Oracle Identity Manager 11gR2-PS2 Hands-On Workshop
TRANSCRIPT
2 Oracle Confidential – Do Not Distribute
Agenda - Security
• Overview – R2 Enhancements
• OIM Authorization using OES
• Security Model
• Admin Roles
• Policies and Obligations
• OOB Policies
• Customizing OOB Authorization Policies
• Organization Scoped Entity Publication
• Functional Security
Enhanced Security Architecture Overview
• Standard ADF security model for functional security, and OES best practices for data security.
• Consistent architecture
• Supports delegated administration of roles, organizations, entitlements, application instances, and LDAP groups.
• Lets the backend make various security decisions, for example who can request what, who can have what, and who needs to go through approval. This secures the catalog-based request module and the converged UI and backend of self service and delegated administration.
• Scoping mechanism for delegated administration and data security of various entities. All entities are scoped by the organization structure.
Architecture – R2 Security Model
Admin Role Memberships & Publication
Security Model - Admin Roles
• The new authorization model works on the basis of the admin role assignment to a user.
• Admin Roles are predefined
  • Admin roles cannot be created, updated, deleted or requested.
  • They reside in the OIM DB. No LDAP sync.
• Two types of Admin Roles – Global and Scoped
• Admin Roles: System-Wide/Global – assigned in the scope of the Top org only.
  • Catalog Administrator Role
    • Manages catalog metadata and request profiles
  • System Administrator Role
    • All permissions, no approval required
  • System Configurator Role
    • All permissions on system configuration, no approval required.
  • SPML Administrator Role
    • Manages SPML-related requests.
Security Model - Admin Roles
• Admin Roles: assigned in the scope of Organizations – any org, including Top
  • [Entity] Admin Role
    • Can manage the entire lifecycle of the entity and perform any operation on the entity.
  • [Entity] Authorizer Role
    • Can view the entity in the catalog or request profiles and request it; the request does not require approval.
  • [Entity] Viewer Role
    • Required to view the entity in the UI
Security Model - Admin Roles
• Admin role membership organization scoping is hierarchy-aware, and can be cascaded downwards to the child organizations.
• Admin role membership is always given in an organization scope, and can only be assigned by the System Administrator or by an Organization Administrator within the Organization.
• The System Configuration Administrator can't assign admin roles.
• Admin Roles do not have auto-group membership or role membership rules.
• Each admin role in Oracle Identity Manager has a one-to-one mapping to an application role in OES.
• The application roles have associated policies that govern what permissions are allowed for users who belong to the role. To change the functional and data constraints on these policies, open the respective policy in the Authorization Policy Management (APM) UI in OES and modify it.
Security Model - Admin Roles
• Inherent permissions: The organization of which a user is a member is referred to as the Home organization for that user. A user has implicit view permissions on the entities available to the Home and Dynamic organizations.
• Management hierarchy: If User A is the manager of User B and User C, then User A has implicit permissions on User B and User C, even if User B and User C are in different organizations. User A does not need explicit privileges on the direct reports, irrespective of which organization the direct reports belong to.
• Implicit permissions are assigned based on Home Organization, Dynamic Organization and Admin Role membership.
  • For example, the User Administrator role has Org Viewer, Role Viewer, Entitlement Viewer and AppInstance Viewer implicit permissions.
• Basic-info permissions grant only the permission to view/search the given entity.
  • Example: The User Viewer admin role provides the basic-info permission on roles, organizations, application instances, and entitlements in that scoped organization.
Security Model - Admin Roles
[Diagram: in the Top org, global Admin Roles are available (global roles exist only in the context of the Top org); in a non-Top org, only scoped Admin Roles are available.]
Security Model - Admin Roles

Admin Role | Display Name | Description
OrclOIMSystemAdministrator ** | System Administrator | OIM System Administrator Role with all privileges
OrclOIMSystemConfigurator ** | System Configuration Administrator | Role with privileges to configure the OIM application
OrclOIMCatalogAdmin ** | Catalog System Administrator | Role can administer all the catalog items
OrclOIMRoleAdministrator | Role Administrator | Role can manage all assigned enterprise roles
OrclOIMRoleAuthorizer | Role Authorizer | Role can authorize assigned enterprise roles
OrclOIMRoleViewer | Role Viewer | Role can view assigned enterprise roles
OrclOIMEntitlementAdministrator | Entitlement Administrator | Entitlement administrator
OrclOIMEntitlementAuthorizer | Entitlement Authorizer | Entitlement authorizer
OrclOIMEntitlementViewer | Entitlement Viewer | Role can view assigned entitlements
OrclOIMApplicationInstanceAdministratorRole | Application Instance Administrator | Role can manage assigned application instances
OrclOIMApplicationInstanceAuthorizerRole | Application Instance Authorizer | Role with authorizations on assigned application instances
OrclOIMApplicationInstanceViewerRole | Application Instance Viewer | Role can view assigned application instances
OrclOIMOrgAdministrator | Organization Administrator | Role can manage assigned organizations
OrclOIMOrgViewer | Organization Viewer | Role can view assigned organizations
OrclOIMUserAdmin | User Administrator | Role can manage an assigned set of users
OrclOIMUserHelpDesk | HelpDesk | HelpDesk to manage users
OrclOIMUserViewer | User Viewer | Role can view assigned user records
OrclOIMSPMLAdmin ** | SPML Admin | SPML Admin to manage SPML
OrclOIMCertificationAdministrator ** | Certification Administrator | Role can manage the certification process
** denotes the Global Admin roles
Security Model - Admin Roles: Admin Roles for User Entity
(Columns: Role | Function Security | Scoping Rules)

User Admin
  Function security:
  • Create User
  • Delete User
  • Get user in search results
  • View User (requires attribute-level security)
  • Modify User attributes (includes updating the organization attribute of a user in Standard Edition); requires attribute-level security
  • Enable User
  • Disable User
  • Unlock User
  • Change User Password
  • Change Password in Application Instance
  • Grant/Revoke Roles
  • Provision/Deprovision/Modify/Enable/Disable Application Instances
  • Grant/Revoke Entitlements
  Scoping rules:
  1) I can perform the functions (given in Function Security) on users that are in the orgs that I am allowed to manage.
  2) I can only perform the functions on user attributes for which I have access.

Helpdesk Admin
  Function security:
  • Get user in search results
  • View User (requires attribute-level security)
  • Enable User
  • Disable User
  • Unlock User
  • Change User Password
  • Change Password in Application Instance

User Viewer
  Function security:
  • Create User through Request
  • Delete User through Request
  • Get user in search results
  • View User (requires attribute-level security)
  • Modify User attributes (includes updating the organization attribute of a user) through Request; requires attribute-level security
  • Enable User through Request
  • Disable User through Request
  • Grant/Revoke Roles through Request
  • Provision/Deprovision/Modify/Enable/Disable Application Instances through Request
  • Grant/Revoke Entitlements through Request

Any and All Users (any OIM user; "All Users" is not a role)
  Function security:
  • Self modify user profile
  • Self change passwords / challenge questions
  • Raise request for self
  Scoping rules: For self only
Security Model - Admin Roles: Admin Roles for Role Entity
(Columns: Role | Function Security | Scoping Rules)

Role Admin
  Function security:
  • Create Role
  • View Role
  • Update Role attributes
  • Delete Role
  • View Role Members
  • Create Role Category
  • Update Role Category
  • Delete Role Category
  • Manage Role Hierarchy
  • Publish role to a set of organizations (in this context, data security applies)
  Scoping rules:
  1) I can publish the role to the orgs that I am allowed to manage
  2) I can manage the Roles that are published to my org
  3) I can manage the Roles that are published to org(s) that I can manage

Role Viewer
  Function security:
  • View Role in search results
  • View role attributes
  • Request Role grant/revoke for users
  Scoping rules: I can perform functions on Roles that have been published to orgs that I am allowed to manage

Role Authorizer
  Function security:
  • View Role in search results
  • View role attributes
  • View Role Members
  • Request Role grant/revoke for users (no approval needed)
  Scoping rules: I can perform functions on Roles that have been published to orgs that I am allowed to manage
Security Model - Admin Roles: Admin Roles for Organization Entity
(Columns: Role | Function Security | Scoping Rules)

Organization Admin
  Function security:
  • Create Organization
  • View and Manage (Update) Organization attributes
  • Delete Organization
  • All Role Admin privileges for Admin Roles
  • Update Organization Hierarchy (for a specific organization)
  • Update organization attributes (of a specific organization)
  Scoping rules: I can perform functions on organizations that I am allowed to manage

Organization Viewer
  Function security:
  • Get organization in search results
  • View organization and organization attributes
  Scoping rules: I can perform functions on organizations that I am allowed to manage
Security Model - Admin Roles: Admin Roles for Entitlement Entity
(Columns: Role | Function Security | Scoping Rules)

Entitlement Admin
  Function security:
  • Publish Entitlements to a set of organizations (in this context, data security applies)
  • View Entitlement Members
  Scoping rules:
  1) I can publish the Entitlements to the orgs that I am allowed to manage
  2) I can manage the entitlements that are published to org(s) that I can manage

Entitlement Authorizer
  Function security:
  • View Entitlement in search results
  • View Entitlement attributes
  • View Entitlement Members
  • Request Entitlement grant/revoke for users (no approval needed)
  Scoping rules: I can perform functions on entitlements that have been published to org(s) that I am allowed to manage

Entitlement Viewer
  Function security:
  • View Entitlement in search results
  • View Entitlement attributes
  • Request Entitlement grant/revoke for users
  Scoping rules: I can perform functions on entitlements that have been published to org(s) that I am allowed to manage
Security Model - Admin Roles: Admin Roles for Application Instance
(Columns: Role | Function Security | Scoping Rules)

Application Instance Authorizer
  Function security:
  • View Application Instance in search results
  • View Application Instance attributes (excluding passwords)
  • Request to provision an account in an Application Instance
  • Request to de-provision an account in an Application Instance
  • Request to modify an account in an Application Instance
  • Request to enable an account in an Application Instance
  • Request to disable an account in an Application Instance
  • View accounts
  • No approval needed
  Scoping rules: I can perform functions on Application Instances that have been published to orgs that I am allowed to manage

Application Instance Viewer
  Function security:
  • View Application Instance in search results
  • View Application Instance attributes (excluding passwords)
  • Request to provision an account in an Application Instance
  • Request to de-provision an account in an Application Instance
  • Request to modify an account in an Application Instance
  • Request to enable an account in an Application Instance
  • Request to disable an account in an Application Instance
  Scoping rules: I can perform functions on Application Instances that have been published to orgs that I am allowed to manage

Application Instance Admin
  Function security:
  • Create Application Instance
  • Create Resource Object
  • Modify Application Instance
  • Modify Resource Object
  • Delete Application Instance
  • Delete Resource Object
  • View accounts
  • Publish Application Instance to a set of organizations (in this context, data security applies)
  Scoping rules:
  1) I can publish the Application Instance to the orgs that I am allowed to manage
  2) I can manage the Application Instances that are published to org(s) that I can manage
Security Model - Admin Roles: Admin Roles for Certification and Catalog entities
(Columns: Role | Function Security | Scoping Rules)

Certification Administrator *
  Function security:
  • View Certification Configuration
  • Update Certification Configuration
  • Update Certification
  • View/manage scheduled Jobs
  • Create/View/Modify/Delete/Run Jobs
  • View Certification
  • View User Admin Role
  • View User Entitlements
  • View Requests
  • View User Accounts
  • View User Roles
  • Start/Stop Scheduler
  • Create/modify/delete Trigger
  • Add/modify/delete Task

Certification Viewer *
  Function security:
  • View Certification
  Scoping rules: The only permission explicitly granted to the Certification Viewer admin role is View Certification. Permissions to view other entities are dynamically granted and scoped to those entities referenced in a certification.

Catalog Admin
  Function security:
  • Edit Catalog metadata
  • Create Request Profiles
  • Modify Request Profiles
  • Delete Request Profiles

* Introduced in 11gR2PS1
Admin Role Memberships
• Admin role membership defines the relationship between a user and an admin role in the context of an org.
• Admin role memberships are hierarchy aware: a user holding an admin role at a parent org can also act with the same admin role in the child orgs if the hierarchy flag is set to true.
• Can be viewed from the context of an org OR from the context of a user.
Admin Role Membership Entity Lifecycle
[State diagram: states Non-Existent, Active, Deleted; transitions Create (Non-Existent to Active), Modify (Active stays Active), Delete (Active to Deleted).]
Creating Admin Role Memberships
[Screenshots: click Assign, then 1. Search User; 2. Select & click "Add Selected"; 3. Click Add. Result: Role Admin assigned to user FOO.]
View Admin Role Memberships
[Screenshots: memberships viewed from the Org context and from the User context.]
Entity Publication
• Publication is the way of making an entity available to an org.
• Role, App Instance, and Entitlement can be published by their respective administrators from the entity details screen.
• Publication is hierarchy aware, so an entity can be made visible to child orgs too, even though it is actually published to the parent org.
• Auto Publish: When an entity administrator creates an entity, that entity is automatically made available to all the organizations for which the administrator has the entity admin role. For example, when a user with the Role Administrator privilege creates an enterprise role, the newly created role is automatically made available to all the organizations on which the user is the Role Administrator.
• Publishes dependent data too: The publishing service also supports publishing of dependent data (like entitlements for an app instance) when the parent entity is published.
Entity Publication – Organization scoping
• Organization in OIM is used ONLY for security purposes. It is NOT an enterprise organization, nor an LDAP organizational unit or organization.
• Data security using organization scoping follows this principle:
  • Data is secured by confining its availability to a set of organizations (Publishing).
  • A user is assigned permissions over an organization by assigning an admin role in that organization scope (Delegation / Delegated admins).
  • If the organization where the user has a set of permissions and the organization where the entity is published match, then the user is allowed to perform operations as per the user's admin roles.
  • Both publishing and admin role memberships are organization hierarchy aware.
[Diagram: the user's admin-role memberships in organizations are matched against the entities available in (published to) those organizations.]
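The scoping rule described on this slide (the orgs in which the user holds the required admin role matched against the orgs the entity is published to, with both sides honouring the include-hierarchy flag), worked through as an added Java example that is not part of the workshop or of OIM; the org tree, the users and the Payroll-Approver role are constructed.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Toy model (constructed example, not OIM code) of OIM's org-scoped data security: an operation
 * is allowed when the orgs in which the user holds the required admin role overlap the orgs to
 * which the entity is published. Both sides honour the include-hierarchy flag, which cascades a
 * membership or publication down to child organizations.
 */
public class OrgScopeCheck {

    /** Constructed org hierarchy: child org -> parent org (Top has no parent). */
    static final Map<String, String> PARENT = new HashMap<String, String>();
    static {
        PARENT.put("Top", null);
        PARENT.put("Sales", "Top");
        PARENT.put("Sales-EMEA", "Sales");
        PARENT.put("Finance", "Top");
    }

    /** An admin role membership (holder = user, name = admin role) or a publication (holder = entity). */
    static final class Scope {
        final String holder, name, org;
        final boolean includeHierarchy;
        Scope(String holder, String name, String org, boolean includeHierarchy) {
            this.holder = holder; this.name = name; this.org = org; this.includeHierarchy = includeHierarchy;
        }
    }

    /** True when org is the ancestor itself or lies below it in the hierarchy. */
    static boolean isSameOrBelow(String org, String ancestor) {
        for (String o = org; o != null; o = PARENT.get(o)) {
            if (o.equals(ancestor)) return true;
        }
        return false;
    }

    /** Orgs in which a scope is effective: its own org, plus all descendants when cascaded. */
    static Set<String> effectiveOrgs(Scope s) {
        Set<String> orgs = new HashSet<String>();
        for (String o : PARENT.keySet()) {
            if (o.equals(s.org) || (s.includeHierarchy && isSameOrBelow(o, s.org))) orgs.add(o);
        }
        return orgs;
    }

    /** The scoping rule: allowed iff the user's admin-role orgs and the entity's published orgs intersect. */
    static boolean isAllowed(List<Scope> memberships, List<Scope> publications,
                             String user, String requiredAdminRole, String entity) {
        Set<String> userOrgs = new HashSet<String>();
        for (Scope m : memberships) {
            if (m.holder.equals(user) && m.name.equals(requiredAdminRole)) userOrgs.addAll(effectiveOrgs(m));
        }
        Set<String> entityOrgs = new HashSet<String>();
        for (Scope p : publications) {
            if (p.holder.equals(entity)) entityOrgs.addAll(effectiveOrgs(p));
        }
        userOrgs.retainAll(entityOrgs);   // the "match" the slide describes
        return !userOrgs.isEmpty();
    }

    public static void main(String[] args) {
        List<Scope> memberships = new ArrayList<Scope>();
        memberships.add(new Scope("alice", "Role Administrator", "Sales", true));   // cascades to Sales-EMEA
        memberships.add(new Scope("bob", "Role Administrator", "Finance", true));   // Finance subtree only
        memberships.add(new Scope("dave", "Role Administrator", "Top", false));     // Top only, no cascade
        List<Scope> publications = new ArrayList<Scope>();
        publications.add(new Scope("Payroll-Approver", "role", "Sales-EMEA", false));
        for (String user : new String[] {"alice", "bob", "dave"}) {
            System.out.println(user + " may manage Payroll-Approver: "
                    + isAllowed(memberships, publications, user, "Role Administrator", "Payroll-Approver"));
        }
    }
}
```

Note the third case: a membership at Top without the hierarchy flag does not reach an entity published only to a descendant org, which is why the flag matters when delegating from the Top org.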
Publication Entity Lifecycle
[State diagram: states Non-Existent, Active, Deleted; transitions Create (Non-Existent to Active), Modify (Active stays Active), Delete (Active to Deleted).]
Please note: the life cycle of the publication entity is separate from the life cycle of the actual entity (role, etc.). However, when the entity is deleted, its publications are also deleted.
Add Entity Publications
[Screenshots: Create a Role. Since the role was created by the System Admin, it was auto-published to the Top org. To publish manually, click Assign, then 1. Search Org; 2. Select & click "Add Selected"; 3. Click OK. Result: role published to the org.]
View Entity Publications
[Screenshots: publications viewed from the Org context and from the Entity context.]
Authorization Policy Concepts
• Policy -> Principal + Target + Allowed Actions + Conditions + Obligations
• Principal -> Admin Role/User for which the policy is evaluated
• Target -> Entity (user, role, appinstance, entitlement, taskflow, etc.)
• Actions -> Allowed actions on the target (View, Create, Update, render, etc.)
• Conditions -> Logic on the basis of which the policy is evaluated
• Obligations -> Define/restrict the scope of the action
  • Requestable or Direct
  • Attribute allowed or Denied
Enhanced Security Architecture: Attribute Security
• Attribute-level security is implemented only for user attributes.
• All the authorization policies are configured to show all the attributes of a user by default.
• To restrict the list of attributes that can be viewed by the User Viewer role, or the list of attributes that can be viewed and edited by the User Admin role, it is proposed to include the attributes to be restricted in the deny attribute list of the respective policy in the OES APM UI.
• Use the authorization plug-in to pass additional contextual information for policy evaluation.
Authorization Policies for User management: Management Hierarchy
Authorization Policies for User management: Home Org (peer permissioning)
Authorization Policies for User management: Authenticated Self Service
Authorization Policies for User management
• Policies for the management hierarchy
• Policies for peer permissioning (Home Org)
• Policies for authenticated self-service
• Policies for admin roles (User Admin, User Viewer, SPML Admin & HelpDesk)
• Policies for basic-info related permissions and for the request context.
• Deny policy for the System Configuration role.
Authorization Policies for Role management
• Policies for peer permissioning (Home Org)
• Policies on the basis of the assignment
• Policies for admin roles (Role Admin, Role Viewer, SPML Admin, Catalog Admin & Role Authorizer)
• Policies for basic-info related permissions and for the request context.
• Deny policy for the System Configuration role, except for view & search.
Authorization Policies for Organization management
• Policies for peer permissioning (Home Org)
• Policies for admin roles (Org Admin, Org Viewer)
• Policies for basic-info related permissions.
• Deny policy for the System Configuration role, except for view & search.
Authorization Policies for Entitlement management
• Policies for peer permissioning (Home Org)
• Policies on the basis of the assignment
• Policies for admin roles (Entitlement Admin, Entitlement Viewer, Catalog Admin & Entitlement Authorizer)
• Policies for basic-info related permissions and for the request context.
• Deny policy for the System Configuration role, except for view & search.
Authorization Policies for Application Instance management
• Policies for peer permissioning (Home Org)
• Policies on the basis of the assignment
• Policies for admin roles (AppInstance Admin, AppInstance Viewer, Catalog Admin & AppInstance Authorizer)
• Policies for basic-info related permissions and for the request context.
• Deny policy for the System Configuration role, except for view & search.
Authorization Policies defined for System Configuration
• Various policies are defined for System Configuration; they have no data scoping for Scheduler, Notification and so on.
• Note: There are no authorization policies defined for the System Administrator role; all actions are allowed for a user having the System Admin role.
Authorization Policy Enforcement Points
• User Management
• Role Management
• Organization Management
• Application Instance
• Entitlement
• Entity Configuration
• Reconciliation Management
• Scheduler
• Approval Policy Management
• Notification Management
• System Properties
• Diagnostic Dashboard
• Plug-In Framework
• Authenticated User Self Service
Permissions not governed by OES Policies
• Create/Update/Delete Access Policies
• Add/Modify/Remove Lookup
• Import/Export using Deployment Manager
• Attestation Administration
Catalog Security
• Security Policies for Function & Data
  • Who can request what from the catalog?
  • Who can request for which beneficiaries?
  • Who is authorized to have what?
  • "Actor" checks in the UI and "Beneficiary" checks in the back-end
• Approval Workflows: separate from security policies
  • Which requests need manual approval and which are auto-approved?
  • Who all need to approve the request?
Authorization Plug-In - Use case
• The customer wants to implement two User Administration levels.
• The first one is the default User Administration admin role defined in OIM.
• The second one, applied when the user is a member of the ADMINISTRADOR_DELEGADO OIM role, does not allow the User Administrator:
  • to create and remove users
  • to view, add, delete and modify admin roles
  • to disable user accounts or change their passwords
  • to add and delete user roles
Authorization Plug-In - Solution
1. Create an OIM Role called "ADMINISTRADOR_DELEGADO".
2. Create an Attribute in APM to hold the validation response from the authorization plug-in.
3. Create an Attribute Resolver plug-in to check the logged-in user's OIM role membership.
4. Create an Authorization Policy in APM to deny some privileges from the OIM User Admin principal. The Authorization Policy's condition references the Attribute created in step 2 and compares it with a string constant.
Authorization Plug-In - Solution
Create an Attribute in APM
• Go to Applications -> OIM -> Extensions -> Attributes (double click)
• Press the "New" icon
• Fill in the data.
Authorization Plug-In - Solution
Create an Authorization Policy in APM
• Go to Applications -> OIM -> OIMDomain -> Authorization Policies (double click)
• Press the "New" icon
• Fill in the data.
Authorization Plug-In - Solution
Create an Attribute Resolver Plug-in
• Use the oracle.iam.platform.authopss.plugin.AttributeResolver plug-in point to pass attributes to OES for policy evaluation.
• To add a new attribute to be used in policy conditions, put the attribute into the Map returned by the following methods:

import java.util.HashMap;
import java.util.Map;
import oracle.iam.platform.authopss.api.PolicyConstants;
import oracle.iam.platform.authopss.plugin.AttributeResolver;

public class ResolveResourceUserTypeAttribute implements AttributeResolver {

    // Resolves the attributes of the target entity (resource) on which the logged-in user is working.
    public Map<String, Object> resolveResourceAttributes(String subjectId,
            PolicyConstants.Resources resourceType, String resourceId) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        // attrs.put("<attribute name>", value): the returned map is handed to OES for policy evaluation
        return attrs;
    }

    // Resolves the attributes related to the logged-in user (the subject).
    public Map<String, Object> resolveSubjectAttributes(String subjectId,
            PolicyConstants.Resources resourceType) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        // attrs.put("<attribute name>", value), e.g. the result of an OIM role membership check
        return attrs;
    }
}
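As an added example (not the workshop's or OIM's code), a complete resolver for the ADMINISTRADOR_DELEGADO use case: it exposes one subject attribute that the APM deny policy on the User Admin principal compares with the string constant "TRUE". The attribute name DelegatedAdminFlag, the use of subjectId as the user login and the RoleManager.getUserMemberships(login, true) lookup are assumptions.

```java
package dgp.oim.plugin.security;

import java.util.HashMap;
import java.util.List;
import java.util.Map;

import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.Platform;
import oracle.iam.platform.authopss.api.PolicyConstants;
import oracle.iam.platform.authopss.plugin.AttributeResolver;

/**
 * Attribute resolver for the ADMINISTRADOR_DELEGADO use case (added example, not the workshop's code).
 * It publishes one subject attribute, DelegatedAdminFlag (assumed name; it must match the attribute
 * created in APM), set to "TRUE" when the logged-in user is a member of the ADMINISTRADOR_DELEGADO
 * OIM role. The APM deny policy on the User Admin principal then tests DelegatedAdminFlag == "TRUE".
 */
public class ResolveResourceUserTypeAttribute implements AttributeResolver {

    static final String DELEGATED_ADMIN_ROLE = "ADMINISTRADOR_DELEGADO";
    static final String DELEGATED_FLAG_ATTR = "DelegatedAdminFlag";   // assumed APM attribute name

    // No resource (target entity) attributes are needed for this use case; return an empty map.
    public Map<String, Object> resolveResourceAttributes(String subjectId,
            PolicyConstants.Resources resourceType, String resourceId) {
        return new HashMap<String, Object>();
    }

    // Subject attributes: the flag whose value the deny policy's condition compares with "TRUE".
    public Map<String, Object> resolveSubjectAttributes(String subjectId,
            PolicyConstants.Resources resourceType) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        attrs.put(DELEGATED_FLAG_ATTR, isDelegatedAdmin(subjectId) ? "TRUE" : "FALSE");
        return attrs;
    }

    /**
     * Looks up the user's OIM role memberships through RoleManager (assumed: subjectId is the
     * user login and getUserMemberships(login, true) resolves the user by login).
     * If the lookup fails, the flag is reported as "TRUE": because the policy is a deny policy
     * that fires on "TRUE", an error then yields the more restrictive outcome instead of silently
     * granting the full User Admin privilege set.
     */
    static boolean isDelegatedAdmin(String userLogin) {
        try {
            RoleManager roleManager = Platform.getService(RoleManager.class);
            List<Role> roles = roleManager.getUserMemberships(userLogin, true);
            for (Role role : roles) {
                if (DELEGATED_ADMIN_ROLE.equalsIgnoreCase(role.getName())) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) {
            return true;
        }
    }
}
```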
Authorization Plug-In - Solution
Register the Plug-in
<?xml version="1.0" encoding="UTF-8"?>
<oimplugins>
  <plugins pluginpoint="oracle.iam.platform.authopss.plugin.AttributeResolver">
    <plugin pluginclass="dgp.oim.plugin.security.ResolveResourceUserTypeAttribute"
            version="1.2" name="CNPResolveResourceUserTypeAttribute">
    </plugin>
  </plugins>
</oimplugins>
Enhanced Security Architecture
• Function Security
  • Who can perform what actions?
  • Tool: OES/APM
  • Customizable: customers can change the OOB seeded security policies
• Data Security
  • Who can perform actions on what data?
  • Tool: OIM Admin Role Assignment
• Data Scoping
  • Data is secured by publishing it to a set of orgs
  • Admin Roles are assigned in the scope of an organization
  • Users with "admin roles" in an org can perform allowed functions on data published to that org
  • Both publishing and delegation are organization hierarchy aware
Enhanced Security Architecture: Functional Security
• The OIM Self Service console will have ADF security enabled, which means access to all task-flows and page definitions is governed by ADF Security policies defined in the JAZN file.
• All OOTB OIM task-flows must be protected by defining them as a resource and adding them to the JAZN file with appropriate permissions granted to application roles. There are two special roles, authenticated-user and anonymous-user.
• If the logged-in user does not have permission to perform an action as per his admin roles, then the action (menu, button, or link) is either disabled or not visible to the user in the UI. This is enforced with EL expressions in the ADF UI. For example, to check whether the user has permission to create a user, the EL expression is:
<af:commandNavigationItem rendered="#{oimuser.create.allowed}" />