Oracle Identity Manager 11gR2-PS2 Hands-on Workshop

Tech Deep Dive – Security

Source: download.oracle.com/opndocs/global/OIM-R2-PS2/... (Oracle Confidential – Do Not Distribute)

Agenda - Security

• Overview – R2 Enhancements
• OIM Authorization using OES
• Security Model
• Admin Roles
• Policies and Obligations
• OOB Policies
• Customizing OOB Authorization Policies
• Organization Scoped Entity Publication
• Functional Security

Enhanced Security Architecture Overview

• Standard ADF security model for functional security; OES best practices for data security.
• Consistent architecture: supports delegated administration of roles, organizations, entitlements, application instances and LDAP groups.
• Lets the backend make the security decisions, for example who can request what, who can have what, and who needs to go through approval. This secures the catalog-based request module and the converged UI and backend of self service and delegated administration.
• Scoping mechanism for delegated administration and data security of the various entities: all entities are scoped by the organization structure.

OIM Authorization using OES

(Architecture diagram, not reproduced: OIM authorization using OES, with the policy enforcement point (PEP) and the policy decision point (PDP).)

Architecture – R2 Security Model

(Diagram, not reproduced: admin role memberships and publication.)

Security Model - Admin Roles

• The new authorization model works on the basis of admin role assignments to a user.
• Admin roles are predefined: they cannot be created, updated, deleted or requested.
• They reside in the OIM DB; there is no LDAP sync.
• There are two types of admin roles: global and scoped.
• Global (system-wide) admin roles are assigned in the scope of the Top org only:
  • Catalog Administrator Role: manages catalog metadata and request profiles.
  • System Administrator Role: all permissions, no approval required.
  • System Configurator Role: all permissions on system configuration, no approval required.
  • SPML Administrator Role: manages SPML-related requests.

Security Model - Admin Roles

• Scoped admin roles are assigned in the scope of organizations (any org, including Top):
  • [Entity] Admin Role: can manage the entire lifecycle of the entity and perform any operation on it.
  • [Entity] Authorizer Role: can view the entity in the catalog or in request profiles and request it; such requests do not require approval.
  • [Entity] Viewer Role: required to view the entity in the UI.

Security Model - Admin Roles

• Admin role membership organization scoping is hierarchy-aware and can be cascaded downwards to the child organizations.
• Admin role membership is always given in an organization scope, and can only be assigned by the System Administrator or by an Organization Administrator within that organization.
• The System Configuration Administrator cannot assign admin roles.
• Admin roles have no auto-group membership and no role membership rules.
• Each admin role in Oracle Identity Manager has a one-to-one mapping to an application role in OES.
• The application roles have associated policies that govern which permissions are allowed for users who belong to the role. To change the functional and data constraints of these policies, open the respective policy in the Authorization Policy Management (APM) UI of OES and modify it there.

Security Model - Admin Roles

• Inherent permissions: the organization of which a user is a member is referred to as the user's Home organization. A user has implicit view permissions on the entities available to the Home and Dynamic organizations.
• Management hierarchy: if User A is the manager of User B and User C, then User A has implicit permissions on User B and User C, even if B and C are in different organizations. User A does not need explicit privileges on direct reports, irrespective of which organization they belong to.
• Implicit permissions are assigned based on Home Organization, Dynamic Organization and admin role membership. For example, the User Administrator role carries the Org Viewer, Role Viewer, Entitlement Viewer and AppInstance Viewer implicit permissions.
• Basic-info permissions grant only the ability to view and search the given entity. For example, the User Viewer admin role provides basic-info permission on roles, organizations, application instances and entitlements in the scoped organization.

Security Model - Admin Roles

(Diagram: in the Top org, global admin roles are available (they exist only in the context of the Top org); in a non-Top org, only scoped admin roles are available.)

Security Model - Admin Roles

Admin Role | Display Name | Description
OrclOIMSystemAdministrator ** | System Administrator | OIM System Administrator role with all privileges
OrclOIMSystemConfigurator ** | System Configuration Administrator | Role with privileges to configure the OIM application
OrclOIMCatalogAdmin ** | Catalog System Administrator | Role that can administer all catalog items
OrclOIMRoleAdministrator | Role Administrator | Role that can manage all assigned enterprise roles
OrclOIMRoleAuthorizer | Role Authorizer | Role that can authorize assigned enterprise roles
OrclOIMRoleViewer | Role Viewer | Role that can view assigned enterprise roles
OrclOIMEntitlementAdministrator | Entitlement Administrator | Entitlement administrator
OrclOIMEntitlementAuthorizer | Entitlement Authorizer | Entitlement authorizer
OrclOIMEntitlementViewer | Entitlement Viewer | Role that can view assigned entitlements
OrclOIMApplicationInstanceAdministratorRole | Application Instance Administrator | Role that can manage assigned application instances
OrclOIMApplicationInstanceAuthorizerRole | Application Instance Authorizer | Role with authorizations on assigned application instances
OrclOIMApplicationInstanceViewerRole | Application Instance Viewer | Role that can view assigned application instances
OrclOIMOrgAdministrator | Organization Administrator | Role that can manage assigned organizations
OrclOIMOrgViewer | Organization Viewer | Role that can view assigned organizations
OrclOIMUserAdmin | User Administrator | Role that can manage an assigned set of users
OrclOIMUserHelpDesk | HelpDesk | HelpDesk role to manage users
OrclOIMUserViewer | User Viewer | Role that can view assigned user records
OrclOIMSPMLAdmin ** | SPML Admin | SPML Admin role to manage SPML
OrclOIMCertificationAdministrator ** | Certification Administrator | Role that can manage the certification process

** denotes a global admin role

Security Model - Admin Roles: Admin Roles for the User Entity

Role: User Admin
Function security:
• Create User
• Delete User
• Get user in search results
• View User (requires attribute-level security)
• Modify User attributes (includes updating the organization attribute of a user in Standard Edition); requires attribute-level security
• Enable User
• Disable User
• Unlock User
• Change User Password
• Change Password in Application Instance
• Grant/Revoke Roles
• Provision/Deprovision/Modify/Enable/Disable Application Instances
• Grant/Revoke Entitlements
Scoping rules:
1) I can perform the functions listed above on users that are in the orgs I am allowed to manage.
2) I can only perform the functions on user attributes to which I have access.

Role: Helpdesk Admin
Function security:
• Get user in search results
• View User (requires attribute-level security)
• Enable User
• Disable User
• Unlock User
• Change User Password
• Change Password in Application Instance

Role: User Viewer
Function security:
• Create User through Request
• Delete User through Request
• Get user in search results
• View User (requires attribute-level security)
• Modify User attributes (includes updating the organization attribute of a user) through Request; requires attribute-level security
• Enable User through Request
• Disable User through Request
• Grant/Revoke Roles through Request
• Provision/Deprovision/Modify/Enable/Disable Application Instances through Request
• Grant/Revoke Entitlements through Request

Role: Any and all users (any OIM user; this is not an admin role)
Function security:
• Modify own user profile
• Change own passwords / challenge questions
• Raise requests for self
Scoping rules: for self only.

Security Model - Admin Roles: Admin Roles for the Role Entity

Role: Role Admin
Function security:
• Create Role
• View Role
• Update Role attributes
• Delete Role
• View Role Members
• Create Role Category
• Update Role Category
• Delete Role Category
• Manage Role Hierarchy
• Publish a role to a set of organizations (in this context, data security applies)
Scoping rules:
1) I can publish the role to the orgs that I am allowed to manage.
2) I can manage the roles that are published to my org.
3) I can manage the roles that are published to org(s) that I can manage.

Role: Role Viewer
Function security:
• View Role in search results
• View role attributes
• Request role grant/revoke for users
Scoping rules: I can perform functions on roles that have been published to orgs that I am allowed to manage.

Role: Role Authorizer
Function security:
• View Role in search results
• View role attributes
• View Role Members
• Request role grant/revoke for users; no approval needed
Scoping rules: I can perform functions on roles that have been published to orgs that I am allowed to manage.

Security Model - Admin Roles: Admin Roles for the Organization Entity

Role: Organization Admin
Function security:
• Create Organization
• View and manage (update) organization attributes
• Delete Organization
• All Role Admin privileges for admin roles (assigning admin role memberships within the organization)
• Update organization hierarchy (for a specific organization)
• Update organization attributes (of a specific organization)
Scoping rules: I can perform functions on organizations that I am allowed to manage.

Role: Organization Viewer
Function security:
• Get organization in search results
• View organization and organization attributes
Scoping rules: I can perform functions on organizations that I am allowed to manage.

Security Model - Admin Roles: Admin Roles for the Entitlement Entity

Role: Entitlement Admin
Function security:
• Publish entitlements to a set of organizations (in this context, data security applies)
• View Entitlement Members
Scoping rules:
1) I can publish the entitlements to the orgs that I am allowed to manage.
2) I can manage the entitlements that are published to org(s) that I can manage.

Role: Entitlement Authorizer
Function security:
• View Entitlement in search results
• View Entitlement attributes
• View Entitlement Members
• Request entitlement grant/revoke for users; no approval needed
Scoping rules: I can perform functions on entitlements that have been published to org(s) that I am allowed to manage.

Role: Entitlement Viewer
Function security:
• View Entitlement in search results
• View Entitlement attributes
• Request entitlement grant/revoke for users
Scoping rules: I can perform functions on entitlements that have been published to org(s) that I am allowed to manage.

Security Model - Admin Roles: Admin Roles for the Application Instance Entity

Role: Application Instance Authorizer
Function security:
• View Application Instance in search results
• View Application Instance attributes (excluding passwords)
• Request provisioning, de-provisioning, modification, enabling or disabling of an account in the application instance
• View accounts
• No approval needed
Scoping rules: I can perform functions on application instances that have been published to orgs that I am allowed to manage.

Role: Application Instance Viewer
Function security:
• View Application Instance in search results
• View Application Instance attributes (excluding passwords)
• Request provisioning, de-provisioning, modification, enabling or disabling of an account in the application instance
Scoping rules: I can perform functions on application instances that have been published to orgs that I am allowed to manage.

Role: Application Instance Admin
Function security:
• Create Application Instance
• Create Resource Object
• Modify Application Instance
• Modify Resource Object
• Delete Application Instance
• Delete Resource Object
• View accounts
• Publish an application instance to a set of organizations (in this context, data security applies)
Scoping rules:
1) I can publish the application instance to the orgs that I am allowed to manage.
2) I can manage the application instances that are published to org(s) that I can manage.

Security Model - Admin Roles: Admin Roles for the Certification and Catalog Entities

Role: Certification Administrator *
Function security:
• View Certification Configuration
• Update Certification Configuration
• Update Certification
• View/manage scheduled jobs
• Create/View/Modify/Delete/Run jobs
• View Certification
• View User Admin Role
• View User Entitlements
• View Requests
• View User Accounts
• View User Roles
• Start/Stop Scheduler
• Create/Modify/Delete Trigger
• Add/Modify/Delete Task

Role: Certification Viewer *
Function security:
• View Certification
Note: the only permission explicitly granted to the Certification Viewer admin role is View Certification. Permissions to view other entities are granted dynamically and scoped to the entities referenced in a certification.

Role: Catalog Admin
Function security:
• Edit catalog metadata
• Create Request Profiles
• Modify Request Profiles
• Delete Request Profiles

* Introduced in 11gR2 PS1

Admin Role Memberships

• An admin role membership defines the relationship between a user and an admin role in the context of an org.
• Admin role memberships are hierarchy-aware: a user holding an admin role at a parent org can also act with that admin role in the child orgs if the membership's hierarchy flag is set to true.
• Memberships can be viewed from the context of an org or from the context of a user.

Admin Role Membership Entity Lifecycle

(State diagram: Non-Existent --Create--> Active; Active --Modify--> Active; Active --Delete--> Deleted.)

Creating Admin Role Memberships

(Screenshot walkthrough.) Click Assign, then:
1. Search for the user.
2. Select the user and click "Add Selected".
3. Click Add.
Result shown: Role Admin assigned to user FOO.

View Admin Role Memberships

(Screenshots: the memberships viewed from the org context, and from the user context.)

Entity Publication

• Publication is the way of making an entity available to an org.
• Roles, application instances and entitlements can be published by their respective administrators from the entity details screen.
• Publication is hierarchy-aware, so an entity can be made visible to child orgs too, although it is actually published to the parent org.
• Auto-publish: when an entity administrator creates an entity, that entity is automatically made available to all the organizations for which the administrator holds the entity admin role. For example, when a user with the Role Administrator privilege creates an enterprise role, the new role is automatically made available to all the organizations in which that user is Role Administrator.
• Dependent data is published too: the publishing service also publishes dependent data (such as the entitlements of an application instance) when the parent entity is published.

Entity Publication – Organization scoping

• An organization in OIM is used ONLY for security purposes. It is NOT an enterprise organization, nor an LDAP organizational unit or organization.
• Data security using organization scoping follows this principle:
  • Data is secured by confining its availability to a set of organizations (publishing).
  • A user is assigned permissions over an organization by being given an admin role in that organization's scope (delegation / delegated admins).
  • If an organization in which the user holds permissions and an organization to which the entity is published match, the user is allowed to perform operations according to the user's admin roles.
• Both publishing and admin role memberships are organization-hierarchy aware.

(Diagram: the user's admin-role memberships in organizations on one side, the entities available in organizations on the other; access is granted where the two overlap.)
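The matching rule above, together with the hierarchy flags described for admin role memberships and for publication, can be seen in a small model. This is an added example, not Oracle code and not OIM's actual evaluation engine; the org tree, the user and entity names and the method names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Toy model of OIM organization-scoped data security (added example, not
 * Oracle code). Orgs form a tree. Admin role memberships and entity
 * publications are both attached to an org, with an optional hierarchy flag
 * that cascades the grant to every descendant org. A user may act on an
 * entity with a given admin role only where an org in which the user holds
 * that admin role matches an org in which the entity is published.
 */
public class OrgScopedAuthz {

    /** org -> parent org; the Top org has a null parent (constructed sample). */
    private final Map<String, String> parentOf = new HashMap<>();
    private final List<Membership> memberships = new ArrayList<>();
    private final List<Publication> publications = new ArrayList<>();

    record Membership(String user, String adminRole, String org, boolean includeHierarchy) {}
    record Publication(String entity, String org, boolean includeHierarchy) {}

    public void addOrg(String org, String parent) { parentOf.put(org, parent); }

    public void grantAdminRole(String user, String adminRole, String org, boolean includeHierarchy) {
        memberships.add(new Membership(user, adminRole, org, includeHierarchy));
    }

    public void publish(String entity, String org, boolean includeHierarchy) {
        publications.add(new Publication(entity, org, includeHierarchy));
    }

    /** True if org equals ancestor or lies below it in the org tree. */
    private boolean isSameOrBelow(String org, String ancestor) {
        for (String o = org; o != null; o = parentOf.get(o)) {
            if (o.equals(ancestor)) return true;
        }
        return false;
    }

    /** Orgs covered by a grant on 'org': that org alone, or its whole subtree when cascaded. */
    private Set<String> coveredOrgs(String org, boolean includeHierarchy) {
        Set<String> covered = new HashSet<>();
        for (String candidate : parentOf.keySet()) {
            if (candidate.equals(org) || (includeHierarchy && isSameOrBelow(candidate, org))) {
                covered.add(candidate);
            }
        }
        return covered;
    }

    /** Orgs where the user's admin-role scope and the entity's publication scope overlap. */
    public Set<String> matchingOrgs(String user, String adminRole, String entity) {
        Set<String> adminScope = new HashSet<>();
        for (Membership m : memberships) {
            if (m.user().equals(user) && m.adminRole().equals(adminRole)) {
                adminScope.addAll(coveredOrgs(m.org(), m.includeHierarchy()));
            }
        }
        Set<String> published = new HashSet<>();
        for (Publication p : publications) {
            if (p.entity().equals(entity)) {
                published.addAll(coveredOrgs(p.org(), p.includeHierarchy()));
            }
        }
        adminScope.retainAll(published);   // the "match" in the slide's rule
        return adminScope;
    }

    public boolean canAct(String user, String adminRole, String entity) {
        return !matchingOrgs(user, adminRole, entity).isEmpty();
    }

    public static void main(String[] args) {
        OrgScopedAuthz authz = new OrgScopedAuthz();
        // Constructed sample org tree: Top -> {Sales -> SalesEMEA, Engineering}
        authz.addOrg("Top", null);
        authz.addOrg("Sales", "Top");
        authz.addOrg("SalesEMEA", "Sales");
        authz.addOrg("Engineering", "Top");

        // alice: Role Administrator on Sales, cascaded to children; bob: same org, not cascaded
        authz.grantAdminRole("alice", "OrclOIMRoleAdministrator", "Sales", true);
        authz.grantAdminRole("bob", "OrclOIMRoleAdministrator", "Sales", false);

        // Enterprise roles published at different points of the tree
        authz.publish("SalesReporting", "SalesEMEA", false);   // only the leaf org
        authz.publish("EngTools", "Engineering", true);        // other subtree
        authz.publish("CompanyWide", "Top", true);             // cascades to every org

        String role = "OrclOIMRoleAdministrator";
        System.out.println("alice/SalesReporting: " + authz.canAct("alice", role, "SalesReporting"));
        System.out.println("bob/SalesReporting:   " + authz.canAct("bob", role, "SalesReporting"));
        System.out.println("alice/EngTools:       " + authz.canAct("alice", role, "EngTools"));
        System.out.println("bob/CompanyWide:      " + authz.canAct("bob", role, "CompanyWide"));
    }
}
```

Running main shows alice allowed on SalesReporting (her cascaded membership reaches SalesEMEA) and bob allowed on CompanyWide (published at Top and cascaded), while bob is denied SalesReporting because his membership is not cascaded and SalesEMEA is therefore outside his scope, and alice is denied EngTools because it lives in a different subtree. The same intersection is what the Authorizer and Viewer rows of the earlier tables mean by "entities published to orgs that I am allowed to manage".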

Publication Entity Lifecycle

(State diagram: Non-Existent --Create--> Active; Active --Modify--> Active; Active --Delete--> Deleted.)

Please note: the life cycle of a publication entity is separate from the life cycle of the actual entity (role, etc.). However, when the entity is deleted, its publications are deleted as well.

Add Entity Publications

(Screenshot walkthrough.) Create a role. Since the role was created by the System Administrator, it is auto-published to the Top org. To publish it manually, click Assign, then:
1. Search for the org.
2. Select it and click "Add Selected".
3. Click OK.
Result shown: role published to the org.

View Entity Publications

(Screenshots: the publications viewed from the org context, and from the entity context.)

Authorization Policy Concepts

• Policy = Principal + Target + Allowed Actions + Conditions + Obligations
• Principal: the admin role or user for which the policy is evaluated.
• Target: the entity (user, role, application instance, entitlement, task flow, etc.).
• Actions: the actions allowed on the target (View, Create, Update, Render, etc.).
• Conditions: the logic on which the policy is evaluated.
• Obligations: define or restrict the scope of an allowed action:
  • Requestable or direct.
  • Attribute allowed or denied.

Enhanced Security Architecture: Attribute Security

• Attribute-level security is implemented only for user attributes.
• By default, all authorization policies are configured to show all attributes of a user.
• To restrict the attributes the User Viewer role can view, or the attributes the User Admin roles can view and edit, add the attributes to be restricted to the deny attribute list of the respective policy in the OES APM UI.
• Use an authorization plug-in to pass additional contextual information for policy evaluation.

Authorization Policies for User management: Management Hierarchy

(Slide shows the corresponding policy; not reproduced.)

Authorization Policies for User management: Home Org (peer permissioning)

(Slide shows the corresponding policy; not reproduced.)

Authorization Policies for User management: Authenticated Self Service

(Slide shows the corresponding policy; not reproduced.)

Authorization Policies for User management

• Policies for the management hierarchy
• Policies for peer permissioning (Home Org)
• Policies for authenticated self-service
• Policies for admin roles (User Admin, User Viewer, SPML Admin and HelpDesk)
• Policies for basic-info permissions and for the request context
• Deny policy for the System Configuration role

Authorization Policies for Role management

• Policies for peer permissioning (Home Org)
• Policies on the basis of the assignment
• Policies for admin roles (Role Admin, Role Viewer, SPML Admin, Catalog Admin and Role Authorizer)
• Policies for basic-info permissions and for the request context
• Deny policy for the System Configuration role, except for view and search

Authorization Policies for Organization management

• Policies for peer permissioning (Home Org)
• Policies for admin roles (Org Admin, Org Viewer)
• Policies for basic-info permissions
• Deny policy for the System Configuration role, except for view and search

Authorization Policies for Entitlement management

• Policies for peer permissioning (Home Org)
• Policies on the basis of the assignment
• Policies for admin roles (Entitlement Admin, Entitlement Viewer, Catalog Admin and Entitlement Authorizer)
• Policies for basic-info permissions and for the request context
• Deny policy for the System Configuration role, except for view and search

Authorization Policies for Application Instance management

• Policies for peer permissioning (Home Org)
• Policies on the basis of the assignment
• Policies for admin roles (AppInstance Admin, AppInstance Viewer, Catalog Admin and AppInstance Authorizer)
• Policies for basic-info permissions and for the request context
• Deny policy for the System Configuration role, except for view and search

Authorization Policies defined for System Configuration

• Various policies are defined for system configuration; they carry no data scoping (Scheduler, Notification and so on).
• Note: no authorization policies are defined for the System Administrator role; all actions are allowed for a user holding the System Administrator admin role.

Authorization Policy Enforcement Points

• User Management
• Role Management
• Organization Management
• Application Instance
• Entitlement
• Entity Configuration
• Reconciliation Management
• Scheduler
• Approval Policy Management
• Notification Management
• System Properties
• Diagnostic Dashboard
• Plug-In Framework
• Authenticated User Self Service

Permissions not governed by OES Policies

• Create/Update/Delete Access Policies
• Add/Modify/Remove Lookup
• Import/Export using Deployment Manager
• Attestation Administration

Catalog Security

• Security policies for function and data:
  • Who can request what from the catalog?
  • Who can request for which beneficiaries?
  • Who is authorized to have what?
  • "Actor" checks are performed in the UI and "Beneficiary" checks in the back end.
• Approval workflows are separate from security policies:
  • Which requests need manual approval and which are auto-approved?
  • Who needs to approve the request?

Authorization Plug-In - Use case

• The customer wants to implement two levels of user administration.
• The first is the default User Administrator admin role defined in OIM.
• The second is a restricted variant: a User Administrator who is also a member of the ADMINISTRADOR_DELEGADO OIM role is not allowed
  • to create and remove users,
  • to view, add, delete and modify admin roles,
  • to disable user accounts or change their passwords,
  • to add and delete user roles.

Authorization Plug-In - Solution

1. Create an OIM role called "ADMINISTRADOR_DELEGADO".
2. Create an attribute in APM to carry the validation response from the authorization plug-in.
3. Create an Attribute Resolver plug-in that checks the logged-in user's OIM role membership.
4. Create an authorization policy in APM that denies the selected privileges to the OIM User Admin principal. The policy's condition references the attribute created in step 2 and compares it with a string constant.

Authorization Plug-In - Solution: Create an Attribute in APM

• Go to Applications -> OIM -> Extensions -> Attributes (double-click).
• Press the "New" icon.
• Fill in the data.

Authorization Plug-In - Solution: Create an Authorization Policy in APM

• Go to Applications -> OIM -> OIMDomain -> Authorization Policies (double-click).
• Press the "New" icon.
• Fill in the data.

Page 45: Oracle Identity Manager 11gR2-PS2 Hands-on Workshop …download.oracle.com/opndocs/global/OIM-R2-PS2/... · Oracle Identity Manager 11gR2-PS2 Hands-on Workshop Tech Deep Dive –

45 Oracle Confidential – Do Not Distribute

Create an Attribute Resolver Plug-in

• Use the oracle.iam.platform.authopss.plugin.AttributeResolver plug-in point to pass attributes to OES for policy evaluation.

• To add a new attribute for use in policy conditions, put the attribute into the Map returned by the following methods (the key must be the attribute name created in APM).

import java.util.HashMap;
import java.util.Map;
import oracle.iam.platform.authopss.api.PolicyConstants;
import oracle.iam.platform.authopss.plugin.AttributeResolver;

public class ResolveResourceUserTypeAttribute implements AttributeResolver {

    // Resolves the attributes of the target entity on which the logged-in user is working.
    public Map<String, Object> resolveResourceAttributes(String subjectId, PolicyConstants.Resources resourceType, String resourceId) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        // attrs.put("<APM attribute name>", value) for each resource attribute the policies need.
        return attrs;
    }

    // Resolves the attributes related to the logged-in user (the subject).
    public Map<String, Object> resolveSubjectAttributes(String subjectId, PolicyConstants.Resources resourceType) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        // attrs.put("<APM attribute name>", value) for each subject attribute the policies need.
        return attrs;
    }
}

Authorization Plug-In - Solution



Register the Plug-in

<?xml version="1.0" encoding="UTF-8"?>
<oimplugins>
  <plugins pluginpoint="oracle.iam.platform.authopss.plugin.AttributeResolver">
    <plugin pluginclass="dgp.oim.plugin.security.ResolveResourceUserTypeAttribute"
            version="1.2" name="CNPResolveResourceUserTypeAttribute">
    </plugin>
  </plugins>
</oimplugins>

Authorization Plug-In - Solution
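As an added example, not code from the workshop or from Oracle, the resolver below completes the use case above: it derives a subject attribute from the logged-in user's ADMINISTRADOR_DELEGADO membership so the APM deny policy can compare it with a string constant, and it fails closed when the membership lookup errors. The attribute name oimUserAdminType, the values "delegated"/"full", the package paths of RoleManager, Role, Platform and PolicyConstants, and the getUserMemberships signature are assumptions to verify against your OIM javadoc; the class and package names come from the registration XML on this page.

```java
package dgp.oim.plugin.security;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;
import oracle.iam.identity.rolemgmt.api.RoleManager;   // assumed package path
import oracle.iam.identity.rolemgmt.vo.Role;           // assumed package path
import oracle.iam.platform.Platform;                   // assumed package path
import oracle.iam.platform.authopss.api.PolicyConstants;
import oracle.iam.platform.authopss.plugin.AttributeResolver;

public class ResolveResourceUserTypeAttribute implements AttributeResolver {
    // Must equal the attribute name created in APM in step 2 (assumed value).
    static final String ATTR_NAME = "oimUserAdminType";
    // OIM role created in step 1 of the use case.
    static final String DELEGATED_ROLE = "ADMINISTRADOR_DELEGADO";
    private static final Logger LOG = Logger.getLogger(ResolveResourceUserTypeAttribute.class.getName());

    // Subject attributes: the APM policy condition compares ATTR_NAME with the constant "delegated".
    public Map<String, Object> resolveSubjectAttributes(String subjectId, PolicyConstants.Resources resourceType) {
        Map<String, Object> attrs = new HashMap<String, Object>();
        // Fail closed: if membership cannot be determined, report the value the deny
        // policy matches on, so a lookup error never grants extra privileges.
        String value = "delegated";
        try {
            value = isMemberOf(subjectId, DELEGATED_ROLE) ? "delegated" : "full";
        } catch (Exception e) {
            LOG.warning("Role lookup failed for subject " + subjectId + "; treating as delegated: " + e);
        }
        attrs.put(ATTR_NAME, value);
        return attrs;
    }

    // Resource attributes: this use case needs none; return an empty map rather than null.
    public Map<String, Object> resolveResourceAttributes(String subjectId, PolicyConstants.Resources resourceType, String resourceId) {
        return new HashMap<String, Object>();
    }

    // Assumed lookup through OIM's RoleManager; verify the method signature and whether
    // subjectId is the user key or the login name in your OIM version.
    boolean isMemberOf(String userKey, String roleName) throws Exception {
        RoleManager rm = Platform.getService(RoleManager.class);
        List<Role> roles = rm.getUserMemberships(userKey, true); // true = include inherited roles
        for (Role r : roles) {
            if (roleName.equals(r.getName())) return true;
        }
        return false;
    }
}
```

The APM policy from step 4 then denies the selected privileges when oimUserAdminType equals "delegated"; test it with one user inside and one outside the role before deploying the plug-in to production.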


• Function Security

  • Who can perform what actions?

  • Tool: OES/APM

  • Customizable: Customers can change OOB seeded security policies

• Data Security

  • Who can perform actions on what data?

  • Tool: OIM Admin Role Assignment

• Data Scoping

  • Data is secured by publishing it to a set of orgs

  • Admin Roles are assigned in the scope of an organization

  • Users with "admin roles" in an org can perform allowed functions on data published to that org

  • Both publishing and delegation are organization hierarchy aware

Enhanced Security Architecture


• The OIM Self Service console has ADF security enabled, which means access to all task-flows and page definitions is governed by ADF Security policies defined in the JAZN file.

• All OOTB OIM task-flows must be protected by defining them as a resource and adding them to the JAZN file with appropriate permissions granted to application roles. There are two special roles, authenticated-user and anonymous-user.

• If the logged-in user does not have permission to perform an action according to his admin roles, then the action (menu, button, or link) is either disabled or not visible to the user in the UI. This is enforced with EL expressions in the ADF UI. For example, to check whether the user has permission to create a user, the EL expression is:

<af:commandNavigationItem rendered="#{oimuser.create.allowed}" />

Enhanced Security Architecture Functional Security


Oracle Proprietary and Confidential © 2011 Page 50 Oracle Internal Use Only
