The directory server sends to the LDAP client a digest-challenge that includes
The client selects an authentication option, then sends a digest-response to the
The directory server then decrypts and verifies the client credential from the
Select Administr

32-10 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory

Part IV

Advanced Administration: Managing Directory Deployment

This part discusses important deployment considerations. It includes these chapters:
■ Chapter 33, Planning, Deploying and Managing Realms
■ Chapter 34, Tuning and Sizing Oracle Internet Directory
■ Chapter 35, Managing Garbage Collection
■ Chapter 36, Migrating Data from Other Data Repositories
■ Chapter 37, Configuring Server Chaining

33 Planning, Deploying and Managing Realms

This chapter discusses identity management realms and how to plan and configure them for both enterprise and hosted deployments. This chapter contains these topics:
■ Introduction to Planning, Deploying and Managing Realms
■ Customizing the Default Identity Management Realm
■ Creating Additional Identity Management Realms for Hosted Deployments

Introduction to Planning, Deploying and Managing Realms

This introduction includes the following topics:
■ Planning the Identity Management Realm
■ Identity Management Realms in an Enterprise Deployment
■ Identity Management Realms in a Hosted Deployment
■ Identity Management Realm Implementation in Oracle Internet Directory
■ Default Directory Information Tree and the Identity Management Realm

Planning the Identity Management Realm

Chapter 5, Understanding Oracle Internet Directory Organization describes guidelines for you to structure the overall DIT and the placement of users and groups for your deployment. Because implementing these guidelines can lead to an infinite number of deployment configurations, you must capture the intent of your deployment in metadata in the directory itself. This metadata enables Oracle software and other third-party software relying on the Oracle Identity Management infrastructure to understand the deployment intent and successfully function in customized environments.
In Oracle Internet Directory, this deployment intent is captured in the identity management realm. The realm also helps set identity management policies for users and groups whose placement is described in the previous section. The identity management realm is a well-scoped area in the directory that consists of:
■ A well-scoped collection of enterprise identities—for example, all employees in the US
■ A collection of identity management policies associated with these identities
■ A collection of groups—that is, aggregations of identities—that makes it easier to set identity management policies

Note: All references to Oracle Single Sign-On in this chapter refer to Oracle Single Sign-On 10g 10.1.4.3.0 or later.

When you have decided on the overall DIT structure and the placement of users and groups, you must identify the directory entry to serve as the root of the identity management realm. This entry determines the scope of the identity management policies defined in the realm. By default, the scope is the entire directory subtree under the root of the identity management realm. Under this entry, a special entry called OracleContext is created. It contains the following:
■ The deployment-specific DIT design, including user and group naming and placement, as described in previous sections
■ The identity management policies associated with this realm
■ Additional realm-specific information for Oracle applications

When planning the identity management realm, consider the following:
■ The security needs of your enterprise must dictate the choice of the root of the identity management realm. Typically, most enterprises need only one realm. However, multiple realms may be required when multiple user populations are managed with different identity management policies.
■ If you already have a third-party directory, or plan to integrate with one in the future, then align the choice of the identity management realm root with the DIT design of the third-party directory. This simplifies the synchronization and subsequent administration of the distributed directories.
■ To configure and administer identity management realms, use the administrative tools provided by Oracle Internet Directory. These include the Oracle Internet Directory Self-Service Console in Oracle Delegated Administration Services 10g 10.1.4.3.0 or later, and command-line tools.
■ After you have used the Oracle Internet Directory tools to configure the identity management realm, plan on updating the directory naming and containment policies to reflect the customizations made by the deployment. This update must happen before installing and using other Oracle components that use the Oracle Identity Management infrastructure.

Figure 33–1 shows an example of an identity management realm for an enterprise called MyCompany.

See Also: The command reference for oidrealm in Oracle Fusion Middleware Reference for Oracle Identity Management.
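The text above states that the realm root entry determines which entries a realm's policies govern: by default, the whole subtree under that root. The following is an added illustration of that scoping rule, not code from the Oracle documentation or from Oracle Internet Directory itself. It assumes a realm rooted at a hypothetical dc=mycompany,dc=com and uses constructed sample DNs; the cn=Users and cn=Groups containers and cn=OracleContext entry are placed under the root the way the chapter describes, but their exact naming in a given deployment is an assumption here. DN handling is a simplified split on commas (no escaped commas or multi-valued RDNs), which is enough to show why scope checks must compare normalized RDNs rather than raw strings.

```python
"""Decide whether directory entries fall inside an identity management realm.

Added example (not Oracle's code). Assumes realm scope is the entire subtree
under the realm root, the default described in the chapter. Realm root DN and
sample entries are constructed for illustration.
"""
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) RDN pairs, normalised for comparison.

    LDAP attribute types are case-insensitive, and the common naming
    attributes (dc, cn, ou) use case-insensitive matching rules, so a realm
    scope check that compares raw strings would treat "DC=MyCompany, DC=com"
    as a different tree from "dc=mycompany,dc=com". Simplified RFC 4514
    parsing: no escaped commas, no multi-valued RDNs.
    """
    rdns: List[RDN] = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_realm(entry_dn: str, realm_root_dn: str) -> bool:
    """True if entry_dn is the realm root itself or lies anywhere under it."""
    entry = parse_dn(entry_dn)
    root = parse_dn(realm_root_dn)
    if len(entry) < len(root):
        return False
    # An entry's ancestors are its trailing RDNs, so subtree membership is a
    # comparison of the entry's tail against the root's full RDN sequence.
    return entry[len(entry) - len(root):] == root


def realm_members(entries: List[str], realm_root_dn: str) -> List[str]:
    """Filter a list of entry DNs down to those the realm's policies govern."""
    return [dn for dn in entries if in_realm(dn, realm_root_dn)]


# Constructed sample entries; the first three lie under the hypothetical
# realm root dc=mycompany,dc=com, the last two do not.
SAMPLE_ENTRIES = [
    "cn=OracleContext,dc=mycompany,dc=com",
    "cn=jdoe, CN=Users, DC=MyCompany, DC=com",   # same tree, different case and spacing
    "cn=admins,cn=Groups,dc=mycompany,dc=com",
    "cn=jsmith,cn=Users,dc=notmycompany,dc=com",  # different dc value
    "cn=partner,o=mycompany,dc=com",              # same value, different attribute type
]

if __name__ == "__main__":
    for dn in SAMPLE_ENTRIES:
        print(f"{'in ' if in_realm(dn, 'dc=mycompany,dc=com') else 'out'}  {dn}")
```

Running the module lists each sample DN with its realm membership. The two negative cases matter in practice: an entry whose dc value merely resembles the realm's, and an entry whose RDN value matches but whose attribute type differs, are both outside the realm and must not inherit its policies.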