Академический Документы
Профессиональный Документы
Культура Документы
INTRODUCTION
The introduction of web technology as a method to facilitate
communication within an organization, has frequently lead to an
explosive growth in the size of the user community being managed.
Furthermore, as identity management moves from a being an
application specific function to a centralized resource, the issue arises
of how to allow the central IT department to maintain ownership of
the information (and the infrastructure), without them being a
bottleneck in the User provisioning process.
More and more the issue of a growing and distributed user community
is solved by the use of a “Self-Service” methodology. That is, rather
than have a centralized DBA maintain the user community, move the
process of user provisioning to the individual organizations to which
the users belong. Thus, removing the burden (and subsequent
bottleneck) from the central IT department.
Granting local administrators global privilege to create and modify
users in the central repository however introduces some serious
security questions, such as:
• How would one limit the list of users an administrator may see
and subsequently edit?
• How would one prevent the creation of users/groups outside
of the local administrator’s sphere of influence? For example,
creating a DBA in another department.
This white paper looks at this issue, and describes how the various
components of the Oracle Application server may be configured to
support scoping of the delegated user administration to a specific area
of responsibility.
To illustrate the process, this paper will use the scenario of a state
Education department where an administration hierarchy naturally
exists. This can be summarized as follows;
1. The administrator of a given school may only view student
details from their own school (or even at a lower level, an
individual class). Likewise they may only define a new student
within scope of their school.
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 2
2. The administrator of a school district is responsible for several
schools and hence may view the details from any school, and is
also free to create/edit students in any school within their
district.
Note: In other countries a school district is commonly
referred to as a “School cluster”. For the purposes of
this white paper, the two may be seen as synonymous.
3. The State administrator oversees all the schools in the state and
hence works across several districts. He has the ability to view
and edit any student in the state, regardless of the school and
district to which they belong.
District
Administrator
Sc hool
Adminis trator
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 3
Management authorizations enabling those users & groups to access
certain privileged services in the directory. Furthermore, these
privileges define whether the user/group may use the delegated
administration services of the directory.
Effectively an Identity Management Realm defines a specific enterprise
community, it is isolated from other realms and the information within
it cannot (in general) be directly accessed from outside the realm. Each
Identity Management Realm is uniquely named to distinguish it from
other realms, and has a realm-specific administrator with complete
administrative control over that realm.
Note: All Oracle products, which store information in the
Oracle Internet Directory, require a pre-defined Identity
Management Realm to function. As such, the Oracle Universal
Installer automatically creates a realm during installation of
Oracle Internet Directory. This “default Identity Management
Realm” is where Oracle products expect to find users, groups,
and associated policies if the realm is not explicitly named.
orclODIPProfileName=subguid_appguid
cn=Users cn=groups cn=OracleContext
cn=orcladmin
cn=PUBLIC cn=portal.nn.nn.nn
cn=portal cn=products cn=Groups
cn=portal_admin
... cn=dba
cn=authenticated_users cn=common cn=OracleDAScreateGroup
cn=portlet_publisher cn=OracleDASEditGroup
cn=portlet_administrators cn=OracleDASDeleteGroup
cn=rw_basic_user orclcommonusersearchbase cn=OracleDASCreateUser
cn=rw_power_user orclcommongroupsearchbase cn=OracleDASDeleteUser
... orclcommonusercreatebase ...
orclcommongroupcreatebase
...
cn=portal
cn=IFS
cn=OCA
cn=DAS
cn=wireless
...
Figure II: Default Directory Information Tree (DIT) Structure installed as used by OracleAS Portal 10g
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 4
Note: The default Identity Management Realm name is
determined by the domain name of the server on which the
system is installed. For example, if the domain name of the server
was “oracle”, the default Identity Management Realm name
would be dc=oracle, dc=com. If the domain name cannot be
determined, the default name assigned by the directory is
dc=Default Company, dc=com
As may be seen in Figure II, the location within the DIT of portal
Users differs from that of Groups. The default user accounts
(cn=PUBLIC, cn=PORTAL, cn=PORTAL_ADMIN), and any
subsequently registered users are created in the Identify Management
Realm’s User base (cn=Users, dc=MyCompany, dc=com). These
accounts are effectively global to the realm, rather than tied to a
specific application. The rational being, it is likely that a user would be
access more than a single application within realm.
In comparison Portal groups are created within a specifically named
Portal container under the Realm’s Group base. If another Portal
instance were subsequently associated with this infrastructure, another
named portal container would be created under the Realm’s group base
(e.g. portal.041130.1102).
Note: In OracleAS Portal 10g, the name of the group container
is derived from
(Portal schema name) + (Date and time of association with
OracleAS Infrastructure)
i.e., cn=schema_name.yymmdd.hhmi
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 5
• The default location to create a new user in the DIT
(orclcommonusercreatebase)
• Where to look in the DIT for Group information.
(orclcommongroupsearchbase).
• The default location to create groups in the DIT
(orclcommongroupcreatebase)
These are only default locations and a product may query any point
within the Realm for user/group information. However, the use of the
Create and Search bases allow for quicker retrieval of information as
the List of Values (LOV) used by the Portal (actually part of the DAS
console) begins the LDAP query from the location specified.
Given the requirements of a Departmental Delegation model the way
in which the Portal uses these values will be modified (in part).
Within the directory tree privileged roles are defined as “public groups”
under the OracleContext node of the realm. Groups defined at this
location are utilized by Directory Access Control Items (ACI) as a
privilege definition rather than a aggregation. On the other hand
groups defined under the cn=portal.nn.nn.nn container are seen as
aggregations and may be used within a Portal Access Control List.
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 6
Using Multiple Identity Management Realms
The Oracle Internet Directory supports the creation of totally
independent user communities, through the ability to create Multiple
Identity Management Realms within the one directory. Each Realm is
a fully scoped area, which consists of a well-defined and independent
set of user identities, security polices and groups.
8
cn=Users cn=groups cn=OracleContext cn=Users cn=portal.nn.nn.nn cn=OracleContext
cn=orcladmin cn=orcladmin
cn=PUBLIC cn=portal.nn.nn.nn cn=products cn=PUBLIC ...
cn=portal cn=portal
cn=portal_admin cn=portal_admin
... cn=dba cn=common ...
cn=authenticated_users
cn=portlet_publisher
cn=portlet_administrators orclcommonusersearchbase
cn=rw_basic_user orclcommongroupsearchbase
cn=rw_power_user orclcommonusercreatebase
... orclcommongroupcreatebase
...
cn=portal
cn=IFS
cn=OCA
cn=DAS
cn=wireless
...
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 7
Note: The Hosted Model for Portal does use multiple Identity
Management Realms to define multiple hosted communities. In
this case the Portal component is automatically copied to each
realm. That is, each is still independent.
DSE Root
Realm
(dc=au,dc=DeptOfEducation,dc=gov)
Figure IV: Example Segmented User Subtree With Areas of Administration Privilege Highlighted.
A user at the Branch level therefore has the subtree below the branch
as their defined scope of responsibility.
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 8
As can be seen from Figure IV the user cn=StateAdmin is defined in
the cn=State1 container. That is, at the same level as the School
Districts themselves, and as such they subsequently have those School
Districts within their administration domain. The School district
Admin is limited to the schools within their district, and so on.
Once the administrative hierarchy is defined, the use of Privileged role
membership and Access Control Polices (ACP) allows for the
definition of differently secured groups of users. (See below for
descript/and use of Access Control Items (ACI) to define appropriate
access polices.)
Note: It is required that the segmented tree structure should be in place
before the definition of the ACIs. If the OID server is not able to
resolve a Distinguished Name referenced when the ACI is applied it
will fail and an error returned.
The fastest method to create a complex administrative hierarchy (as
shown in Figure IV) is through the use of an LDIF file and the LDAP
add or bulk load utilities.
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 9
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
mail: adminuserc@test.com
cn: StateAdmin
givenname: Admin
uid: StateAdmin
description: The user Administrator for the entire State for the Dept. of Education
… and so on down the sub tree.
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 10
• Administration Group of the Parent is a “Unique Member” of
those departments within it administration scope. (e.g.
cn=SD100 Admin)
• Each specified administrative role should be made a
UniqueMember of the OracleDAS group relating to the desired
Action on the directory.
In order to allow for the definition of a Global Administrator able to
access/manage users across each state subtree it is necessary to have a
Global Privilege group defined.
The Global Administration Group (cn=GlobalStudentAdmin) is
• A “Unique Member” of each Departmental Subtree Root
administration group (e.g. cn=SD100-Admin, cn=SD200-
Admin, cn300-Admin).
• Contains all users who are defined in the default user container
(cn=Users) who have admin responsibility over the subtree
structure of the segmented User container (e.g.StateAdmin).
• The Global Administration group is made a UniqueMember of
the appropriate OracleDAS privilege groups
Figure V presents an example privilege group structure to implement
the Department of Education example used in this white paper.
DSE Root
Realm
(eg. dc=au, dc=DeptOfEducation, dc=gov)
cn=products cn=Groups
cn=common
cn=OracleDAScreateGroup cn=GlobalStudentAdmin
cn=OracleDASEditGroup
orclcommonusersearchbase cn=OracleDASDeleteGroup
orclcommongroupsearchbase cn=OracleDASCreateUser
orclcommonusercreatebase cn=OracleDASDeleteUser cn=State1Admin cn=State(nn)Admin
orclcommongroupcreatebase ...
...
cn=portal
cn=SD100-Admin cn=SD200-Admin cn=SD300-Admin
cn=IFS
cn=OCA
cn=DAS
cn=wireless SD100-1-Admin SD100-2-Admin SD100-3-Admin SD200-1-Admin SD200-2-Admin ...
...
Figure V: Privilege Role Structure for Department Level User Provisioning
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 11
Note: While the departmental administration roles, will be used
to define the scope of user provisioning, it is important that the
users are still members of the Oracle DAS privilege groups
themselves. This is due to the fact that membership in these
groups determines the users ability to access the appropriate
administration functions within the Portal itself. That is, only a
user who is a member of the OracleDASCreateUser,
OracleDASEditUser, or OracleDASDeleteUser privilege groups
will have the User portlet displayed on the OracleAS Portal’s
administration page. Likewise, the hyperlink used to create a new
user is rendered only if the user is a member of the
OracleDASCreateUser group (with “Edit” privilege they would
still see the portlet itself).
Access to the various nodes within the Directory tree is defined by the
implementation of Access control Policies within the Tree itself.
These Policies map the available privileges, such as Browse Delete,
Write to named entities within the directory. These may be Groups,
Users or even Wild cards based on a specific attribute such as DN.
Directory policies are defined by the setting of the orclACI attribute.
This represents the access policies that are to be inherited by the
subtree of beneath the node in which the Policy was defined. When
there is a security hierarchy, as in the School District example, with
multiple ACPs existing at different levels a subordinate container (such
as an individual school or student) will inherit the access policies from
all of the superior ACPs. Unless explicitly over ridden at a lower level.
Put simply, Access policies will be inherited down the branch, but they
are evaluated from the leaf back. That is, if access is denied at the root
node, it can be reversed at a specific point without having to define the
policy at each level in the hierarchy
The Departmental Delegated Administration model uses the ACI in
this manner to prevent school administrators from accessing containers
(e.g. students from other schools) out side of their scope, while still
having full access to their own areas.
The access control directive may be defined against an entire Container
or specified against individual attributes within it.
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 12
by * | dn="expression" | group="<dn>" | self |
(identity of the entity or an attribute of it)
dnAttr=(dn_attrib) | guidattr=(guid_attrib) |
groupattr=(group_atttrib)
(Access list)
The values of (Access list) will depend on whether the ACI applies to
access to the container or the attributes within it. (e.g. none | compare
| search | browse | proxy | read ).
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 13
orclaci: access to entry filter=(objectclass=orcluser*)
by group="cn=oracledascreateuser, cn=groups, cn=oraclecontext,
dc=au, dc=DeptOfEducation, dc=gov " (privilege list)
by group="cn=oracledasedituser, cn=groups, cn=oraclecontext,
dc=au, dc=DeptOfEducation, dc=gov " (privilege list)
3. Remove ACI attribute filters from cn=Users which grant " (read,
search, write, selfwrite, compare) privilege to the OracleDAS
privilege groups
e.g.
dn: cn=Users, dc=au,dc=DeptOfEducation,dc=gov
orclaci: access to entry filter=(objectclass=inetorgperson)
by group="cn=GlobalAdmin, cn=StudentAdminPrivs, cn=groups,
cn=OracleContext, dc=au,dc=DeptOfEducation,dc=gov"
(browse, add , delete, proxy)
e.g.
dn: cn=Users, dc=au,dc=DeptOfEducation,dc=gov
orclaci: access to attr=(*) filter=(objectclass=inetorgperson)
by group=" cn=GlobalAdmin, cn=StudentAdminPrivs, cn=groups,
cn=OracleContext, dc=au,dc=DeptOfEducation,dc=gov "
(read,search,write,compare)
e.g.
dn: cn=SD100School1, cn=SchoolDistrict100, cn=State1, cn=Users,
dc=au, dc=DeptOfEducation, dc=gov
orclaci: access to entry filter=(objectclass=inetorgperson)
by group="cn=SD100-1-Admin, cn=SD100-Admin,
cn=StudentAdminPrivs, cn=groups, cn=OracleContext,
dc=au,dc=DeptOfEducation,dc=gov"
(browse, add , delete, proxy)
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 14
7. Add an ACI Attribute filter on the individual school container to
grant attribute Read, Write, Search, Compare privileges to the
appropriate administration group defined.
e.g.
dn: cn=SD100School1, cn=SchoolDistrict100, cn=State1, cn=Users,
dc=au, dc=DeptOfEducation, dc=gov
orclaci: access to attr=(*) filter=(objectclass=inetorgperson)
by group cn=SD100-1-Admin, cn=SD100-Admin,
cn=StudentAdminPrivs, cn=groups, cn=OracleContext,
dc=au,dc=DeptOfEducation,dc=gov " (read,search,write,compare)
8. Repeat Steps 6 & 7 for each individual school container.
9. Repeat Steps 6 & 7 for the each School District container
(using the District level administration Group) until reaching
the level of the Global Admin.
Note: The Oracle Internet Directory 10g supports the definition
of multiple orclaci attributes in a single container (one after
another). However, this can lead to unpredictable results where
the Access Policies defined result in a contradiction.
As such it is recommended to update the current orclaci
attributes on the cn=Users container rather than simply add new
ACI attributes to the container.
USER PROVISIONING
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 15
to which the current user does not have Browse privilege. Resulting in
a “result set” that maps to the District/Schools to which they have
responsibility. Thus, from the application’s perspective the
segmentation of the tree is transparent.
Access to the appropriate list of students is greatly simplified within the
Portal by use of the User provisioning Portlet. When the Portlet’s
LOV icon is clicked, the DAS LOV component uses the
OrclCommonUserSearchBase defined for the realm, as the starting
point for its LDAP search. Hence, without having to modify the LOV
or the portlet, the list of students returned will be scoped to the area of
responsibility of the current administrator.
Figure VI: Segmentation of the User Community is transparent to the LDAP Query
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 16
Note: Oracle Internet Directory supported the definition of
multiple values for the OrclCommonUserCreateBase attribute.
If multiple values are defined, the DAS console presents the user
with a pop-list of full DNs as possible locations in which to
create the user.
Likewise the parent DN may be determined by setting multiple
values for the organizational unit (ou) attribute (as a list). The
administrator may then choose the organization unit under which
to place the new user. For a limited number of locations, and
with Directory aware end-users, these options may suffice, hence
removing the need for further customization.
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 17
• Search base: DN of Parent Container
• Search Filter: objectclass=orclcontainer
4. Once the appropriate location is chosen the application need
only define the DN of the new user in the appropriate LDAP
add command. Therefore preventing an attempt to create a user
in an invalid location.
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 18
Note: Use of a School or District based Prefix would greatly
reduce the likelihood of namespace collisions in the first place.
An Attribute may de defined as unique:
• Across the entire directory
• Across a given scope (subtree, container/s)
• Across a given object class
• Or a combination of the above.
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 19
Eg.
http://ptlsrv1.au.oracle.com:7777/oiddas/ui/oracle/ldap/
das/user/DASCreateUserInfoAdmin?clearcache=true&parentD
N=
“cn=SD100School1,cn=SchoolDistrict100,cn=State1,
cn=Users,dc=au,dc=DeptOfEducation,dc=gov”
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 20
Figure VII shows this modified functionality, where the current user’s
sphere of responsibility is exposed in the Portlet. By selecting the
appropriate location prior to clicking the Create New Users link, the
School district administrator can automatically provision the user at the
appropriate point in the tree. For individual school administrators the
UI appears as per the normal portlet and the Student is explicitly placed
in the appropriate school container.
Note: The location displayed in the User Interface may be based
on the Relative Distinguished Name, however for ease of
understanding (the common name (cn) may not be descriptive)
the containers Description Attribute may be used, as is the case
in Figure VII.
CONCLUSION
The explosive growth in the number of users having to be managed
within an organization’s Identity management Repository, has lead
many administrators to look at Self-Service as the solution to the
Provisioning bottle-neck. The primary concern has always been one of
security. How can the central portal administrator allow individual
departments the ability to provision users (with all the rights that
entails) but at the same time limit the scope to only the departments in
question?
As discussed in this paper, modifications of the default Directory
Information Tree, as well as minor changes in the OracleAS Portal,
make it possible to implement a delegated administration Model in
which user provisioning is moved out to the organizations to which the
users belong, while allowing the information to remain a centralized
resource.
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g Page 21
The Implementation of a Departmental User Provisioning Model in OracleAS Portal 10g
November 2004
Author: Barry Hiern
Contributing Authors: Paul Encarnación, Sunil Marya, Peter Lubbers
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
www.oracle.com