Profile Authentication Authentication in Oracle Directory Integration Platform

Security Features in Oracle Directory Integration Platform 2-3

To restrict access to only the desired subset of Oracle Internet Directory data, for both the directory integration server and a connector, place appropriate access policies in the directory. This section discusses these policies in detail. It contains these topics:

■ Access Controls for the Oracle Directory Integration Platform
■ Access Controls for Profiles

2.2.1 Access Controls for the Oracle Directory Integration Platform

The Oracle Directory Integration Platform binds to the directory both as itself and on behalf of the profile, as follows:

■ When it binds as itself, it can cache the information in various integration profiles. This enables the directory integration server to schedule synchronization actions to be carried out by various connectors.

■ When the directory integration server operates on behalf of a profile, it acts as proxy for the profile—that is, it uses the profile credentials to bind to the directory and perform various operations. The directory integration server can perform only those operations in the directory that are permitted in the profile.

To establish and manage access rights granted to directory integration servers, Oracle Directory Integration Platform creates a group entry, called odisgroup, during installation. When a directory integration server is registered, it becomes a member of this group. The DN of odisgroup is:

cn=odisgroup,cn=directory admins,cn=directory integration platform,cn=products,cn=oraclecontext

You control the access rights granted to directory integration servers by placing access control policies in the odisgroup entry. The default policy grants various rights to directory integration servers for accessing the profiles. For example, the default policy enables the directory integration server to compare user passwords between Oracle Internet Directory and a connected directory when it binds as a proxy on behalf of a profile. It also enables directory integration servers to modify status information in the profile—such as the last successful execution time and the synchronization status.

2.2.2 Access Controls for Profiles

During installation, Oracle Directory Integration Platform creates a group entry called odipgroup that enables you to control the access rights granted to various profiles. For additional security, the odipigroup and odipegroup groups are also created during installation. All import profiles are assigned to the odipigroup group and all export profiles are assigned to the odipegroup group. Rights are controlled by placing appropriate access policies in the odipgroup entry.

The default access policy, automatically installed with the product, grants to profiles certain standard access rights for the integration profiles they own. One such right is the ability to modify status information in the integration profile, such as the parameter named orclodipConDirLastAppliedChgTime. The default access policy also permits profiles to access Oracle Internet Directory change logs, to which access is otherwise restricted.

See Also: The chapter on access control, specifically the section about security groups, in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory, for instructions about setting access control policies for group entries.
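As an added illustration (not Oracle's code or configuration) of the access model in 2.2.1 and 2.2.2: a toy policy evaluator in which odisgroup and odipgroup membership plus profile ownership decide what a bind identity may do, and in which a proxy bind is judged with the profile's identity rather than the server's. The odipgroup DN, the change log container and the sample server and profile names are assumptions; in a real deployment the decision is made by the access control policies held in Oracle Internet Directory.

```python
# Added illustration (not Oracle's code): a toy model of the access model the
# two sections describe. Group membership and profile ownership decide what a
# bind identity may do; OID's real access control evaluation is far richer.
from dataclasses import dataclass, field

DIP_BASE = "cn=directory integration platform,cn=products,cn=oraclecontext"
ODISGROUP = f"cn=odisgroup,cn=directory admins,{DIP_BASE}"  # DN given in the text
ODIPGROUP = f"cn=odipgroup,cn=directory admins,{DIP_BASE}"  # assumed: placed beside odisgroup
CHANGELOG = "cn=changelog"                                   # assumed change log container
STATUS_ATTRS = {"orclodipcondirlastappliedchgtime"}          # status attribute named in the text

# Constructed sample identities (placeholders, not real OID entry names).
SERVER = "cn=dipserver1,cn=constructed"
PROF_A = "orclodipagentname=import_a,cn=constructed profiles"
PROF_B = "orclodipagentname=import_b,cn=constructed profiles"


@dataclass
class Directory:
    members: dict[str, set[str]] = field(default_factory=dict)  # group DN -> member DNs
    owner: dict[str, str] = field(default_factory=dict)         # profile entry -> owning profile

    def in_group(self, who: str, group: str) -> bool:
        return who in self.members.get(group, set())

    def allowed(self, who: str, op: str, target: str, attr: str = "") -> bool:
        """Approximation of the default policy: deny unless some rule grants."""
        attr = attr.lower()
        if self.in_group(who, ODISGROUP):  # server binding as itself
            # Read profiles to cache them, compare userPassword, update status info.
            if (op == "read" and target in self.owner
                    or op == "compare" and attr == "userpassword"
                    or op == "write" and attr in STATUS_ATTRS and target in self.owner):
                return True
        if self.in_group(who, ODIPGROUP):  # a profile binding with its own credentials
            if (op == "write" and attr in STATUS_ATTRS and self.owner.get(target) == who
                    or op == "read" and target.endswith(CHANGELOG)):
                return True
        return False

    def proxy_allowed(self, server: str, profile: str, op: str, target: str, attr: str = "") -> bool:
        """Server acting for a profile: it must be registered (odisgroup), but the
        decision is made with the profile's identity, not the server's own rights."""
        return self.in_group(server, ODISGROUP) and self.allowed(profile, op, target, attr)


def build_sample() -> Directory:
    """Constructed directory: one registered server, two import profiles."""
    return Directory(members={ODISGROUP: {SERVER}, ODIPGROUP: {PROF_A, PROF_B}},
                     owner={PROF_A: PROF_A, PROF_B: PROF_B})
```

The server may update any profile's status attribute when binding as itself, yet when it proxies for import_a it is refused the same write on import_b, because the profile's rights, not the server's, are what count.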