Oracle® Identity Management Concepts and Deployment Planning Guide
10g Release 2 (10.1.2)
B14084-02
4 Oracle Identity Management Administration and Usage

This chapter describes how to administer and use the Oracle Identity Management infrastructure, including administering users with Oracle Delegated Administration Services, as well as considerations for administering the infrastructure itself.

Considerations for supporting Oracle and third-party application deployments with the Oracle Identity Management infrastructure are also described.

This chapter contains the following topics:

4.1 Administering Oracle Identity Management Infrastructure

After a successful deployment, a number of administrative tasks are involved in managing the Oracle Identity Management infrastructure: routine monitoring, managing its individual components, and managing the enterprise data it holds.

This section contains the following topics:

4.1.1 Routine Monitoring of the Oracle Identity Management Infrastructure

Table 4-1 describes the various tasks, tools, and references necessary to perform routine monitoring of the Oracle Identity Management infrastructure.

Table 4-1 Routine Monitoring Tasks

Task: Monitoring the status and performance of the Oracle Internet Directory server
Tools:
  • Application Server Control
  • LDAP command-line tools
Additional References: Oracle Internet Directory Administrator's Guide

Task: Monitoring the status of Oracle Directory Integration and Provisioning
Tools: Application Server Control
Additional References: Oracle Identity Management Integration Guide

Task: Monitoring the status of Oracle Delegated Administration Services
Tools: Application Server Control
Additional References: Oracle Identity Management Guide to Delegated Administration

Task: Monitoring the status of OracleAS Single Sign-On
Tools: Application Server Control
Additional References: Oracle Application Server Single Sign-On Administrator's Guide



4.1.2 Managing Individual Oracle Identity Management Components

Table 4-2 describes the various tasks, tools, and references necessary for managing individual components of Oracle Identity Management.

Table 4-2 Managing Oracle Identity Management Components

Task: Starting and stopping directory services
Tools:
  • Application Server Control
  • oidctl command-line tools
Additional References: Oracle Internet Directory Administrator's Guide

Task: Configuring directory services
Tools: Oracle Directory Manager
Additional References: Oracle Internet Directory Administrator's Guide

Task: Starting and stopping Oracle Directory Integration and Provisioning services
Tools:
  • Application Server Control
  • oidctl command-line tools
Additional References: Oracle Identity Management Integration Guide

Task: Configuring Oracle Directory Integration and Provisioning
Tools:
  • Oracle Directory Manager
  • Oracle Directory Integration Platform Assistant
Additional References: Oracle Identity Management Integration Guide

Task: Starting and stopping Oracle Delegated Administration Services
Tools:
  • Application Server Control
  • opmnctl command-line tool

Task: Configuring Oracle Delegated Administration Services
Tools: Oracle Delegated Administration Services Configuration tab
Additional References: Oracle Identity Management Guide to Delegated Administration

Task: Starting and stopping OracleAS Single Sign-On
Tools:
  • Application Server Control
  • opmnctl command-line tool

Task: Registering a partner application with OracleAS Single Sign-On
Tools: ossoreg.jar registration tool
Additional References: Oracle Application Server Single Sign-On Administrator's Guide
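
As an added example that is not part of the Oracle documentation or product: a shell check a practitioner can schedule to perform the routine status monitoring of Table 4-1 from the command line, using the process table printed by opmnctl, the command-line tool listed in Table 4-2 for the OPMN-managed components. The sample status output is constructed in the layout that opmnctl status prints in 10g; the instance name, process ids, the Down row and the choice of required process types are assumptions made for this example.

```shell
#!/bin/sh
# Added example; not part of the Oracle documentation or product.
# Routine monitoring check: parse the process table printed by
# "$ORACLE_HOME/opmn/bin/opmnctl status" and alert on any identity
# management process that is not reported as Alive.

# Constructed sample in the layout opmnctl status prints in 10g. The instance
# name, pids and the Down row are made up to exercise the failure path.
SAMPLE_OPMN_STATUS='Processes in Instance: infra.example.com
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
OID                | OID                |    4211 | Alive
OC4J               | OC4J_SECURITY      |     N/A | Down
HTTP_Server        | HTTP_Server        |    4198 | Alive
dcm-daemon         | dcm-daemon         |    4170 | Alive'

# Process types that must be Alive on an identity management tier
# (assumption for this example): OID is the directory server, OC4J_SECURITY
# hosts OracleAS Single Sign-On and Delegated Administration Services, and
# HTTP_Server fronts both of them.
REQUIRED_PROCESSES="OID OC4J_SECURITY HTTP_Server"

# opmn_process_status <status-output> <process-type>
# Prints the status column for the given process-type ("Alive", "Down", ...),
# or "Missing" if the process type is absent from the table entirely. A missing
# row is treated as a failure too, so a mis-typed process-type cannot pass.
opmn_process_status() {
    printf '%s\n' "$1" | awk -F'|' -v p="$2" '
        NR > 4 {                                   # skip banner and header rows
            gsub(/^ +| +$/, "", $2)                # trim process-type column
            gsub(/^ +| +$/, "", $4)                # trim status column
            if ($2 == p) { print $4; found = 1; exit }
        }
        END { if (!found) print "Missing" }'
}

# check_idm_processes <status-output>
# Returns 0 when every required process is Alive; otherwise prints one ALERT
# line per failing process and returns 1.
check_idm_processes() {
    _status_out=$1
    _rc=0
    for _p in $REQUIRED_PROCESSES; do
        _s=$(opmn_process_status "$_status_out" "$_p")
        if [ "$_s" != "Alive" ]; then
            printf 'ALERT: %s is %s\n' "$_p" "$_s"
            _rc=1
        fi
    done
    return $_rc
}

# Stand-alone run against the constructed sample. In production, feed it the
# live table instead:  check_idm_processes "$("$ORACLE_HOME/opmn/bin/opmnctl" status)"
if check_idm_processes "$SAMPLE_OPMN_STATUS"; then
    echo "all identity management processes alive"
else
    echo "identity management tier is degraded; see ALERT lines above"
fi
```

The check deliberately treats a process type that is absent from the table as a failure rather than ignoring it: a component that OPMN no longer knows about is as much an outage as one reported Down, and it also catches a typo in the required list. Pair it with an LDAP-level probe of the directory (an anonymous base search against the OID port with the ldapsearch tool from Table 4-1), since a process can be Alive while the directory is not answering.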



4.1.3 Managing Enterprise Data in the Oracle Identity Management Infrastructure

Beyond monitoring and managing the individual components, an enterprise must manage its own data (users, groups, applications, and policies) within the Oracle Identity Management infrastructure. Table 4-3 describes the tasks, tools, and references available for this.

Table 4-3 Managing Enterprise Data

Task: User management (adding, deleting, and modifying users)
Tools:
  • Oracle Delegated Administration Services
  • LDAP command-line tools
  • Oracle Directory Manager
Additional References: Oracle Internet Directory Administrator's Guide

Task: Group management (adding, deleting, and modifying groups)
Tools:
  • Oracle Delegated Administration Services
  • LDAP command-line tools
  • Oracle Directory Manager
Additional References: Oracle Internet Directory Administrator's Guide

Task: Application deployment security management
Tools:
  • Oracle Delegated Administration Services
  • LDAP command-line tools
  • Oracle Directory Manager

Task: Delegation of privileges
Tools:
  • Oracle Delegated Administration Services
  • LDAP command-line tools
  • Oracle Directory Manager
Additional References: Oracle Internet Directory Administrator's Guide

Task: OracleAS Single Sign-On partner and external applications administration
Tools: OracleAS Single Sign-On Administration Application
Additional References: Oracle Application Server Single Sign-On Administrator's Guide



4.2 Delegating Oracle Identity Management Administration

The delegation model supported by Oracle Identity Management can be customized to match the security requirements of the enterprise. A deployment uses the Oracle Identity Management infrastructure to manage enterprise identities, enterprise groups and roles, and the applications that rely on those identities and groups.

This section contains the following topics:

4.2.1 Delegating User Management

As shown in Figure 4-1, the final targets for delegation of user management privileges are either Oracle components that use the identity management infrastructure or end users. A privilege can be delegated to either an identity, such as a user or an application, or to a role or group.

In a typical deployment, the Oracle Internet Directory super user creates an identity management realm and designates a special user in that realm as the identity management realm administrator. The super user delegates all privileges within the realm to the new realm administrator who, in turn, delegates the privileges required by Oracle components to the Oracle-defined roles, such as Oracle Application Server administrators. The Oracle components are granted these roles when they are deployed. Because the realm administrator holds every privilege within the realm, that account should be protected and audited as carefully as the super user account itself.

In addition to delegating the necessary privileges to Oracle defined roles, the realm administrator can also define deployment-specific roles, such as help desk administrator, and delegate specific privileges to them. The respective administrators, in turn, grant these roles to the users.

Because most of the user management tasks are self-service oriented, such as changing phone numbers, language preferences, and application specific preferences stored in Oracle Internet Directory, these privileges can be delegated to the users by both the realm administrator and the Oracle application components.

4.2.2 Delegating Group Management

As with delegating user management, the final targets for delegation of group management privileges are either Oracle components that use the identity management infrastructure, or users, as shown in Figure 4-1.

The Oracle Internet Directory super user delegates all group-related privileges within the realm to the identity management realm administrator who, in turn, delegates certain group management privileges required by Oracle components to the Oracle defined roles. The Oracle components are granted these roles when they are deployed.

In addition to delegating the necessary privileges to Oracle defined roles, the realm administrator can also define deployment-specific roles, such as help desk administrator, and delegate specific privileges to them. The respective administrators, in turn, grant these roles to users.

Once a group is created, one or more owners of the group can be identified and all subsequent management of the group can be delegated to the owners, who are typically users. These owners can use the self-service console to manage the groups based on the privileges granted to them.

Figure 4-1 Delegating User and Group Management Privileges

Explained in text
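
As an added example that is not Oracle's own code or documentation: the LDIF a realm administrator could apply to create the deployment-specific help desk role described in Sections 4.2.1 and 4.2.2 and to delegate to it only the user attributes that role needs, following the chain super user, realm administrator, role, users. The orclaci attribute and its "access to ... by ..." syntax are Oracle Internet Directory's; the realm dc=example,dc=com, the role name HelpDeskAdmins, the member DNs and the choice of writable attributes are assumptions made for this example. The example covers only the directory access control side; what the Oracle Delegated Administration Services console exposes to the role is configured separately in that product.

```shell
#!/bin/sh
# Added example; not Oracle's own code or documentation.
# Generates the LDIF that (1) defines a deployment-specific help desk role in an
# identity management realm and (2) delegates to it, through Oracle Internet
# Directory ACIs, exactly the user attributes a help desk needs to change.
# The orclaci syntax is OID's; every DN and the attribute list below are
# assumptions made for this example.

REALM_DN="dc=example,dc=com"
ROLE_DN="cn=HelpDeskAdmins,cn=Groups,cn=OracleContext,${REALM_DN}"
USERS_DN="cn=Users,${REALM_DN}"
# The only attributes the role may write; every other attribute of a user
# entry stays read-only for it.
HELPDESK_WRITABLE="userpassword telephonenumber mobile"

# join_attrs "a b c" -> "a,b,c", the list form used inside attr=(...)
join_attrs() {
    printf '%s' "$1" | tr ' ' ','
}

# helpdesk_role_ldif <member-dn>...
# Emits two LDIF records:
#   1. the role group, created by the realm administrator with the delegated
#      users as members (the "grant the role to users" step of the text);
#   2. a modify of the realm's users container adding ACIs that let the role
#      browse user entries and write only HELPDESK_WRITABLE.
helpdesk_role_ldif() {
    printf 'dn: %s\n' "$ROLE_DN"
    printf 'changetype: add\n'
    printf 'objectclass: groupOfUniqueNames\n'
    printf 'objectclass: orclGroup\n'
    printf 'cn: HelpDeskAdmins\n'
    printf 'displayname: Help Desk Administrators\n'
    for _member in "$@"; do
        printf 'uniquemember: %s\n' "$_member"
    done
    printf '\n'
    printf 'dn: %s\n' "$USERS_DN"
    printf 'changetype: modify\n'
    printf 'add: orclaci\n'
    # entry-level rights: the role may see user entries but not add or delete them
    printf 'orclaci: access to entry by group="%s" (browse,noadd,nodelete)\n' "$ROLE_DN"
    # attribute-level rights: write is granted on the listed attributes only
    printf 'orclaci: access to attr=(%s) by group="%s" (read,search,write,compare)\n' \
        "$(join_attrs "$HELPDESK_WRITABLE")" "$ROLE_DN"
    printf '\n'
}

# aci_over_broad <ldif-text>
# Succeeds (exit 0) if the text contains an ACI that grants the help desk role
# write on attr=(*), i.e. on every attribute: the over-delegation this example
# is designed to avoid. "nowrite" is not counted as a grant.
aci_over_broad() {
    printf '%s\n' "$1" \
        | grep -E 'orclaci: access to attr=\(\*\).*group="cn=HelpDeskAdmins,[^"]*" \(([a-z]+,)*write' >/dev/null
}

# Stand-alone run: print the LDIF for two hypothetical help desk users, after
# confirming it contains no over-broad grant. Apply it with the OID tool:
#   ldapmodify -h <oidhost> -p <port> -D cn=orcladmin -w <password> -f helpdesk.ldif
LDIF=$(helpdesk_role_ldif "cn=jdoe,${USERS_DN}" "cn=asmith,${USERS_DN}")
if aci_over_broad "$LDIF"; then
    echo "refusing to emit LDIF: help desk role would get write on all attributes" >&2
else
    printf '%s\n' "$LDIF"
fi
```

The second ACI is where least privilege lives: the tempting shortcut of granting the role write on attr=(*) would let any help desk operator rewrite every attribute of every user in the realm, which is why aci_over_broad refuses that form before anything is applied. Entry-level rights stay at browse with noadd and nodelete, so creating and removing users remains with the realm administrator and the Oracle-defined roles.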

4.2.3 Delegating Component Deployment and Administration

The set of privileges required for Oracle component deployment and administration can be separated into two categories: deployment-time privileges and run-time privileges.

Deployment-time privileges refer to those privileges that are required to create the appropriate entries inside the directory, and for storing the meta-information in a common repository. By having a centralized repository, the component can be run from multiple nodes without any further administrative steps.

Run-time privileges refer to those privileges that are required to facilitate the run-time interactions of Oracle components within the identity management infrastructure. These include the privileges to view user attributes, add new users, and modify the group membership. For all Oracle components, the component-specific administration tool requires a certain set of privileges to access, or make appropriate entries into, Oracle Internet Directory.

Figure 4-2 illustrates the delegation of deployment-time and run-time privileges in the Oracle Identity Management infrastructure.

Figure 4-2 Delegating Deployment-time and Run-time Privileges

Explained in text

In Figure 4-2, note that the super user grants deployment privileges to groups rather than to individual users. During the deployment process, the users who will install specific Oracle components are made members of those groups and thereby receive the deployment-time privileges. As part of the installation process, the component installer then grants the specific run-time privileges to the component.


Note:

Even though most Oracle components ship with a preconfigured set of privileges, it is always possible to change the privileges to satisfy specific business requirements.

4.2.4 Oracle Internet Directory Delegated Administration Services

Oracle Delegated Administration Services allows the enterprise to assign administrative responsibilities according to the business requirements. It provides different levels of security policies for different components of the enterprise, such that specific administrators, or sets of administrators, can independently manage access to their resources, and yet not create different silos of security information.

The Oracle Internet Directory-based multi-tier delegation architecture supports millions of users across multiple realms, management domains, applications, business units, and geographies. Combined with the centralized repository, Oracle Identity Management enables decentralized administration and lowers the total cost of ownership.

One of the challenges faced by application designers is invoking user management and resource management with consistent security and usage semantics across applications. For example, if multiple applications need to manage groups, they should not each have to implement the steps required for group management or understand the directory access control list (ACL) semantics.

The user interfaces for Oracle Identity Management system privileges can be divided into various delegated administration service units (DAS service units), which can then be combined by the application console. For example, if the application console needs to be used to modify a user attribute, it would integrate the link for the appropriate DAS service unit in its console or portal page, without having to create the user interface.

The various DAS service units can also be used to build self-service applications, which end users can use to update attributes such as language preferences and home address. Thus, the DAS service unit-based integration approach provides consistent security semantics, a consistent usage model, and reuse of components.