Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2)
B14085-02

2.2 Access Control and Authorization and Oracle Directory Integration and Provisioning

Authorization is the process of ensuring that a user reads or updates only the information for which that user has privileges. When directory operations are attempted within a directory session, the directory server ensures that the user—identified by the authorization identifier associated with the session—has the requisite permissions to perform those operations. If the user does not have the necessary permissions, the directory server disallows the operation. Through this mechanism, called access control, the directory server protects directory data from unauthorized operations by directory users.

To restrict access to only the desired subset of Oracle Internet Directory data, for both the directory integration and provisioning server and a connector, place appropriate access policies in the directory.

This section discusses these policies in detail. It contains these topics:

  • Access Controls for the Oracle Directory Integration and Provisioning Server

  • Access Controls for Profiles

2.2.1 Access Controls for the Oracle Directory Integration and Provisioning Server

The directory integration and provisioning server binds to the directory both as itself and on behalf of the profile.

  • When it binds as itself, it can cache the information in various integration profiles. This enables the directory integration and provisioning server to schedule synchronization actions to be carried out by various connectors.

  • When the directory integration and provisioning server operates on behalf of a profile, it proxies as the profile—that is, it uses the profile credentials to bind to the directory and perform various operations. The directory integration and provisioning server can perform only those operations in the directory that are permitted to the profile.

To establish and manage access rights granted to directory integration and provisioning servers, Oracle Directory Integration and Provisioning creates a group entry, called odisgroup, during installation. The DN of odisgroup is cn=odisgroup,cn=odi,cn=oracle internet directory. When a directory integration and provisioning server is registered, it becomes a member of this group.

You control the access rights granted to directory integration and provisioning servers by placing access control policies in the odisgroup entry. The default policy grants directory integration and provisioning servers various rights for accessing the profiles. For example, the default policy enables the directory integration and provisioning server to compare user passwords between Oracle Internet Directory and a connected directory when it binds as a proxy on behalf of a profile. It also enables directory integration and provisioning servers to modify status information in the profile—such as the last successful execution time and the synchronization status.

2.2.2 Access Controls for Profiles

To control access to Oracle Internet Directory data by integration profiles, place appropriate access control policies in Oracle Internet Directory. This enables you to protect data synchronized or processed by one profile from interference by another profile. It also enables you to allow only the integration profile that owns synchronization of an attribute to modify that attribute.


See Also: The chapter on access control, specifically the section on security groups, in Oracle Internet Directory Administrator's Guide, for instructions on setting access control policies for group entries.

To control the access rights granted to the various profiles, Oracle Internet Directory installation creates a group entry called odipgroup. Rights are controlled by placing appropriate access policies in the odipgroup entry. Each profile is a member of this group; the membership is established when the profile is registered in the system. The default access policy, automatically installed with the product, grants profiles certain standard access rights for the integration profiles they own. One such right is the ability to modify status information in the integration profile, such as the attribute orclodipConDirLastAppliedChgTime. The default access policy also permits profiles to access Oracle Internet Directory change logs, to which access is otherwise restricted.

The odisgroup and odipgroup group entries and their default policies are created during server installation of Oracle Internet Directory. Installations that include only Oracle Directory Integration and Provisioning do not create these groups and policies.
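To make the two binding modes of 2.2.1 and the per-profile rights of 2.2.2 concrete, here is an added Python model (not Oracle code) that evaluates a constructed default policy. Only the odisgroup DN and the orclodipConDirLastAppliedChgTime attribute come from this page; the odipgroup and change-log DNs, the server and profile DNs, and the rule set are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ODISGROUP = "cn=odisgroup,cn=odi,cn=oracle internet directory"  # DN given on the page
ODIPGROUP = "cn=odipgroup,cn=odi,cn=oracle internet directory"  # assumed by analogy
CHANGELOG = "cn=changelog"                                       # assumed change log container
STATUS_ATTRS = {"orclodipcondirlastappliedchgtime"}             # status attribute named on the page

# Constructed DNs: one registered server and two registered profiles.
SERVER = "cn=odisrv1,cn=odi,cn=oracle internet directory"
PROFILE_A = "cn=profilea,cn=profiles,cn=odi,cn=oracle internet directory"
PROFILE_B = "cn=profileb,cn=profiles,cn=odi,cn=oracle internet directory"
# Registration adds a server to odisgroup and a profile to odipgroup.
MEMBERS = {ODISGROUP: {SERVER}, ODIPGROUP: {PROFILE_A, PROFILE_B}}

@dataclass(frozen=True)
class Session:
    bind_dn: str                       # identity whose credentials opened the session
    proxy_dn: Optional[str] = None     # profile the server proxies as, if any

    @property
    def authz_id(self) -> str:
        # Proxying swaps the session's authorization identifier for the profile's DN,
        # so only the profile's rights apply, not the server's own.
        return self.proxy_dn or self.bind_dn

def groups_of(dn: str) -> set:
    return {group for group, members in MEMBERS.items() if dn in members}

def authorized(session: Session, op: str, target: str, attr: Optional[str] = None) -> bool:
    """Evaluate the constructed default policy; op is 'read', 'write' or 'compare'."""
    who, groups, attr = session.authz_id, groups_of(session.authz_id), (attr or "").lower()
    is_profile = target in MEMBERS[ODIPGROUP]
    if ODISGROUP in groups:
        # odisgroup policy: read every profile (to cache it), compare user
        # passwords, and update status information in any profile.
        if is_profile and (op == "read" or (op == "write" and attr in STATUS_ATTRS)):
            return True
        if op == "compare" and attr == "userpassword":
            return True
    if ODIPGROUP in groups:
        # odipgroup policy: a profile may read its own entry and update its own
        # status attributes, and may read the otherwise restricted change log.
        if target == who and (op == "read" or (op == "write" and attr in STATUS_ATTRS)):
            return True
        if target.endswith(CHANGELOG) and op == "read":
            return True
    return False
```

The point to check is the proxy case: a server that proxies as profile A can update A's own status attribute but is refused the same write on profile B, because the authorization identifier for that session is A, not the server.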