the Oracle Internet Directory superuser does the following:

  1. Creates an identity management realm

  2. Identifies a special user in that realm, the realm administrator

  3. Delegates all privileges to that realm administrator

This realm administrator, in turn, delegates certain privileges that Oracle components require to the Oracle-defined roles—for example, Oracle Application Server administrators. The Oracle components receive these roles when they are deployed.

In addition to delegating privileges to roles specific to Oracle components, the realm administrator can also define roles specific to the deployment—for example, a role for help desk administrators—and grant privileges to those roles. These delegated administrators can, in turn, grant these roles to end users. In fact, because a majority of user management tasks involve self-service—like changing a phone number or specifying application-specific preferences—these privileges can be delegated to end users by both the realm administrator and Oracle component administrators.

In the case of a group, one or more owners—typically end users—can be identified. If they are granted the necessary administrative privileges, then these owners can manage the group by using Oracle Internet Directory Self-Service Console, Oracle Directory Manager, or command-line tools.
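The delegation chain described in Sections 5.1.1 and 5.2.1 (superuser to realm administrator to Oracle Context administrators to Oracle Application Server administrators to user and group data administrators to end users) can be modelled as a small least-privilege check: a delegator may only pass on privileges it already holds. This is an added illustration, not code from the Oracle Application Server Security Guide or from Oracle Internet Directory; the group and privilege names are assumptions chosen for the example, not Oracle's own directory entries.

```python
from collections import defaultdict
class DelegationError(Exception):
    """A delegator tried to hand out a privilege it does not itself hold."""

class DelegationModel:
    def __init__(self, superuser_privs):
        self.group_privs = defaultdict(set)  # group -> privileges granted to it
        self.members = defaultdict(set)      # group -> principals assigned to it
        self.group_privs["DirectorySuperuser"] = set(superuser_privs)
    def privileges_of(self, principal):
        # Privileges held directly or via (possibly nested) group membership.
        held = set(self.group_privs.get(principal, ()))
        for group, members in list(self.members.items()):
            if principal in members:
                held |= self.privileges_of(group)
        return held
    def assign(self, principal, group):
        self.members[group].add(principal)
    def delegate(self, delegator, group, privs):
        # Least privilege: only privileges the delegator already holds may flow down.
        missing = set(privs) - self.privileges_of(delegator)
        if missing:
            raise DelegationError(f"{delegator} cannot delegate {sorted(missing)}")
        self.group_privs[group] |= set(privs)

def build_chain():
    # Assumed privilege and group names; the chain itself follows Figure 5-1.
    m = DelegationModel({"create_realm", "manage_context", "install_component",
                         "manage_users", "manage_groups", "self_service"})
    m.assign("superuser", "DirectorySuperuser")
    m.delegate("superuser", "RealmAdministrators", m.privileges_of("superuser"))
    m.assign("realm_admin", "RealmAdministrators")
    m.delegate("realm_admin", "OracleContextAdministrators",
               {"manage_context", "install_component", "manage_users", "manage_groups"})
    m.assign("ctx_admin", "OracleContextAdministrators")
    m.delegate("ctx_admin", "OracleASAdministrators",
               {"install_component", "manage_users", "manage_groups"})
    m.assign("ias_admin", "OracleASAdministrators")
    m.delegate("ias_admin", "HelpDeskAdministrators", {"manage_users"})
    m.assign("helpdesk", "HelpDeskAdministrators")
    m.delegate("realm_admin", "EndUsers", {"self_service"})  # self-service granted directly
    m.assign("end_user", "EndUsers")
    return m
def escalation_blocked(m):
    try:  # help desk admins were never delegated install_component
        m.delegate("helpdesk", "EndUsers", {"install_component"})
    except DelegationError:
        return True
    return False
```

Each hop in the chain can only narrow the privilege set, which is the separation-of-duties property the model is meant to enforce.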

5.3 Security Goals for Privilege Model

This release of Oracle Application Server provides fine-grained control over system administration and management privileges. Oracle Application Server supports a least privilege model that provides clear separation of duties.

The least privilege model allows developers to:

Separation of duties allows developers to:

5.4 Roles and Responsibilities

The privilege model supports the following user roles:

5.5 Delegation of Privileges for Component Runtime

Many Oracle components administer user entries in Oracle Internet Directory and need the corresponding privileges. For example:

In general, Oracle components can require these privileges: