Description: PowerPoint PPT presentation by Kerry Osborne, Senior Oracle Guy.
Kerry Osborne
Senior Oracle Guy
Caveats
The opinions expressed are mine …
I’m an old guy
I am biased towards Oracle technology
I have not drunk too much of the Kool-Aid
Why Identity Management?
My Totally Unscientific Survey
~40 companies ~90% public ~40% over $1B
~95% are interested in Identity Management
Why Identity Management?
Users are frustrated
SOX is scary
Need to reduce costs
It's complicated
Why Oracle Identity Management?
Diagram: a three-layer stack, Oracle Identity Management on top of OID on top of Oracle Database.
Oracle Internet Directory (OID)
LDAP v3 compliant directory server
Built on Oracle Database
Scalable
Performant
Highly available
Speaking of eggs
Is it better to have all your eggs in one basket, or not?
Squirrel and Fort Knox
Squirrel's approach: he puts nuts in lots of places. They are totally insecure, so he needs lots of holes. He has lots of nuts, so he doesn't care if he loses some.
Fort Knox approach: put all the gold bullion in one place and lock it down. Can't afford to lose any. Not enough manpower to guard many locations.
Back to the Future
Traditional Database Systems
Usually authenticated by the database
Yielded lots of silos
Usually not directly associated with a person
Two Common Security Models
Every user has his own database account
Full access to base tables must be granted
Access to ad-hoc tools must be limited
Can make use of advanced Oracle features
OR
Users log on to a proxy account
Better approach generally (see caveat 1.0)
Not necessary for the user to know the actual account
Easier to convert to centralized authentication
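The two models on this slide, written out as Oracle DDL. This is an added example, not code from the presentation; the schema APP_OWNER, tables ORDERS and INVOICES, users JSMITH and APP_PROXY, and the application module name 'DOCAPP' are assumed. The slide's "proxy account" is a shared application account; the second half also shows two ways of keeping a per-person identity under that model (CLIENT_IDENTIFIER and Oracle proxy authentication), which the slide does not mention and which are therefore the editor's assumption about how it would be implemented.

```sql
-- Added example (not from the presentation). Assumed names: schema APP_OWNER with
-- tables ORDERS and INVOICES, end user JSMITH, shared account APP_PROXY, and an
-- application that sets its MODULE to 'DOCAPP'.

------------------------------------------------------------------
-- Model 1: every user has his own database account
------------------------------------------------------------------
CREATE USER jsmith IDENTIFIED BY "Replace-Me-1" DEFAULT TABLESPACE users;
GRANT CREATE SESSION TO jsmith;

-- Full access to base tables must be granted to the person, so the same
-- privileges are reachable from SQL*Plus, ODBC or a spreadsheet.
GRANT SELECT, INSERT, UPDATE ON app_owner.orders   TO jsmith;
GRANT SELECT                 ON app_owner.invoices TO jsmith;

-- Access to ad-hoc tools must be limited: a logon trigger that refuses sessions
-- whose MODULE is not the application. Caveat: MODULE (and PROGRAM) are reported
-- by the client library and can be set by the client, so this is a speed bump for
-- honest users, not a security boundary.
CREATE OR REPLACE TRIGGER app_owner.block_adhoc_tools
AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'JSMITH'
     AND UPPER(NVL(SYS_CONTEXT('USERENV', 'MODULE'), 'unknown')) NOT LIKE 'DOCAPP%'
  THEN
    RAISE_APPLICATION_ERROR(-20001, 'This account may only be used from the application');
  END IF;
END;
/

-- Advanced Oracle features that need a real database identity work unmodified,
-- e.g. auditing the person rather than an application account:
AUDIT SELECT ON app_owner.invoices BY ACCESS;

------------------------------------------------------------------
-- Model 2: users log on to a proxy (shared application) account
------------------------------------------------------------------
CREATE USER app_proxy IDENTIFIED BY "Replace-Me-2";
GRANT CREATE SESSION TO app_proxy;
GRANT SELECT, INSERT, UPDATE ON app_owner.orders   TO app_proxy;
GRANT SELECT                 ON app_owner.invoices TO app_proxy;
-- Only the application holds app_proxy's password; end users authenticate to the
-- application (or to OID/SSO) and never learn the database credentials.

-- Audit records would otherwise only show APP_PROXY. Two ways to keep the person
-- (assumed conventions; the slide does not say which was used):
-- (a) the application tags each session after it has authenticated the user ...
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('jsmith');
END;
/
-- ... and auditing/VPD policies read SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER').
--
-- (b) Oracle proxy authentication: the application still connects with app_proxy's
--     password but on behalf of a named database user (connect as app_proxy[jsmith]).
--     SESSION_USER becomes JSMITH, PROXY_USER becomes APP_PROXY, jsmith's own grants apply.
ALTER USER jsmith GRANT CONNECT THROUGH app_proxy;
```

Under model 1 the logon trigger is the weak point: anything that can set the module name walks past it, so the real control is still the grants. Under model 2 the weak point moves to the application's copy of the shared password, which is why the later case studies move authentication out of the database into OID/SSO.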
Case Study #1
Document Management / Workflow Application
Problem: Build a document management system capable of handling millions of documents, from paper to a searchable XML database.
The application should support multiple groupings of users with multiple responsibilities.
Provide a very flexible routing/approval infrastructure.
Case Study #1
Architecture:
Oracle Database using Oracle Text
Java application to access the final database
Oracle Forms
Oracle Workflow
Case Study #1
Solution:
Use the proxy security model, whereby all users log on to a common database account
Use OID for authentication
Create a table of users
Synchronize the application users table with OID via triggers
No need for a password field in the users table
Create a view of the users table for Workflow
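The Case Study #1 solution in PL/SQL, as an added example that is not the presentation's code: a users table with no password column, a package that pushes rows to OID with DBMS_LDAP, the trigger that drives it, and the view Workflow reads. The OID host oid.example.com:389, the bind DN cn=orcladmin, the literal bind password, the container cn=Users,dc=example,dc=com and the inetOrgPerson object class are assumptions.

```sql
-- Added example (not the presentation's code). Assumptions are marked inline.

-- Application users table: no password column, OID/SSO owns authentication.
-- The CHECK constraint is what makes it safe to splice username into a DN and
-- an LDAP filter below (no '*', '(', ')', ',', '\' or '=' can get in).
CREATE TABLE app_users (
  username  VARCHAR2(64)  PRIMARY KEY CHECK (REGEXP_LIKE(username, '^[A-Za-z0-9._-]+$')),
  email     VARCHAR2(256) NOT NULL,
  full_name VARCHAR2(128) NOT NULL
);

CREATE OR REPLACE PACKAGE oid_sync AS
  g_suppress BOOLEAN := FALSE;  -- a job writing app_users FROM OID sets this so the trigger does not echo
  PROCEDURE upsert_user(p_username VARCHAR2, p_email VARCHAR2, p_full_name VARCHAR2);
  PROCEDURE delete_user(p_username VARCHAR2);
END oid_sync;
/

CREATE OR REPLACE PACKAGE BODY oid_sync AS
  c_host CONSTANT VARCHAR2(64)  := 'oid.example.com';             -- assumption
  c_port CONSTANT PLS_INTEGER   := 389;
  c_bind CONSTANT VARCHAR2(64)  := 'cn=orcladmin';                -- assumption
  c_pwd  CONSTANT VARCHAR2(64)  := 'replace-me';                  -- assumption; keep in a wallet, never in source
  c_base CONSTANT VARCHAR2(128) := 'cn=Users,dc=example,dc=com';  -- assumption

  FUNCTION user_dn(p_username VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN 'cn=' || p_username || ',' || c_base;
  END;

  FUNCTION connect_oid RETURN DBMS_LDAP.SESSION IS
    l_ld DBMS_LDAP.SESSION;
    l_rc PLS_INTEGER;
  BEGIN
    DBMS_LDAP.USE_EXCEPTION := TRUE;   -- LDAP errors raise instead of returning codes
    l_ld := DBMS_LDAP.init(c_host, c_port);
    l_rc := DBMS_LDAP.simple_bind_s(l_ld, c_bind, c_pwd);
    RETURN l_ld;
  END;

  FUNCTION entry_exists(p_ld DBMS_LDAP.SESSION, p_username VARCHAR2) RETURN BOOLEAN IS
    l_attrs DBMS_LDAP.STRING_COLLECTION;
    l_msg   DBMS_LDAP.MESSAGE;
    l_rc    PLS_INTEGER;
    l_n     PLS_INTEGER;
  BEGIN
    l_attrs(1) := 'cn';
    l_rc := DBMS_LDAP.search_s(p_ld, c_base, DBMS_LDAP.SCOPE_ONELEVEL,
                               '(cn=' || p_username || ')', l_attrs, 0, l_msg);
    l_n  := DBMS_LDAP.count_entries(p_ld, l_msg);
    l_rc := DBMS_LDAP.msgfree(l_msg);
    RETURN l_n > 0;
  END;

  PROCEDURE upsert_user(p_username VARCHAR2, p_email VARCHAR2, p_full_name VARCHAR2) IS
    l_ld   DBMS_LDAP.SESSION;
    l_mods DBMS_LDAP.MOD_ARRAY;
    l_vals DBMS_LDAP.STRING_COLLECTION;
    l_rc   PLS_INTEGER;
    l_op   PLS_INTEGER;
    l_new  BOOLEAN;
  BEGIN
    l_ld   := connect_oid;
    l_new  := NOT entry_exists(l_ld, p_username);
    l_op   := CASE WHEN l_new THEN DBMS_LDAP.MOD_ADD ELSE DBMS_LDAP.MOD_REPLACE END;
    l_mods := DBMS_LDAP.create_mod_array(5);
    IF l_new THEN   -- structural attributes only on create
      l_vals(1) := 'top'; l_vals(2) := 'person'; l_vals(3) := 'inetOrgPerson';
      DBMS_LDAP.populate_mod_array(l_mods, DBMS_LDAP.MOD_ADD, 'objectClass', l_vals);
      l_vals.DELETE; l_vals(1) := p_username;
      DBMS_LDAP.populate_mod_array(l_mods, DBMS_LDAP.MOD_ADD, 'cn', l_vals);
      DBMS_LDAP.populate_mod_array(l_mods, DBMS_LDAP.MOD_ADD, 'sn', l_vals);  -- sn is mandatory for person
    END IF;
    l_vals.DELETE; l_vals(1) := p_email;
    DBMS_LDAP.populate_mod_array(l_mods, l_op, 'mail', l_vals);
    l_vals.DELETE; l_vals(1) := p_full_name;
    DBMS_LDAP.populate_mod_array(l_mods, l_op, 'displayName', l_vals);
    IF l_new THEN
      l_rc := DBMS_LDAP.add_s(l_ld, user_dn(p_username), l_mods);
    ELSE
      l_rc := DBMS_LDAP.modify_s(l_ld, user_dn(p_username), l_mods);
    END IF;
    DBMS_LDAP.free_mod_array(l_mods);
    l_rc := DBMS_LDAP.unbind_s(l_ld);
  END;

  PROCEDURE delete_user(p_username VARCHAR2) IS
    l_ld DBMS_LDAP.SESSION;
    l_rc PLS_INTEGER;
  BEGIN
    l_ld := connect_oid;
    l_rc := DBMS_LDAP.delete_s(l_ld, user_dn(p_username));
    l_rc := DBMS_LDAP.unbind_s(l_ld);
  END;
END oid_sync;
/

-- Synchronize the application users table with OID via a trigger.
-- Caveat: the LDAP write happens inside the transaction but is not undone by a
-- rollback; for strict consistency queue the change and apply it after commit.
CREATE OR REPLACE TRIGGER app_users_to_oid
AFTER INSERT OR UPDATE OR DELETE ON app_users
FOR EACH ROW
BEGIN
  IF oid_sync.g_suppress THEN RETURN; END IF;
  IF DELETING THEN
    oid_sync.delete_user(:OLD.username);
  ELSE
    oid_sync.upsert_user(:NEW.username, :NEW.email, :NEW.full_name);
  END IF;
END;
/

-- View of the users table for Workflow: only the columns Workflow needs.
CREATE OR REPLACE VIEW workflow_users_view AS
  SELECT username AS name, full_name AS display_name, email AS email_address
  FROM   app_users;
```

Because the table never stores a password, a compromise of the application schema yields user names and e-mail addresses but no credentials; the only secret in this path is the OID bind password, which belongs in an Oracle wallet rather than in the package body as shown here.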
Case Study #1
Diagram: App_users (Username, Email) is copied by a database trigger into Workflow_users (Username, Email), which is exposed as Workflow_users_view; the Forms app authenticates against OID/SSO and Workflow reads the view.
Case Study #2
Consolidation of Security Models / Authentication
Problem: Numerous custom Oracle-based applications, all with their own security components, make compliance with government regulations difficult.
Architecture: Numerous applications all accessing Oracle. Each application uses the individual database account security model. The applications use database roles for security. The client uses Oracle's Internal Controls Management product. The client plans to implement Oracle Financials.
Case Study #2
Solution:
Convert custom applications to "bolt-on" applications in Oracle Financials
Provides a common security model
Provides auditing capability
Provides a common user interface
Provides out-of-the-box integration with OID/SSO
Case Study #2
Diagram: Oracle Financials (Fin Apps) hosting the applications GL, AP, XX1, XX2, …; responsibilities AP Clerk, AP Super User, XX1 Clerk, XX1 Super User, …; users GL_User1, AP_User1, XX1_User1, XX1_User2, …; all authenticating through OID/SSO. The bolt-on apps XX1 and XX2 previously each held their own Users, Roles and Menus.
Case Study #3
Active Directory Sync / .NET Application
Problem: The users want centralized authentication. This will give users access to the application whether they are defined in AD, OID or the application itself.
Architecture: .NET application. The application uses the proxy security model with an internal table of application users.
Case Study #3
Solution:
Use OID as the central repository
Synchronize OID with AD and the internal users table
AD sync accomplished with DIP on a timed basis
Database users table sync is bi-directional:
to OID via database triggers
from OID with a timed job using a function-based view (LDAP search)
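The "from OID" half of the bi-directional sync, as an added example that is not the presentation's code: a pipelined function that performs the LDAP search, the function-based view over it, and a scheduler job that merges the result into the internal users table. It assumes an app_users(username, email, full_name) table already exists, OID at oid.example.com:389, the bind DN cn=orcladmin with a literal password, and user entries of class inetOrgPerson under cn=Users,dc=example,dc=com; the package and type names are the editor's.

```sql
-- Added example (not the presentation's code). Assumptions are marked inline.

CREATE TYPE ldap_user_t AS OBJECT (
  dn        VARCHAR2(512),
  username  VARCHAR2(64),
  email     VARCHAR2(256),
  full_name VARCHAR2(128)
);
/
CREATE TYPE ldap_user_tab AS TABLE OF ldap_user_t;
/

CREATE OR REPLACE PACKAGE ldap_pull AS
  -- TRUE while refresh_users runs. Whatever trigger pushes app_users back to OID
  -- must skip its work while this is set, or every pull is echoed as a push.
  g_from_oid BOOLEAN := FALSE;
  FUNCTION  oid_users RETURN ldap_user_tab PIPELINED;
  PROCEDURE refresh_users;
END ldap_pull;
/

CREATE OR REPLACE PACKAGE BODY ldap_pull AS
  c_host CONSTANT VARCHAR2(64)  := 'oid.example.com';             -- assumption
  c_port CONSTANT PLS_INTEGER   := 389;
  c_bind CONSTANT VARCHAR2(64)  := 'cn=orcladmin';                -- assumption
  c_pwd  CONSTANT VARCHAR2(64)  := 'replace-me';                  -- assumption; keep in a wallet
  c_base CONSTANT VARCHAR2(128) := 'cn=Users,dc=example,dc=com';  -- assumption

  -- First value of an attribute, or NULL when the entry does not carry it.
  FUNCTION first_val(p_ld DBMS_LDAP.SESSION, p_entry DBMS_LDAP.MESSAGE, p_attr VARCHAR2)
    RETURN VARCHAR2 IS
    l_vals DBMS_LDAP.STRING_COLLECTION;
  BEGIN
    l_vals := DBMS_LDAP.get_values(p_ld, p_entry, p_attr);
    IF l_vals.COUNT = 0 THEN RETURN NULL; END IF;
    RETURN l_vals(l_vals.FIRST);
  END;

  FUNCTION oid_users RETURN ldap_user_tab PIPELINED IS
    l_ld    DBMS_LDAP.SESSION;
    l_rc    PLS_INTEGER;
    l_attrs DBMS_LDAP.STRING_COLLECTION;
    l_msg   DBMS_LDAP.MESSAGE;
    l_entry DBMS_LDAP.MESSAGE;
  BEGIN
    DBMS_LDAP.USE_EXCEPTION := TRUE;
    l_ld := DBMS_LDAP.init(c_host, c_port);
    l_rc := DBMS_LDAP.simple_bind_s(l_ld, c_bind, c_pwd);
    l_attrs(1) := 'cn'; l_attrs(2) := 'mail'; l_attrs(3) := 'displayName';
    -- Fixed filter: nothing user-controlled is spliced into it.
    l_rc := DBMS_LDAP.search_s(l_ld, c_base, DBMS_LDAP.SCOPE_SUBTREE,
                               '(objectClass=inetOrgPerson)', l_attrs, 0, l_msg);
    l_entry := DBMS_LDAP.first_entry(l_ld, l_msg);
    WHILE l_entry IS NOT NULL LOOP
      PIPE ROW (ldap_user_t(DBMS_LDAP.get_dn(l_ld, l_entry),
                            first_val(l_ld, l_entry, 'cn'),
                            first_val(l_ld, l_entry, 'mail'),
                            first_val(l_ld, l_entry, 'displayName')));
      l_entry := DBMS_LDAP.next_entry(l_ld, l_entry);
    END LOOP;
    l_rc := DBMS_LDAP.msgfree(l_msg);
    l_rc := DBMS_LDAP.unbind_s(l_ld);
    RETURN;
  END;

  -- Timed job body: upsert from OID; entries without a cn or mail are skipped.
  -- Deletions are deliberately not propagated here; a removed OID entry stays in
  -- app_users until a separate reconciliation decides what to do with its data.
  PROCEDURE refresh_users IS
  BEGIN
    g_from_oid := TRUE;
    MERGE INTO app_users a
    USING (SELECT username, email, NVL(full_name, username) AS full_name
           FROM   TABLE(ldap_pull.oid_users())
           WHERE  username IS NOT NULL AND email IS NOT NULL) o
    ON (a.username = o.username)
    WHEN MATCHED THEN UPDATE SET a.email = o.email, a.full_name = o.full_name
      WHERE a.email <> o.email OR a.full_name <> o.full_name
    WHEN NOT MATCHED THEN INSERT (username, email, full_name)
      VALUES (o.username, o.email, o.full_name);
    g_from_oid := FALSE;
  EXCEPTION
    WHEN OTHERS THEN g_from_oid := FALSE; RAISE;
  END;
END ldap_pull;
/

-- Function-based view: SQL clients query OID as if it were a table.
CREATE OR REPLACE VIEW ldap$users AS SELECT * FROM TABLE(ldap_pull.oid_users());

-- Timed event: pull from OID every 15 minutes.
BEGIN
  DBMS_SCHEDULER.create_job(
    job_name        => 'APP_USERS_FROM_OID',
    job_type        => 'PLSQL_BLOCK',
    job_action      => 'BEGIN ldap_pull.refresh_users; COMMIT; END;',
    repeat_interval => 'FREQ=MINUTELY;INTERVAL=15',
    enabled         => TRUE);
END;
/
```

The g_from_oid guard is the part a bi-directional sync most often gets wrong: without it the trigger on app_users writes every pulled row straight back to OID, and with AD also feeding OID through DIP a single bad attribute can circulate indefinitely. Grant SELECT on ldap$users sparingly; it exposes the whole directory subtree to anyone who can query it.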
Case Study #3
Diagram: AD syncs into OID/SSO; within the Oracle Database, App_users pushes to OID via trigger and Ldap$users pulls from OID on a timed event; the .NET application runs on IIS behind the Oracle SSO plug-in, which authenticates against OID/SSO.