Student Guide - Oracle Identity Analytics 11gR1 Administration

Oracle Identity Analytics 11gR1: Administration

Student Guide

D68340GC20

Edition 2.0

December 2010

D71223

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS. The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Enterprise Role Management 1-14

Enterprise Role Management Categories 1-15 Oracle Identity Analytics 1-17

Oracle Identity Analytics Features 1-18

Practice 1 Overview: Installing the Software 1-31

2 Building the Identity Warehouse

Applications 2-17

Resources 2-18

Attributes 2-19

Populating the Identity Warehouse 2-20

Populating Data Manually 2-21

Adding Additional Data Elements 2-22

Importing Data (Bulk Load of Data) 2-23

Configuring a Provisioning Server 2-24

Provisioning Server Parameters 2-25

Importing from File Processing 2-27

Importing from File: Rules 2-29

Debugging Import Errors 2-30

Debugging Import Errors Exception 2-31

Job Scheduling 2-32

Job Scheduling Through the GUI 2-33

Job Scheduling Through Direct Edit 2-34

Database Entries for Job Scheduling 2-37

Summary 2-39

Practice 2 Overview: Importing and Setting Up Identity Warehousing 2-40

3 Configuring Security

Objectives 3-2

Oracle Identity Analytics Users (OIA Users) 3-3

Oracle Identity Analytics Roles (OIA Roles) 3-5

OIA Role Creation 3-7

OIA Role Visibility 3-8

OIA Users/Roles Database Tables 3-9

Proxy Assignments 3-10

Alternate Credential Store 3-11

Summary 3-12

Practice 3 Overview: Configuring Security 3-13

4 Configuring Identity Certification

Policy Violation States 5-13

Audit Policy Actions 5-14

Job Scheduling 5-15

Event Listeners 5-16

Summary 5-17

Practice 5 Overview: Configuring Auditing 5-18

6 Performing Role Mining

Objectives 6-2

Role Management 6-3

Role Mining (Role Discovery) 6-4

Approaches to Role Mining 6-5

The Wave Methodology 6-7

The Wave Methodology (Step 1 of 7) 6-8

The Wave Methodology (Step 2 of 7) 6-11

The Wave Methodology (Step 3 of 7) 6-12

The Wave Methodology (Step 7 of 7) 6-19

Accessing Role Mining 6-21

Performing Role Mining 6-22

Role Mining: Minable Attributes 6-23

Role Mining: General Information 6-25

Role Mining: User Selection 6-26

Role Mining: Basic Parameters 6-27

Role Mining: Advanced Parameters 6-28

Role Mining: Preview 6-30

Role Mining: Execution 6-31

Role Mining: Users In Roles 6-32

Role Mining: Classification Rules 6-33

Role Mining: Mining Statistics 6-34

Role Mining: Roles 6-35

Role Mining: Role Mining Reports 6-37

Entitlements Discovery 6-38

Accessing Entitlements Discovery 6-39

Performing Entitlements Discovery 6-40

Entitlements Discovery: Strategy 6-41

Entitlements Discovery: Role/Users 6-42

Entitlements Discovery: Entitlements 6-43

Entitlements Discovery: Verification 6-45

Best Practices 6-46

Summary 6-47

Practice 6 Overview: Role Engineering 6-48

7 Performing Role Lifecycle Management

Objectives 7-2

Role Management Activities 7-3

Role Lifecycle Management 7-4

Role Engineering (Definition) 7-5

Role Maintenance (Refinement) 7-6

Examples of Change Events 7-7

Role Certification (Verification) 7-8

Workflows 7-9

Default Workflows 7-10

Business Structure Reports 8-7

Business Structure Roles Report 8-8

Creating Custom Reports 8-9

Executing Custom Reports 8-11

Summary 8-12

Practice 8 Overview: Generating Reports 8-13

Introducing Oracle Identity Analytics 11gR1

Objectives

After completing this lesson, you should be able to answer the following questions:

• How are regulatory compliance mandates affecting companies today?

• How are companies dealing with compliance?

• What is a role, and how can role-based access control solutions help achieve compliance?

• What is the difference between a role management solution and a user provisioning solution?

Organizational Pressures

Companies face multiple, multifaceted business challenges in which the management of employees’ and partners’ access to enterprise resources is vital. Foremost among these is the challenge of complying with an ever-growing number of regulations that govern the integrity and privacy of enterprise data. With the need to protect data comes the need to closely manage access to it. This involves knowing at all times who has access to corporate resources and whether their access is appropriate. Companies then need to provide documentation of this information in the event of an audit.

Compliance is not the only challenge in today’s enterprise. Even more critical is the need to operate an agile business that can respond quickly and competitively to business opportunities and competitive threats. Operating such a business while remaining compliant is a tall order. A major concern is how to achieve a balance between implementing new functionality while managing risk and still keeping costs under control. Companies are looking to spend “just enough” to pass an audit and lower their risk. Companies want to reduce existing costs associated with audits while still making the process more efficient, accurate, and repeatable, thereby balancing their efforts.

Slide: How can you achieve an acceptable balance between functionality, risk, and cost? Security: minimize risk or detect inside threats. Regulatory compliance: European Data Protection Directive, Health Insurance Portability & Accountability Act (HIPAA), Gramm-Leach-Bliley Act. Improve quality of service.

Controlling System Access

Studies have shown that 70 percent of all security threats are caused by insiders (employees or contractors). This number consists of breaches that were caused by employees with malicious intentions, as well as by well-intentioned personnel who simply made mistakes. Irrespective of the nature of the breach, companies must control access to system resources in order to protect their business, corporate information, or even trade secrets.

Concerns about threats from insiders fall into three main categories:

• Loss of Business Continuity

Disruptive events such as hardware failures, an act of nature such as a flood, or even denial-of-service attacks impact a company’s ability to maintain business flow. When such an event occurs, companies face large losses because they are not able to process orders or access vital resources.

• Loss of Trade Secrets

Companies have a responsibility to their shareholders, employees, and customers to

Slide: Controlling System Access. Insider threat concerns: loss of business continuity; loss of trade secrets; loss of sensitive customer or employee data. Regulations: the Sarbanes-Oxley Act of 2002; the Gramm-Leach-Bliley Act; the Health Insurance Portability and Accountability Act; the Payment Card Industry Data Security Standard.

Controlling System Access (continued)

• Loss of Sensitive Customer or Employee Data

Protection of customer or employee data is one of the main drivers of regulatory compliance, and companies have a fiduciary responsibility to protect this information. However, more and more companies are making headlines as sensitive personal information is stolen, lost, or inadvertently published to corporate Web sites. Companies realize they need adequate access control practices to reduce these risks.

In addition to insider threats, companies are forced to comply with one or more regulations that require a review of access and access control processes. In essence, companies are being forced into compliance. Regardless of whether a company must adhere to SOX/Cobit, PCI, HIPAA, GLBA, or Basel II, it needs to understand the current access held by individuals inside and outside the company, and the current access control process. It also needs to be able to rapidly generate the evidence and related artifacts to determine user access and pass an audit.

Achieving Compliance

Slide fragment: identification and management of user access rights.

– What resources does a user have an account on?

– Does the user require an account on that system?

– What are the user’s capabilities on that resource?

– Who authorized or created the user’s account?

– Does the user’s presence violate any business or security policies?

A common theme behind a company’s ability to achieve compliance involves its ability to ascertain all the systems that a user has access to, what capabilities or access rights the user has on those systems, and who authorized or created the account on that system. Additionally, a company needs to determine whether the user actually requires access to those systems to perform his or her job and whether his or her presence on one or more of those systems violates any business or security policies.

So how do companies determine this information today? The next few pages show one such solution.

Manual Processing

Problems with This Approach

This slide shows some of the problems associated with using a manual approach to compliance.

• Manual processes lead to human errors and extra work.

• Reviews are not performed in a timely manner and, in general, managers do not seem to want to be involved in the process.

• Spreadsheets are difficult to manage, are time consuming, do not easily allow for version control, and do not provide a method for looking back in time to determine who had access at that time.

• It is extremely difficult or impossible to perform continuous monitoring of exceptions when information is kept in a spreadsheet.

• It is difficult to assign roles to existing users and remove exceptions when violations are detected.

Roles

Slide diagram labels: Bank Teller, Role 1, Role 2.

A role is a grouping of entitlements across a set of resources. This grouping mechanism enables you to associate access rights to computing resources based on a user’s job function.

In a financial institution, for example, roles might correspond to job functions such as bank teller, loan officer, branch manager, clerk, accountant, or administrative assistant. Persons in these job functions require access to a specific set of resources to perform their jobs, and their privileges on these resources might differ based on their job function as well.

Roles can be shared among users as necessary. In this slide, the Branch Manager has access to the systems defined within two different roles (Role 1 and Role 2). The Bank Teller, however, has access only to the systems defined in Role 2. Assignment of multiple roles to a user is acceptable as long as that assignment does not violate any corporate business or security policies.

Role Benefits

A role-based access control (RBAC) model provides a structure that can be used to address compliance. By coupling access requirements to users based on organizational information (such as job title, employee code, or business unit), roles enable business managers to provide users with the access they need without violating business or security policies.

Roles provide the following benefits. Roles:

• Define the model for access. Access requirements are often difficult to understand. Managers simply do not know which groups within Active Directory their employees need to perform their duties, and employees do not know what level of access to request.

• Define the structure for access. A role can encapsulate access requirements for a particular job function (Business Role), an application function such as “create vendor” (IT Role), or a temporary project membership (Auxiliary Role). In all cases, when the role content is agreed upon by the business, the business owners can also define the “friendly description,” the owner, and even the population who can have or request the role. All

Role Benefits (continued)

• Provide evidence of compliance. Auditors need to easily understand the access controls and processes in your organization. Having a defined set of roles (that is utilized across the identity and access management program) will greatly advance your ability to prove that you have compliant processes.

• Bridge the gap between business and information technology. Roles bridge the communications gap between business and IT. The role definition process itself requires input from both business and IT personnel, and the result is a defined set of roles that encapsulates business requirements.

• Provide controls. Roles provide known and approved levels of access for a job title or job function. Because roles are engineered and reviewed, they should not provide any access that violates separation of duties (SoD) policies. Additionally, with defined roles, provisioning operations and services could be limited to allow only role-based access allocation, thereby increasing control and decreasing risk.

• Facilitate valid requests from employees. With clearly defined roles, employees can easily understand and request access to the applications and data that they need. For example, Bob might be added to Project Team 7 and need to request access defined for that project, or he might want read-only access to product-line financial data to perform some analysis. These roles (business or IT) should be available and understandable.

Enterprise Roles

Utilization of roles across the enterprise provides benefits across multiple lines of business.

• Information Technology (IT)

The IT department can use roles during the provisioning process to ensure that users have access to the correct resources. During provisioning, an automated or manual process can assign access based on roles. This makes access assignment logic easier to develop and maintain, and makes self-service requests for access by employees easy to understand.

Additionally, IT departments can control access to systems based on role definitions. During policy evaluations for real-time access management, being able to define policies based on roles is more efficient than policies based on fine-grained attributes.

Finally, roles reduce the risk associated with access control. IT is often responsible for the risk associated with access control. With well-defined roles, access control increases, and risk decreases.

Enterprise Roles (continued)

Business managers are often tasked with requesting and approving access to resources for their direct reports. In many cases, the business managers do not understand what access is actually required or even appropriate. This leads to copy/paste entitlements (access based on another user’s rights) or an accumulation of entitlements over time. Roles provide a method for defining resource access based on business terminology rather than technical terms. When they request or approve access, business managers can be assured that the access would be adequate based on their needs, and that it would be provided in a timely manner.

Business managers can also be assured that during the audit process, they can better understand access requirements and can attest to access based on role definitions already in place.

• Auditors

Auditors, like employees, need to understand how access is defined, granted, and removed, and a business-friendly context is easier to understand than the cryptic IT entitlements.

When determining access control compliance, auditors can review the defined roles, an individual’s assigned roles, and an individual’s assigned access outside of the defined roles. This makes the review process more efficient and accurate.

By defining, utilizing, and periodically verifying roles, you are establishing controls that prove to auditors that a repeatable, sustainable process for access control exists.

Enterprise Role Management

Enterprise role management (ERM) provides a strong technology solution for access certification and segregation of duties enforcement. With such a solution in place, you can drastically reduce the cost for audit preparation by easily answering the questions most often asked by auditors.

• Who is accessing what data and applications?

To improve security, you must first understand your current level of security as it pertains to entitlements. After locating where inappropriate access is present, you can determine how it was granted and adjust the processes that provisioned the access. This gives you the ability to evolve your controls and increase your proactive and reactive security processes.

• Who approved the access assigned to users?

Improved security lowers your risk and protects your company from threats originating from inappropriate access (such as data breaches). Strong access control governance through roles is a key component in protecting critical applications and data from both internal and external threats.

Enterprise Role Management Categories

Enterprise Role Management consists of four main categories: role mining, attestation, role management, and provisioning integration.

• Role Mining

Role mining is the widespread discovery of application-level entitlements. The role mining process discovers relationships between users based on similar access permissions that can logically be grouped to form a role. Role engineers can specify the applications and attributes that will return the best mining results. Role mining is also called role discovery.

• Attestation

Attestation is the process of certifying access and entitlements across one or more resources. Attestation involves a certification review process where an individual (business manager or resource owner) confirms that the right users have the right access on the right resources. Organizational changes should be reflected in a user’s entitlements because the user is either granted additional access or denied access due to job changes. As such, attestation should be performed on an ongoing basis and should be automated where possible.

Enterprise Role Management Categories (continued)

• Role Management

Role management involves the grouping and management of application-level entitlements into enterprise roles. Role definitions consist of the grouping of entitlements across one or more resources. These roles are then associated with organizational structures such as job titles, employee codes, or departments. A user is granted access to resources based on a role definition and as such, roles themselves need to be periodically reviewed and recertified.
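The role-mining category described above, as an added worked example that is not part of this guide or of the Oracle product (the warehouse extract, role names and thresholds are constructed for illustration): users with overlapping access are grouped, every shared entitlement set held by at least `min_users` users becomes a candidate role, and access that no mined role explains is reported as an exception for the role engineer to review.

```python
"""Toy role discovery over a small, constructed identity-warehouse extract.

Each user's access is a set of (resource, entitlement) pairs. The access two
users have in common seeds a candidate role; a candidate survives when enough
users hold all of it. Access no role explains is reported as an exception.
"""
from itertools import combinations

# Constructed sample data (not from any real deployment): user -> entitlements.
WAREHOUSE = {
    "alice": {("AD", "Tellers"), ("CoreBank", "CASH_IN"), ("CoreBank", "CASH_OUT")},
    "bob":   {("AD", "Tellers"), ("CoreBank", "CASH_IN"), ("CoreBank", "CASH_OUT")},
    "carol": {("AD", "Tellers"), ("CoreBank", "CASH_IN"), ("CoreBank", "CASH_OUT"),
              ("CoreBank", "LOAN_APPROVE")},
    "dave":  {("AD", "Loans"), ("CoreBank", "LOAN_CREATE"), ("CoreBank", "LOAN_APPROVE")},
    "erin":  {("AD", "Loans"), ("CoreBank", "LOAN_CREATE"), ("CoreBank", "LOAN_APPROVE")},
    "frank": {("AD", "Loans"), ("CoreBank", "LOAN_CREATE")},
    "grace": {("VPN", "Remote")},
}


def mine_roles(warehouse, min_users=2, min_entitlements=2):
    """Return {role_name: frozenset(entitlements)} for every entitlement set
    shared by at least min_users users and containing at least
    min_entitlements entitlements (the two basic mining parameters here)."""
    users = sorted(warehouse)
    candidates = {}
    for a, b in combinations(users, 2):
        shared = frozenset(warehouse[a] & warehouse[b])
        if len(shared) < min_entitlements:
            continue
        # Members are all users who hold the whole shared set, not just a and b.
        members = frozenset(u for u in users if shared <= warehouse[u])
        if len(members) >= min_users:
            candidates[shared] = members
    # Drop a candidate that is a strict subset of another candidate with exactly
    # the same members: the larger set describes that population better.
    kept = [
        ents for ents, members in candidates.items()
        if not any(ents < other and members == candidates[other] for other in candidates)
    ]
    kept.sort(key=lambda ents: sorted(ents))  # deterministic role numbering
    return {f"ROLE_{i:03d}": ents for i, ents in enumerate(kept, start=1)}


def users_in_roles(warehouse, roles):
    """Map every user to the mined roles whose entitlements they fully hold."""
    return {u: {name for name, ents in roles.items() if ents <= held}
            for u, held in warehouse.items()}


def exceptions(warehouse, roles, assignment):
    """Entitlements not explained by any assigned role: the candidates for an
    auxiliary role or an ad hoc access request in the wave methodology."""
    result = {}
    for u, held in warehouse.items():
        covered = set()
        for name in assignment[u]:
            covered |= roles[name]
        extra = held - covered
        if extra:
            result[u] = extra
    return result


def mining_statistics(warehouse, roles):
    """Summary numbers a role engineer would review before accepting the roles."""
    assignment = users_in_roles(warehouse, roles)
    unexplained = exceptions(warehouse, roles, assignment)
    total = sum(len(held) for held in warehouse.values())
    uncovered = sum(len(extra) for extra in unexplained.values())
    return {
        "roles": len(roles),
        "users": len(warehouse),
        "users_in_roles": sum(1 for assigned in assignment.values() if assigned),
        "users_with_exceptions": len(unexplained),
        "entitlement_coverage": round((total - uncovered) / total, 3),
    }


if __name__ == "__main__":
    mined = mine_roles(WAREHOUSE)
    for name, ents in mined.items():
        print(name, sorted(ents))
    print("exceptions:", exceptions(WAREHOUSE, mined, users_in_roles(WAREHOUSE, mined)))
    print("statistics:", mining_statistics(WAREHOUSE, mined))
```

Raising `min_users` to 3 drops the two-member loan-approver role, which is the kind of threshold tuning the "basic parameters" step of a mining run is about.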

Oracle Identity Analytics

Slide: Oracle Identity Analytics simplifies compliance processes, and aligns with business drivers.

Oracle Identity Analytics (formerly Sun Role Manager, before that Vaau’s RBACx product) provides comprehensive role lifecycle management and identity compliance capabilities to streamline operations, enhance compliance, and reduce costs. Created and developed by Vaau in 2001, Oracle Identity Analytics was the first comprehensive solution in the market. Sun’s acquisition of Vaau in 2007 added a world-class role management solution to its already impressive arsenal of identity management products.

The Oracle Identity Analytics open architecture is both robust and scalable, and has the highest number of managed users for a single deployment (1.1 million identities at a large financial services company). The solution has been audited by all the major audit and regulatory bodies, and is tightly coupled with best practices and proven methodologies.

The Oracle Identity Analytics software has been implemented at numerous client sites across different industries, and analysts such as Gartner and Forrester agree that Oracle Identity Analytics is the leading identity compliance and role management solution on the market today.

Oracle Identity Analytics Features

Slide (A Complete Solution for Simplified Access Control Compliance): Identity Warehouse (BU Model | App Metadata | Glossary; Identity & Access Mgmt Integration; Extract, Transform, & Load (ETL)); Role Framework (Role Maintenance, Role Mining, Role Certification); Access Certification; Dashboard/Analytics; Policy Enforcement; Activity Monitoring; Users, Entitlements, Roles, Policies.

The first key feature to look at is the Identity Warehouse, where users, entitlements, roles, and policies are stored. The warehouse imports this data from identity and access management (IAM) systems using the out-of-the-box connections to such systems and directly from the application infrastructure by using extract, transform, and load (ETL) processes.

The warehouse also serves as the entitlements and roles repository for the enterprise. On top of the user information, you can model business units. Oracle Identity Analytics provides a flexible way to build business units on any logical data construct derived from user identity data. Customers have found this organizational grouping to be very useful to model several business structures or hierarchical business units to meet different needs. For example, a large credit card company decided to model one business structure based on business processes and another based on an organizational chart. The business unit data can be provided as a service to external applications.

Oracle Identity Analytics Features (continued)

The next key feature of the warehouse is application metadata, to which it attributes its flexibility. The metadata is the definition of attributes and the security structure of applications in the infrastructure. The metadata enables you to define the security structure of any application, platform, or database without any coding. You can then define parameters and include constraints on each of the data attributes, which enable you to control how the data will be used. For example, you might import 200 attributes from Microsoft Active Directory, but display only the five key attributes in your certification.

The next key feature is the Glossary, which is highly recommended for certifications. The Glossary is a business-friendly description of entitlement values that can be managed from the user interface of the Identity Warehouse.

Architecture

Oracle Identity Analytics is a Java 2 Platform, Enterprise Edition (J2EE platform) Web application. As such, it is deployed to the Web container of an existing application server. Access to the Oracle Identity Analytics user interface is made through a standard Web browser that uses the HTTP protocol over a particular port (in this case, port 80).

Oracle Identity Analytics data (business structures, users, roles, policies, applications, and resources) is contained in its Identity Warehouse. The Identity Warehouse is an RDBMS that is not included with the Oracle Identity Analytics product. Oracle Identity Analytics does not provide any database services such as replication, backups, and so on. Instead, the database administrator uses the native database tools for this purpose.

The Oracle Identity Analytics software enables you to interface with some resources (such as databases, flat files, and directory servers) through an adapter. Adapters are written in the Java programming language and implement protocols such as Java Database Connectivity (JDBC) and Lightweight Directory Access Protocol (LDAP). Additionally, Oracle Identity Analytics can

Sample Deployment

Slide diagram labels: Web Interfaces; Administrative; Connected Systems; Managed Resources; Nonconnected Systems; Load Balancer / Network Failover Device; Identity Mgr Instances; two Oracle Identity Analytics Application Servers; Identity Whse.

This slide demonstrates a sample Oracle Identity Analytics deployment that includes both connected and nonconnected resources. Connected resources include those systems that Oracle Identity Analytics can communicate with directly, which includes relational databases and directory servers. Nonconnected resources are those systems that Oracle Identity Analytics cannot communicate with directly and require that data dumps be taken on a periodic basis and consumed by Oracle Identity Analytics.

This example also demonstrates integration with a user provisioning solution such as Sun Identity Manager. In the context of Oracle Identity Analytics, this is called a Provisioning Server. The Provisioning Server can be used as an authoritative source of user identities when populating the Identity Warehouse with users. Oracle Identity Analytics can also instruct the Provisioning Server to disable or delete user accounts that are found to be in violation of corporate or security policies through a process called closed-loop remediation.

In this example, there are two instances of Oracle Identity Analytics in a highly available configuration. These instances can be clustered, or you can place a load balancer or network failover device in front of the instances as necessary.

Sample Deployment (continued)

A common deployment scenario is to separate Oracle Identity Analytics instances based on functionality as follows:

• Role Management and Identity Compliance (certification and audit):

This instance requires periodic feeds from resources in order to perform scans for policy violations and might also include connectivity to a Provisioning Server to perform closed-loop remediation. Application and data owners interface to this instance to perform audits and certifications.

• Role Engineering (role mining and entitlement discovery):

This instance can be treated as an offline instance. It does not need to be part of a production server cluster and might even be used as a staging server for the production environment. Role engineering instances require one-time application feeds when performing role mining and entitlements discovery, and the data is locked until the analysis has been completed. This instance is not typically connected to the Provisioning Server, but it could be in order to provide another highly available instance.

Note that both instances point to the same Identity Warehouse. In such architectures, you should consider using database clustering in order to achieve a highly available database solution.

Integration with Provisioning Systems

Slide (Comprehensive Access Control Compliance): Oracle Identity Analytics, Role Life Cycle Mgmt: analysis & definition of identity-based controls, detective identity compliance. Oracle Identity Manager, Identity Life Cycle Mgmt: run-time enforcement of identity-based controls, preventative identity compliance. Shared data: users & accounts; roles, policies, & rules.

Companies need to evaluate access for existing individuals (detective), as well as ensure that all the current identity management processes do not introduce inappropriate access (preventative). By integrating the Oracle Identity Analytics software with a user provisioning solution such as Oracle Identity Manager, companies can enter into audits with the assurance that they have done everything possible to ensure compliance.

Through automation of provisioning processes, such as hiring a new user, handling a job transfer, or terminating a contractor, controls can be defined and enforced much more effectively and consistently than through a manual process.

To ensure that the existing access is appropriate and does not represent “toxic combinations” of access, such as “create vendor” and “pay vendor,” customers require enterprisewide evaluation of detective SoD policies. Additionally, during any provisioning operation, manual or automated, companies want to evaluate preventative SoD policies and ensure that the operation will not introduce any new violations.
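Detective and preventative SoD evaluation as described above, as an added example that is neither this guide's nor Oracle Identity Analytics' code (the roles, users, entitlement names and the single policy are constructed for illustration): the create-vendor plus pay-vendor toxic combination is found in existing access, blocked before a proposed provisioning operation is applied, and the single-grant revocations that would clear it are listed as closed-loop remediation options.

```python
"""Detective and preventative SoD evaluation over a constructed access model.

Access is modelled as roles (sets of entitlements) plus direct grants outside
any role. An SoD policy names two conflicting entitlement sets; a user holding
something from both sides is in violation. The detective scan checks existing
access, the preventative check evaluates a proposed provisioning operation
before it is applied, and the remediation plan lists single revocations that
would clear a user's violations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodPolicy:
    name: str
    left: frozenset   # entitlements on one side of the conflict
    right: frozenset  # entitlements on the other side


# Constructed sample data (not from any real deployment).
ROLES = {
    "AP Clerk":   frozenset({("ERP", "CREATE_VENDOR"), ("ERP", "VIEW_INVOICE")}),
    "AP Manager": frozenset({("ERP", "PAY_VENDOR"), ("ERP", "APPROVE_INVOICE")}),
    "Auditor":    frozenset({("ERP", "VIEW_INVOICE")}),
    # A legacy role that was never reviewed and bundles both toxic entitlements.
    "Legacy AP":  frozenset({("ERP", "CREATE_VENDOR"), ("ERP", "PAY_VENDOR")}),
}
USERS = {
    "alice": {"roles": {"AP Clerk"}, "direct": set()},
    # bob's violation comes from an ad hoc grant outside any role.
    "bob":   {"roles": {"AP Manager"}, "direct": {("ERP", "CREATE_VENDOR")}},
    "carol": {"roles": {"Auditor"}, "direct": set()},
}
POLICIES = [
    SodPolicy("vendor-create-vs-pay",
              frozenset({("ERP", "CREATE_VENDOR")}),
              frozenset({("ERP", "PAY_VENDOR")})),
]


def effective_access(user):
    """Union of the user's role entitlements and direct grants."""
    access = set(user["direct"])
    for role in user["roles"]:
        access |= ROLES[role]
    return access


def violations(access, policies=POLICIES):
    """Names of the policies whose two sides are both present in `access`."""
    return [p.name for p in policies if access & p.left and access & p.right]


def review_roles(roles=ROLES, policies=POLICIES):
    """Role-level check: an engineered role must not itself be a toxic combination."""
    return {name: violations(ents, policies) for name, ents in roles.items()
            if violations(ents, policies)}


def detective_scan(users=USERS, policies=POLICIES):
    """Evaluate the existing access of every user (the periodic scan)."""
    found = {}
    for name, user in users.items():
        hits = violations(effective_access(user), policies)
        if hits:
            found[name] = hits
    return found


def preventative_check(user, add_roles=(), add_direct=(), policies=POLICIES):
    """Evaluate a proposed provisioning operation without applying it."""
    proposed = {"roles": set(user["roles"]) | set(add_roles),
                "direct": set(user["direct"]) | set(add_direct)}
    return violations(effective_access(proposed), policies)


def remediation_plan(user, policies=POLICIES):
    """Single revocations that would clear the user's violations. Direct grants
    are listed first: removing an ad hoc grant is the less disruptive fix."""
    if not violations(effective_access(user), policies):
        return []
    options = []
    for ent in sorted(user["direct"]):
        trimmed = {"roles": user["roles"], "direct": user["direct"] - {ent}}
        if not violations(effective_access(trimmed), policies):
            options.append(("revoke-direct", ent))
    for role in sorted(user["roles"]):
        trimmed = {"roles": user["roles"] - {role}, "direct": user["direct"]}
        if not violations(effective_access(trimmed), policies):
            options.append(("revoke-role", role))
    return options


if __name__ == "__main__":
    print("toxic roles:", review_roles())
    print("detective:", detective_scan())
    print("preventative, alice + AP Manager:",
          preventative_check(USERS["alice"], add_roles={"AP Manager"}))
    print("remediation for bob:", remediation_plan(USERS["bob"]))
```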

Functionality Matrix

Slide: matrix rows: Role Life Cycle Mgmt; User Life Cycle Mgmt; End User Self Service; Identity Compliance Reporting.

Functionality Matrix (continued)

The Oracle Identity Manager software manages users throughout the identity life cycle. It creates, deletes, and modifies accounts on managed resources and can do so by utilizing role definitions created by Oracle Identity Analytics. Oracle Identity Manager can monitor data from one or more identity sources (such as human resource applications or contractor databases) and can provision user accounts based on roles. As such, it is primarily a proactive tool in the hiring process.

Oracle Identity Manager provides an end-user interface that enables employees, contractors, or other users to manage certain attributes (such as mobile phone or password). The primary users of Oracle Identity Analytics are the administrators who support the product and owners who participate in the certification process (nonadministrative users do not access Oracle Identity Analytics directly).

Implementation Methodology

The Wave Methodology for Role Definition

1. Analyze & Prioritize.

   • Prioritize divisions

   • Prioritize applications

2. Build Entitlement Warehouse.

   • Import data

   • Collect and correlate entitlements to identities

   • Form business units

3. Perform Role Discovery.

   • Define role membership

   • Define role entitlements

   • Incorporate suggested changes

   • Submit roles to role owners for approval

6. Analyze/Review Role Exceptions.

   • Handle exceptions via auxiliary roles or ad hoc access requests

7. Finalize Role Exceptions and Certify Roles.

   • Incorporate any remaining changes

   • Finalize role definitions

Implementation Methodology

Managing access based on users’ roles is an efficient, effective alternative to attempting to do the same on a user-by-user basis, which can be virtually impossible when dealing with large numbers of dynamic users. To assist organizations in creating a role-based model for access control, Oracle has developed a wave methodology that breaks users into manageable chunks, or “waves,” for the purpose of defining roles.

The Sun wave methodology breaks large numbers of users into more manageable chunks, or “waves,” for the purpose of defining roles. This is accomplished by first dividing users into business units, which are groupings of people based on their managers, departments, divisions, or other commonalities. These business units are then grouped into different waves (usually four to six business units per wave) that can be prioritized based on the needs of the business. Each wave requires a seven-step process for role definition as shown in the slide.
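The first two stages of the wave methodology, forming business units from identity data and cutting the prioritized units into waves, as an added example in Python. This is illustration code written for this guide, not code from Oracle Identity Analytics; the identity records, the department-priority map, and the wave size of four units are constructed.

```python
"""Forming business units and planning role-definition waves.

Added example, not code from the training guide or from Oracle Identity
Analytics. All identity records and priorities below are constructed.
"""
from collections import defaultdict

# Constructed identity records as they might sit in an entitlement warehouse:
# (user, department, manager).
IDENTITIES = [
    ("u01", "Finance", "mgr_fin"),
    ("u02", "Finance", "mgr_fin"),
    ("u03", "HR", "mgr_hr"),
    ("u04", "Engineering", "mgr_eng_a"),
    ("u05", "Engineering", "mgr_eng_b"),
    ("u06", "Sales", "mgr_sales"),
    ("u07", "Legal", "mgr_legal"),
    ("u08", "Support", "mgr_sup"),
    ("u09", "Marketing", "mgr_mkt"),
]

# Constructed business priority per unit (lower = earlier wave), e.g. set by
# audit exposure of the unit's applications.
PRIORITY = {"Finance": 1, "HR": 1, "Engineering": 2, "Sales": 2,
            "Legal": 3, "Support": 3, "Marketing": 4}


def form_business_units(identities, key=lambda rec: rec[1]):
    """Group identities into business units by a shared attribute.

    The default key groups by department; pass key=lambda r: r[2] to group
    by manager instead. Returns {unit_name: sorted list of user ids}.
    """
    units = defaultdict(list)
    for rec in identities:
        units[key(rec)].append(rec[0])
    return {name: sorted(users) for name, users in units.items()}


def plan_waves(units, priority, per_wave=4):
    """Order business units by priority (ties broken by name) and cut them
    into waves holding at most per_wave units each.

    Units absent from the priority map are treated as lowest priority and
    land in the final wave(s).
    """
    if per_wave < 1:
        raise ValueError("per_wave must be at least 1")
    ordered = sorted(units, key=lambda u: (priority.get(u, float("inf")), u))
    return [ordered[i:i + per_wave] for i in range(0, len(ordered), per_wave)]


def wave_sizes(units, waves):
    """Number of identities per wave, to confirm each chunk stays manageable."""
    return [sum(len(units[u]) for u in wave) for wave in waves]


if __name__ == "__main__":
    units = form_business_units(IDENTITIES)
    waves = plan_waves(units, PRIORITY)
    for n, wave in enumerate(waves, 1):
        print(f"wave {n}: {wave}")
    print("identities per wave:", wave_sizes(units, waves))
```

With the constructed data the two priority-1 and two priority-2 departments fill the first wave and the remaining three form the second; regrouping by manager instead of department splits Engineering into two units, which is the kind of choice the methodology leaves to the business.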

Note: You can obtain more information about Wave Methodology in the lesson titled “Performing Role Mining.” The Wave Methodology white paper can be found at


Oracle Identity Management

Windows through secure, flexible, self-service interfaces

• Oracle Enterprise Single Sign-On Authentication Manager – Enforces security policies and ensures regulatory compliance by allowing organizations to use a combination of tokens, smart cards, biometrics, and passwords for strong authentication throughout the enterprise

• Oracle Enterprise Single Sign-On Provisioning Gateway – Improves operational efficiency by enabling organizations to directly distribute single login credentials to Oracle


Oracle Identity Management

Oracle + Sun Combination

Oracle Platform Security Services

Access Management*: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server

Identity Administration: Identity Manager

Directory Services: Directory Server EE, Internet Directory, Virtual Directory

Identity & Access Governance: Identity Analytics

Operational Manageability: Management Pack For Identity Management

*Access Management includes Oracle OpenSSO STS and Oracle OpenSSO Fedlet.


Oracle Identity Management (continued)

Oracle Identity Federation (OIF):

OIF enables identity providers and service providers to connect seamlessly. It creates trust relationships between partners and agencies by connecting users seamlessly and securely. OIF ensures the interoperability to securely share identities across vendors, customers, and business partners, thus providing cross-domain SSO.

Oracle Adaptive Access Manager (OAAM):

OAAM provides real-time fraud prevention, multifactor authentication, and unique authentication strengthening. OAAM consists of two primary components:

• Adaptive Strong Authenticator, which provides multifactor authentication and protection mechanisms for sensitive information such as passwords, PINs, security questions, account numbers, and other credentials.

• Adaptive Risk Manager, which provides real-time and offline risk analysis and proactive actions to prevent fraud at critical login and transaction checkpoints. Adaptive Risk Manager examines and profiles a large number of contextual data points to dynamically determine the level of risk during each unique login and transaction attempt.

Security Token Service:

STS simplifies the orchestration of standards-based and proprietary tokens between Web services clients and providers, enabling businesses to abstract security from Web services. It provides a solution for abstracting Web services security and handling token issuance, validation, and translation through WS-Trust.

It also provides a means to propagate identity and security information across infrastructure tiers by converting a Web SSO token issued for an enterprise portal to a SAML token that is consumed by applications or Web services.

Fedlets:

A Fedlet is a service provider implementation of the SAML 2.0 SSO protocol. It is a lightweight way for service providers to quickly federate with an identity provider. An 8.5 MB package that identity providers give to service providers enables them to federate back to a company without the need for any additional federation products.

To become federation enabled, the service provider simply adds the Oracle OpenSSO Fedlet to their application and deploys the application. No configuration is required, and it works with both Java and .NET applications. With Fedlets, service providers can consume identity assertions and receive user attributes from OIF.

Oracle Entitlements Server (OES):

OES provides management of fine-grained authorization policies and a standardized enforcement mechanism as an alternative to embedding one-off security within the application.

Oracle Platform Security Services (OPSS):

OPSS provides an abstraction layer in the form of standards-based APIs that insulate developers from security and identity management implementation details. With OPSS, developers do not need to know the details of cryptographic key management or interfaces with user repositories and other identity management infrastructures. By leveraging OPSS, in-house developed applications, third-party applications, and integrated applications all benefit from the


– Installation and Upgrade Guide

– System Administrator’s Guide

– Database Administrator’s Guide


Summary

In this lesson, you should have learned to:


Practice 1 Overview: Installing the Software

This practice covers the following topics:
