Delegating Privileges for Oracle Identity Management 31-9
How Deployment Privileges Are Granted
To enable administrators to deploy Oracle components, the superuser:
1. Grants certain deployment privileges to various groups—for example, the Oracle Fusion Middleware Administrators Group
2. Adds the administrators to those privileged groups
The delegated administrators, in turn, can delegate privileges to other administrators.
Oracle Application Server Administrators
Table 31–11 describes the characteristics of the Oracle Application Server Administrators Group.
Note: Oracle Internet Directory superusers have all the privileges of Oracle Fusion Middleware Administrators and Trusted Application administrators, and must be members of the Oracle Fusion Middleware Administrators Group. They can:
■ Assign the Oracle Fusion Middleware Administrator role to a user
■ Assign the Trusted Application role to a user
■ Assign the User Management Application Administrator role to a user
Table 31–11 Characteristics of the Oracle Application Server Administrators Group
Tasks:
■ Perform repository database installation that creates a repository database registration entry in the directory
■ Perform mid-tier installation. To associate a mid-tier with a repository, the user must have the appropriate privileges with a specific repository database.
■ Install and configure Oracle Fusion Middleware components that create application entities in Oracle Internet Directory
■ Grant to component entities the run-time privileges listed later in this section
■ Configure provisioning profiles for components so that the components can receive update notifications
Privileges this group can delegate to components:
■ Read Common User Attributes—except passwords, certificates, and similar security credentials
■ Read common group attributes
■ Create, edit, and delete groups
■ Authenticate a user
■ Read application verifiers
Administrators:
■ Oracle Internet Directory superuser
■ Oracle Context Administrator
■ Owners of this group
DN: cn=IASAdmins,cn=groups,Oracle_Context_DN
31-10 Oracle Fusion Middleware Administrators Guide for Oracle Internet Directory
User Management Application Administrators
User Management Application Administrators must be members of the Oracle Fusion Middleware Administrators Group. Table 31–12 describes the characteristics of the User Management Application Administrators Group.
Table 31–12 Characteristics of the User Management Application Administrators Group
Tasks: User Management Application administrators install specific applications that have interfaces to perform user management operations—for example, Oracle Portal and Oracle Application Server Wireless.
Privileges this group can delegate to components: Create, edit, and delete user attributes
Administrators:
■ Oracle Internet Directory superuser
■ Oracle Context Administrator
■ Owners of this group
DN: cn=IAS User Mgmt Admins,cn=groups,Oracle_Context_DN
Trusted Application Administrators
Trusted Application administrators must be members of the Oracle Fusion Middleware Administrators Group. Table 31–13 describes the characteristics of the Trusted Application Administrators Group.
Table 31–13 Characteristics of the Trusted Application Administrators Group
Tasks: Install specific identity management components—for example, Oracle Single Sign-On, Oracle Delegated Administration Services, and Oracle Application Server Certificate Authority
Privileges this group can delegate to components:
■ Read, compare, or reset the user password
■ Proxy as the end-user
■ Read, compare, or modify the user's certificate and SMIME certificate
Administrators:
■ Oracle Internet Directory superuser
■ Oracle Context Administrator
■ Owners of this group
DN: cn=Trusted Application Admins,cn=groups,Oracle_Context_DN
Delegating Privileges for Component Run Time
Many Oracle components administer user entries in Oracle Internet Directory and need the corresponding privileges. For example:
■ When the Oracle Single Sign-On server authenticates a user, that server:
– Connects to Oracle Internet Directory using its own identity
– Verifies that the password entered by the user matches that user's password stored in the directory
To do this, the Oracle Single Sign-On server needs permission to compare user passwords. To set up the Oracle Single Sign-On cookie, it needs permission to read user attributes.
■ To grant access to a user, Oracle Portal must retrieve that user's attributes. To do this, it logs in to Oracle Internet Directory as a proxy user, impersonating the user seeking access. It therefore needs the privileges of a proxy user.
In general, Oracle components can require these privileges:
■ Read and modify user passwords
■ Compare user passwords
■ Proxy on behalf of users accessing applications
■ Administer the Oracle Context where all Oracle components store their metadata
Most Oracle components ship with a preconfigured set of privileges. You can change these default privileges to satisfy specific business requirements—for example, by removing privileges to create and delete user entries.
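As an added illustration that is not part of the Oracle guide, the following Python script audits a component identity's effective run-time privileges against the privileges its tasks actually need, using the delegation group DNs from Tables 31–14 through 31–19 in this section. The realm Oracle Context DN, the LDIF export of the groups, and the component DNs are constructed assumptions.

```python
import re

# Assumed realm Oracle Context DN (the guide writes it as Oracle_Context_DN).
ORACLE_CONTEXT_DN = "cn=OracleContext,dc=example,dc=com"
# Group DN -> the default run-time privilege it confers (Tables 31-14 to 31-19).
GROUP_PRIVILEGE = {
    f"cn=oracleUserSecurityAdmins,cn=groups,{ORACLE_CONTEXT_DN}": "modify_password",
    f"cn=authenticationServices,cn=groups,{ORACLE_CONTEXT_DN}": "compare_password",
    f"cn=verifierServices,cn=groups,{ORACLE_CONTEXT_DN}": "compare_verifier",
    f"cn=userProxyPrivilege,cn=groups,{ORACLE_CONTEXT_DN}": "proxy",
    f"cn=oracleContextAdmins,cn=groups,{ORACLE_CONTEXT_DN}": "manage_context",
    f"cn=commonuserattributes,cn=users,{ORACLE_CONTEXT_DN}": "read_common_user_attrs",
}
# Constructed LDIF export of the delegation groups; the component DNs are made up.
SAMPLE_LDIF = """\
dn: cn=authenticationServices,cn=groups,cn=OracleContext,dc=example,dc=com
uniquemember: cn=sso-service,cn=Products,cn=OracleContext,dc=example,dc=com

dn: cn=oracleUserSecurityAdmins, cn=groups, cn=OracleContext, dc=example, dc=com
uniquemember: CN=SSO-Service,cn=Products,cn=OracleContext,dc=example,dc=com

dn: cn=userProxyPrivilege,cn=groups,cn=OracleContext,dc=example,dc=com
uniquemember: cn=portal-service,cn=Products,cn=OracleContext,dc=example,dc=com
"""

def norm(dn):
    """Normalise a DN for comparison: trim, drop spaces around commas, lowercase."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_group_members(ldif):
    """Map each group DN in the LDIF to the set of its uniquemember DNs."""
    groups, current = {}, None
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        if attr.strip().lower() == "dn":
            current = norm(value)
            groups.setdefault(current, set())
        elif attr.strip().lower() == "uniquemember" and current is not None:
            groups[current].add(norm(value))
    return groups

def effective_privileges(groups, member_dn):
    """Privileges a DN holds through direct membership in the delegation groups."""
    dn = norm(member_dn)
    return {p for g, p in GROUP_PRIVILEGE.items() if dn in groups.get(norm(g), set())}

def audit(ldif, component_dn, required):
    """Return (missing, excess) relative to the privileges the component's tasks need."""
    held = effective_privileges(parse_group_members(ldif), component_dn)
    return set(required) - held, held - set(required)
```

In the sample data the SSO identity only needs to compare passwords but also sits in the User Security Administrators Group, so the audit reports modify_password as excess; the Portal identity can proxy but lacks read_common_user_attrs, which it needs to retrieve the user's attributes.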
This section describes the security privileges required by Oracle components. It contains these topics:
■ Default Privileges for Reading and Modifying User Passwords
■ Default Privileges for Comparing User Passwords
■ Default Privileges for Comparing Password Verifiers
■ Default Privileges for Proxying on Behalf of End Users
■ Default Privileges for Managing the Oracle Context
■ Default Privileges for Reading Common User Attributes
■ Default Privileges for Reading Common Group Attributes
■ Default Privileges for Reading the Service Registry
■ Default Privileges for Administering the Service Registry
Default Privileges for Reading and Modifying User Passwords
Reading and modifying user passwords requires administrative privileges on the security-related attributes in the directory—for example, the userPassword attribute. It requires membership in the User Security Administrators Group described in Table 31–14.
See Also: Oracle Application Server Security Guide in the 10g 10.1.4.0.1 library for further information about the component delegation model.
Default Privileges for Comparing User Passwords
Comparing user passwords requires permission to compare a user's userPassword attribute. This operation is performed by components such as Oracle Unified Messaging that authenticate end users by using their passwords stored in Oracle Internet Directory. Comparing user passwords requires membership in the Authentication Services Group described in Table 31–15.
Default Privileges for Comparing Password Verifiers
To compare password verifiers, a user must have permission to compare the userpassword attribute. Comparing password verifiers requires membership in the Verifier Services Group described in Table 31–16.
Table 31–14 Characteristics of the User Security Administrators Group
Default ACP: The default ACL policy at the Root DSE Entry allows members of the User Security Administrators Group to read, write, compare, and search on userpkcs12, orclpkcs12hint, userpassword, orclpassword, and orclpasswordverifier attributes at the Root Oracle Context. However, directory administrators can grant similar administrative privileges to the User Security Administrators Group in the realm Oracle Context.
Administrators:
■ The Oracle Internet Directory superuser
■ Members of the Oracle Context Administrators Group
■ Members of the Trusted Application Administrators Group
DN: cn=oracleUserSecurityAdmins,cn=groups,Oracle_Context_DN
Table 31–15 Characteristics of the Authentication Services Group
Default ACP: The ACL policy at the Users container in the default identity management realm allows the Authentication Services Group to perform the compare operation on the userPassword attribute of users.
Administrators:
■ The Oracle Internet Directory superuser
■ Members of the Oracle Context Administrators Group
■ Members of the Application Server Administrators Group
■ Owners of this group
DN: cn=authenticationServices,cn=groups,Oracle_Context_DN
Table 31–16 Characteristics of the Verifier Services Group
Administrators:
■ The Oracle Internet Directory superuser
■ Members of the Oracle Context Administrators group
■ Members of the Application Server Administrators group
■ Owners of this group
DN: cn=verifierServices,cn=groups,Oracle_Context_DN
Default Privileges for Proxying on Behalf of End Users
A proxy user has the privilege to impersonate an end user, performing on that user's behalf those operations for which that user has privileges. In an Oracle Fusion Middleware environment, the Oracle Delegated Administration Services proxies on behalf of the end user, and, through the Oracle Internet Directory Self-Service Console, performs operations on that user's behalf. In such a case, the access controls on the directory server eventually govern the operations that the user can perform. Proxying on behalf of end users requires membership in the User Proxy Privilege Group described in Table 31–17.
Default Privileges for Managing the Oracle Context
To manage a specific Oracle Context, a user must have complete access to it. Managing an Oracle Context requires membership in the Oracle Context Administrators Group described in Table 31–18. An Oracle Context Administrators Group exists for each Oracle Context and has administrative permission in the specific Oracle Context.
Default Privileges for Reading Common User Attributes
Common user attributes are: mail, orclguid, displayname, preferredlanguage, orcltime, gender, dateofbirth, telephonenumber, wirelessaccountnumber. To read these attributes requires membership in the Common User Attributes Group described in Table 31–19.
Table 31–17 Characteristics of the User Proxy Privilege Group
Default ACP: The ACL at the Users container in the default identity management realm allows User Proxy Privilege Group to proxy on behalf of the end user.
Administrators:
■ The Oracle Internet Directory superuser
■ Members of the Oracle Context Administrators Group
■ Owners of the groups. The DNs of these owners are listed as values of the owner attribute in the group or members of the Oracle Fusion Middleware Administrators Group.
■ Members of the Trusted Application Administrators Group
DN: cn=userProxyPrivilege,cn=groups,OracleContextDN
Table 31–18 Characteristics of the Oracle Context Administrators Group
Default ACP: The ACL policy at the root node of the Oracle Context allows members of Oracle Context Administrators Group to perform all administrative operations within the Oracle Context. Such a policy is set up when a new Oracle Context is created in the directory.
Administrators:
■ The Oracle Internet Directory superuser
■ Members of the Oracle Context Administrators Group
DN: cn=oracleContextAdmins,cn=groups,Oracle_Context_DN
Default Privileges for Reading Common Group Attributes
Common group attributes are: cn, uniquemember, displayname, and description. To read these attributes requires membership in the Common Group Attributes Group described in Table 31–20 on page 31-14.
Default Privileges for Reading the Service Registry
To view the contents of the Service Registry requires membership in the Service Registry Viewers Group described in Table 31–21 on page 31-14.
Default Privileges for Administering the Service Registry
To administer the Service Registry requires membership in the Service Registry Administrators Group described in Table 31–22 on page 31-14.
Table 31–19 Characteristics of the Common User Attributes Group
Default ACP: The default ACL is on the User container in the realm and grants permission to read common user attributes.
Administrators:
■ The Oracle Internet Directory superuser
■ Members of the Application Server Administrators Group
■ Owners of this group
DN: cn=commonuserattributes,cn=users,Oracle_Context_DN
Table 31–20 Characteristics of the Common Group Attributes Group
Default ACP: The default ACL is on the Group container in the realm and grants permission to read these attributes: cn, uniquemember, displayname, and description.
Administrators:
■ The Oracle Internet Directory superuser
■ Members of the Application Server Administrators Group
■ Owners of this group
DN: cn=commongroupattributes,cn=groups,Oracle_Context_DN
Table 31–21 Characteristics of the Service Registry Viewers Group
Default ACP: The default ACL is on the Services container in the root Oracle Context.
Administrators:
■ The Oracle Internet Directory superuser
■ Members of the Application Server Administrators Group
■ Owners of this group
DN: cn=service registry viewers,cn=services,cn=rootoraclecontext,
Table 31–22 Characteristics of the Common Group Attributes Group
Default ACP: The default ACL is on the Services container in the root Oracle Context.