Security

Authentication

OIPA authenticates both interactive users, who access the system through an Internet browser, and web service calls. Interactive users are prompted to provide a user name and password on the application's login page; these are then sent to the server. The web services are protected with WS-Security, which requires incoming web service calls to carry a security header with the user name and password. The password can be sent as a digest or as text.
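How the two password forms look inside the security header, as an added example that is not Oracle's or OIPA's code: it follows the OASIS UsernameToken Profile 1.0, where the digest is Base64(SHA-1(nonce + created + password)). The function names and the `lookup_secret` callback (which assumes the server can obtain the shared secret) are assumptions and do not describe OIPA's authentication service.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
NS = {"wsse": WSSE, "wsu": WSU}

def password_digest(nonce, created, password):
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_security_header(user, password, use_digest=True):
    # Client side: the wsse:Security header attached to a SOAP call.
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = user
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password")
    if use_digest:
        nonce = os.urandom(16)
        created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        pw.set("Type", PROFILE + "#PasswordDigest")
        pw.text = password_digest(nonce, created, password)
        ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
        ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    else:
        pw.set("Type", PROFILE + "#PasswordText")  # cleartext on the wire
        pw.text = password
    return ET.tostring(sec, encoding="unicode")

def verify_security_header(header_xml, lookup_secret):
    # Server side. lookup_secret(user) is a hypothetical callback returning the
    # shared secret or None; it is an assumption, not OIPA's service.
    tok = ET.fromstring(header_xml).find("wsse:UsernameToken", NS)
    if tok is None:
        return False
    pw = tok.find("wsse:Password", NS)
    secret = lookup_secret(tok.findtext("wsse:Username", "", NS))
    if pw is None or pw.text is None or secret is None:
        return False
    expected = secret  # PasswordText is the profile's default Type
    if pw.get("Type", "").endswith("#PasswordDigest"):
        try:
            nonce = base64.b64decode(tok.findtext("wsse:Nonce", "", NS))
        except ValueError:
            return False
        expected = password_digest(nonce, tok.findtext("wsu:Created", "", NS), secret)
    return hmac.compare_digest(pw.text.encode(), expected.encode())
```

The text form exposes the password to anything that can read the message, so it depends on transport encryption; a production verifier for the digest form would also reject stale Created timestamps and previously seen nonces, which this example omits.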

Both web service and user authentication are implemented through the same authentication service, which is provided by the business logic tier of the OIPA application. The authentication service retrieves the matching user record from the OIPA database; the record contains basic user information and a secure digest of the password. The stored password digest is then compared to the digest of the incoming password, and the authentication decision is based on the result of the comparison. User records in the OIPA database are usually created by the Rules Palette.

Using OIPA extensions, it is possible to implement alternative methods of user authentication to satisfy specific security requirements of a particular customer.

User Privileges and Role-Based Security

The OIPA implementation of user privileges and access restrictions is based on the role-based access control (RBAC) model. In this model, permissions are assigned to specific roles or groups that are created for various job functions. A user who is assigned particular roles gains, through those roles, permission to perform particular system functions. A user may belong to multiple groups, in which case the user is granted access to all resources authorized across those groups.

For example, users who are assigned to the CSR group (or have the CSR role) may not be able to execute activities such as issuing a policy or paying a death benefit. An Underwriter should be able to issue a policy. An administrator group is usually allowed access to all resources.

The following diagram shows what application resources are protected by the OIPA security:

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.