Oracle® Access Manager Access Administration Guide
10g (10.1.4.3)

Part Number E12488-01

2 Configuring Access Administrators and Server Settings

This chapter explains how to assign Access System administrators and manage other server settings. Included here are the following topics:

For more information about managing the Access System, see:

2.1 Prerequisites

Oracle Access Manager 10.1.4 should be installed and set up as described in the Oracle Access Manager Installation Guide. The Oracle Access Manager Introduction provides an overview of Oracle Access Manager not found in other manuals. Also, familiarize yourself with the Oracle Access Manager Identity and Common Administration Guide, which provides a brief review of Access System applications and installation and describes functions that are common to the Access and Identity Systems, including defining logging, auditing, and password policies.

2.2 Configuring Access Administrators

The Access System enables the protection of online resources by enforcing policy-based authentication and authorization rules. The Access System also enables Web single sign-on.

In addition to the Master Administrator, there are two types of administrators who can configure and manage the Access System:

Table 2-1 summarizes the privileges of these types of administrators. Master Access Administrators automatically have these privileges while Delegated Access Administrators must be explicitly granted these privileges:

Table 2-1 Table of Administrative Privileges

Privilege | Description | Who Performs This Task
Generate a shared secret | Create a cryptographic key that encrypts single sign-on cookies. See "Creating a Shared Secret Key". | Master Access Administrator
Configure the Master Audit Rule | The Access System does not log any audit information to the audit log file until a Master Audit Rule exists. See "About the Master Audit Rule". For more information about logging, see the Oracle Access Manager Identity and Common Administration Guide. | Master Access Administrator
Flush the password policy cache | See "Flushing Password Policy Caches". | Master Access Administrator
Manage AccessGates | View, create, and configure one or more instances of an AccessGate. See "Configuring AccessGates and WebGates". | Master or Delegated Access Administrator
Manage Access Servers | Configure an Access Server to communicate with AccessGates and a directory server. See "Configuring Access Servers". | Master or Delegated Access Administrator
Manage Access Server clusters | See "Managing Access Server Clusters". | Master or Delegated Access Administrator
Manage Authentication Schemes | Authentication is the process of proving that a user is who he or she claims to be. See Chapter 5, "Configuring User Authentication". | Master or Delegated Access Administrator
Manage Authorization Schemes | Authorization is the process of determining whether a user has the right to access a requested resource. See Chapter 6, "Configuring User Authorization". | Master or Delegated Access Administrator
Manage Host Identifiers | Define the names by which users can address a host. See "Configuring Preferred HTTP Hosts, Host Identifiers, and Virtual Web Hosts". | Master or Delegated Access Administrator
Manage Resource Type definitions | Define the kind of resource to be protected, including its associated operations. See "Default Resource Types". | Master or Delegated Access Administrator
Manage User Configuration | Create and modify the list of users who are prohibited from accessing any of your resources (the revoked user list), and flush these users from the cache. See "About Access System Configuration and Management". | Master or Delegated Access Administrator

The following sections describe how to configure these administrators and delegate administrative tasks. You complete these tasks using the Access System Console, System Configuration function.

Note:

Delegating administrative responsibilities for a policy domain is somewhat different from the delegation of other responsibilities. See "Delegating Policy Domain Administration" for details.

2.2.1 Configuring Master Access Administrators

Only Master Administrators can create Master Access Administrators. A Master Access Administrator can perform any function in the Access System except for creating other Master Access Administrators, and can delegate administrative functions.

Note:

You must be a Master Access Administrator to create a shared secret key that encrypts single sign-on cookies. You should generate a cryptographic key as soon as possible after installing Oracle Access Manager, otherwise a less secure default is used. See "Creating a Shared Secret Key".

To add a Master Access Administrator

  1. From the Access System Console, select System Configuration, then click the Administrators link in the left navigation pane.

    The Configure Administrators page lists current Master Access Administrators.

  2. Click the Master Access Administrators link.

    The Modify Master Access Administrators page appears.

  3. Click Select User.

    A page appears that contains search fields.

  4. Use the search fields to select the people that you want.

    The search fields consist of attributes that you want to search, search criteria such as "contains," and search strings or partial strings. Select the number of search results that you want to view at a time and click Go.

  5. Click Done to return to the Modify Master Access Administrators page.

    The names of any new people you chose using the Selector are displayed in the Modify Master Access Administrators page.

  6. Use the checkboxes to deselect any names that you need to remove from your list.

  7. Review your selections to ensure that your list is complete.

  8. Click Save to save the changes (or Cancel to exit without changing).

2.2.2 Configuring Delegated Access Administrators

When the responsibility for managing the Access System falls on a few people, you may want these people to appoint others to share the work. People currently responsible for resources generally know best to whom to delegate responsibility. The ability to delegate Access System administration to other people enables you to scale administration of your resources, empowering those closest to the resources and most knowledgeable about them to manage them.

A Master Access Administrator can create a group of users and assign administrative rights to the group. The Master Access Administrator can assign the same administrative rights to multiple groups. For example, Group1 and Group2 can both be assigned the right to manage Access Servers.

The following functions can be delegated:

  • Add, modify, delete AccessGate configurations.

  • Add, modify, delete Access Server configurations.

  • Add, modify, delete Access Server clusters.

  • Add, modify, delete authentication schemes.

  • Add, modify, delete authorization schemes.

  • Add, modify, delete host identifiers.

  • Add, modify, delete resource type definitions.

  • Modify the revoked user list.

    To manage the revoked user list, a delegated administrator must have access to the searchbase containing the entry for the user and must have appropriate attribute read permissions.

You can add a user to multiple groups. For example, if you create one group of Delegated Administrators to manage authentication schemes and authorization schemes, and another group to manage Access Servers and Access Server clusters, the same user can belong to both groups.

When an administrator performs certain tasks, Oracle Access Manager creates an informational log. See the Oracle Access Manager Identity and Common Administration Guide for details.

Policy domain administration can also be delegated. See "Delegating Policy Domain Administration" for details.

Note:

A delegated administrator can be assigned to a resource type before any host IDs are set. However, if the host IDs are defined at a later time, the delegated administrator will no longer be able to add resources to the policy domain. The Master Administrator will need to reassign the delegated administrator to a policy domain that has the associated host identifier to enable the delegated administrator to add resources to that domain.

2.2.3 Creating a Group of Delegated Access Administrators

The following procedure illustrates how to add Delegated Administrators to the Access System.

To create a group of Delegated Access Administrators

  1. From the Access System Console, click System Configuration, then click the Administrators link in the left navigation pane.

    The Configure Administrators page appears.

  2. Under the title Groups of Delegated Administrators, click the Add button.

    The Create a New Group of Delegated Administrators page appears. You can complete all information requested or create an empty group with no administrative rights or members.

  3. Provide the information requested, for example:

    Name: A name for this group

    Description: Optional description

    Administrative Rights: Select the rights you want to give to this group

  4. Click the Select User button, beside the Members label, to display the Selector.

  5. Use the Selector to add people to this group, then click Done when you are finished to return to the Create a New Group of Delegated Administrators page.

  6. Click Save to complete the process.

2.2.4 Modifying a Group of Delegated Administrators

The following procedure illustrates how to alter a group of Delegated Administrators in the Access System.

To modify a group of delegated administrators

  1. From the Access System Console, click the System Configuration tab, then click the Administrators link in the left navigation pane.

  2. Click the link for the group to modify.

    The Modify Group of Delegated Administrators page appears.

  3. Click Modify.

    The page changes to show editable fields for group name, description, and so on.

  4. Make your changes and click Save.

2.3 Managing Server Settings

The Access System Console, System Configuration function, enables you to view and alter Access Server and directory server settings, configure an SSO Logout URL, and configure email addresses for user feedback. The following topics are covered:

Note:

Only Master Administrators can alter these settings.

2.3.1 Viewing Server Settings

You use the Access System Console to view server settings for items such as email addresses, directory servers, and the SSO logout URL.

To view server settings

  1. Launch the Access System Console.

  2. Click System Configuration, then select Server settings.

    The View Server Settings page appears.

2.3.2 Customizing Email Addresses

You use the Customize Email function to specify email addresses for user feedback.

The end user accesses email addresses by clicking the About link at the top of the page, then clicking Submit Admin Feedback or Submit Oracle Feedback.

To customize email

  1. In the Access System Console, click System Configuration, then select Server settings.

    The View Server Settings page appears.

  2. Click Customize Email to display this page.

    [Image of Customize Email dialog]

  3. Type email addresses in the following fields:

    Address | Description
    Email address for Bug Reports | Change this address to a person or alias in your organization who can either solve the problem or contact Oracle for help.
    Email address for User Feedback | When a user submits an Oracle Feedback form, the data is sent to the address specified. The default is feedback@Oracle.com.
    Webmaster's Email address | When a user submits an Admin Feedback form, the data is sent to the address specified. The default is webmaster@company.com.

  4. Click Save to save your changes (or Cancel to exit without saving).

  5. Restart your Web server.

2.3.3 Configuring a Single Sign-On Logout URL

Single sign-on (SSO) is the ability to access multiple resources with a single login. The Access System performs single sign-on for users by setting an ObSSOCookie for each user or application that accesses a resource protected by the Access System. The ObSSOCookie enables users to access other resources protected by the Access System that have the same or a lower authentication level. See Chapter 7, "Configuring Single Sign-On" for details.

You can configure a single sign-on logout URL and an associated logout page to remove the ObSSOCookie. This forces the user to re-authenticate the next time he or she accesses a resource protected with the Access System.

Oracle provides a logout.html page that is presented to users upon logout and that runs the function that removes session cookies. This form is located in:

PolicyManager_install_dir/access/oblix/lang/en-us/logout.html

For information on configuring this logout page or creating a custom one, see "Configuring Logout". This section only discusses the logout URL.

If you have multiple languages installed, you can configure the single sign-on logout URL to point to the logout.html file in the language of the user's browser. To do so, include the %lang% parameter in the single sign-on logout URL; the Access System replaces %lang% with the browser's language at run time. For example, a logout URL that uses %lang% in place of en-us in the path above resolves to the en-us logout.html for a browser whose language is en-us.
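The following is an added example; it is not Oracle's logout.html and not code from this guide. It models the two behaviours described above: resolving a %lang% logout URL from the browser's Accept-Language header (the fallback to en-us and the same-base-language matching are this example's assumptions, not documented Access System behaviour), and a client-side logout that expires the ObSSOCookie. The domain .example.com is a placeholder for the cookie domain your WebGate actually sets, and the cookie-jar object used to exercise the code stands in for document.

```javascript
// Added example (not Oracle's logout.html). Models (1) how a %lang% logout
// URL is resolved per browser language and (2) what a logout page must do
// on the client to remove the ObSSOCookie.

const DEFAULT_LANG = "en-us"; // assumption: fallback when no installed language matches
const SSO_COOKIE = "ObSSOCookie";

// Parse an Accept-Language header into [tag, q] pairs, most preferred first.
function parseAcceptLanguage(header) {
  return (header || "")
    .split(",")
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const [tag, ...params] = part.split(";").map((s) => s.trim());
      let q = 1;
      for (const p of params) {
        const m = /^q=([0-9.]+)$/i.exec(p);
        if (m) q = parseFloat(m[1]);
      }
      return [tag.toLowerCase(), q];
    })
    .filter(([, q]) => q > 0)
    .sort((a, b) => b[1] - a[1]);
}

// Substitute %lang% with the first browser language that is installed,
// accepting a same-base-language directory (fr-ca -> fr-fr) before falling
// back to DEFAULT_LANG. These matching rules are this example's assumption.
function resolveLogoutUrl(template, acceptLanguage, installedLangs) {
  const installed = installedLangs.map((l) => l.toLowerCase());
  let chosen = DEFAULT_LANG;
  for (const [tag] of parseAcceptLanguage(acceptLanguage)) {
    if (installed.includes(tag)) { chosen = tag; break; }
    const base = tag.split("-")[0];
    const partial = installed.find((l) => l.split("-")[0] === base);
    if (partial) { chosen = partial; break; }
  }
  return template.replace(/%lang%/g, chosen);
}

// The document.cookie assignment that expires one cookie. Browsers delete a
// cookie only when name, path and domain all match the cookie that was set.
function expiredCookie(name, domain, path = "/") {
  let s = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}`;
  if (domain) s += `; domain=${domain}`;
  return s;
}

// Expire the SSO cookie for the current host and for each cookie domain the
// WebGate may have used. Returns the assignments made, for inspection.
function expireSsoCookies(doc, domains, name = SSO_COOKIE) {
  const written = [];
  for (const domain of [null, ...domains]) {
    const assignment = expiredCookie(name, domain);
    doc.cookie = assignment;
    written.push(assignment);
  }
  return written;
}

// True when no cookie of that name is still visible to the page.
function ssoCookieCleared(doc, name = SSO_COOKIE) {
  return !doc.cookie
    .split(";")
    .some((c) => c.trim().startsWith(name + "="));
}

if (typeof document !== "undefined") {
  // In a browser: ".example.com" is a placeholder for the WebGate's cookie domain.
  expireSsoCookies(document, [".example.com"]);
  if (!ssoCookieCleared(document)) {
    console.warn(SSO_COOKIE + " still present; check cookie domain/path or HttpOnly");
  }
}
```

A cookie is removed only when name, path and domain match the values the WebGate set, so a logout page that expires only the host cookie can leave a domain-wide ObSSOCookie in place; inspecting document.cookie afterwards, as ssoCookieCleared does, catches that. If the ObSSOCookie was set with the HttpOnly flag, script cannot read or expire it at all, and logout has to be completed by a server response that clears the cookie.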

Note:

If you use the Basic Over LDAP authentication scheme on some versions of Internet Explorer, you may experience unexpected results with the single sign-on logout URL. Internet Explorer caches user credentials when a Basic Over LDAP authentication scheme is used. For some versions of Internet Explorer, this means that users can continue to access resources after logging out. If you experience this problem with the single sign-on logout URL, Oracle recommends that you use a Form over LDAP authentication scheme.

To configure the SSO Logout URL

  1. In the Access System Console, click System Configuration.

  2. Click Server Settings in the left navigation pane.

  3. Click the Configure SSO Logout URL link.

    The Configure SSO Logout URL page appears.

    [Image of configure SSO logout URL page]

  4. Choose the option you want:

    • If you use a third-party program for logging users out, select No SSO Logout URL.

    • If you want the Identity System and Access System to call this page automatically when the user clicks Logout, select URL.

    Note:

    You must manually create a link to this logout.html page from other resources that are protected by the Access System. Create the link on the pages that you want to contain the logout feature.

  5. Click Save.

  6. Flush the Access Server cache after changing the SSO Logout value.

    See "Automatic Access System Cache Flush" for more information.

  7. Flush the Identity Server cache after changing the SSO Logout value.

    For more information about managing Identity Server caches, see the Oracle Access Manager Identity and Common Administration Guide and the Oracle Access Manager Deployment Guide.

2.3.4 Configuring the Directory Server

You use the Directory Server Configuration page to modify various directory server settings using the Access System Console. This is similar to modifying Directory Server details using the Identity System Console, as discussed in the Oracle Access Manager Identity and Common Administration Guide. Directory server details available in the Access System Console include those for configuration data and policy data.

To configure the directory server

  1. From the Access System Console, click System Configuration, then click Server settings.

    The View Server Settings page appears.

  2. Click the Directory Server link.

    The Directory Server Configuration page appears. The page is divided into two areas: one for configuration data and one for policy data.

    [Image of directory server configuration page]

    The configuration base identifies the location of all Oracle Access Manager-specific information, and the policy base identifies the location in the DIT under which all Access System policy data is stored. Neither value can be changed on this page.

    Note:

    If you change the information in any field marked with an asterisk (*), you must repeat product setup as described in the Oracle Access Manager Identity and Common Administration Guide.

  3. Specify configuration information for configuration data, as shown in the following table.

    Field | Description
    Machine(*) | Name or IP address of the computer where the directory server managing the user data, configuration data, or policy data is installed
    Port Number(*) | Port number on which the directory server managing the user data, configuration data, or policy data is listening
    Root DN(*) | Root DN of the directory server, the identity the Access System binds with
    Root Password | Root password of the directory server
    Directory Server Security Mode(*) | Security mode the directory server uses to protect its communications

  4. Specify configuration information for Policy data, as shown in the previous table.

  5. Click Save to save your changes (or Cancel to exit without saving).