Oracle Internet Directory Administrator's Guide
Release 9.0.2

Part Number A95192-01

16
Directory-Based Application Security

This chapter discusses how you can exploit the way Oracle Internet Directory stores access control policies to secure applications in a large enterprise and in hosted environments. This chapter contains these topics:

Delegated Directory Administration

Because Oracle Internet Directory stores access control policies as LDAP attributes, you can set metapolicies controlling who can modify them. This enables a global administrator to assign privileges to administrators of specific subtrees--for example, to administrators of applications in a hosted environment. Similarly, a global administrator can delegate to departmental administrators access to the metadata of applications in their departments. Department administrators can then control access to their department applications.
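The delegation chain described above can be sketched as a small model. This is an added example, not code from the Oracle documentation, and it does not reproduce Oracle Internet Directory's ACL evaluation; the `acp` attribute name, the DNs, and all class and function names are hypothetical.

```python
# Simplified model, not Oracle Internet Directory's ACL evaluation.
POLICY_ATTR = "acp"  # hypothetical name for the attribute holding a policy

def rdns(dn):
    # Naive split: ignores escaped commas inside RDN values.
    return [r.strip().lower() for r in dn.split(",")]

def in_subtree(dn, base):
    """True when dn is base itself or lies below it in the DIT."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

class Directory:
    def __init__(self, global_admin):
        self.global_admin = global_admin
        self.entries = {}      # dn -> {attribute: value}
        self.delegations = []  # metapolicies as (subtree base, admin dn)

    def may_modify_policy(self, who, dn):
        """Metapolicy check: may `who` write the policy attribute at dn?"""
        if who == self.global_admin:
            return True
        return any(who == admin and in_subtree(dn, base)
                   for base, admin in self.delegations)

    def delegate(self, who, base, admin):
        # A delegation is itself a policy change, so it passes the same check:
        # an administrator can only hand out rights inside their own subtree.
        if not self.may_modify_policy(who, base):
            raise PermissionError(f"{who} may not delegate {base}")
        self.delegations.append((base, admin))

    def set_policy(self, who, dn, policy):
        if not self.may_modify_policy(who, dn):
            raise PermissionError(f"{who} may not modify policy at {dn}")
        self.entries.setdefault(dn, {})[POLICY_ATTR] = policy

def build_hosted_directory():
    """Constructed sample: two subscribers, one delegated application admin."""
    d = Directory("cn=global admin")
    d.delegate("cn=global admin", "o=sub1,dc=host", "cn=admin,o=sub1,dc=host")
    d.delegate("cn=global admin", "o=sub2,dc=host", "cn=admin,o=sub2,dc=host")
    d.delegate("cn=admin,o=sub1,dc=host", "cn=app1,o=sub1,dc=host",
               "cn=app1 admin,o=sub1,dc=host")
    return d
```

Comparing DNs as RDN lists rather than as raw string suffixes keeps a sibling such as `o=xsub1,dc=host` from being treated as part of `o=sub1,dc=host`.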

Thus, you can implement access control on two levels:

Application-Specific Access Control

Figure 16-1 shows the relationship between directory access control and the application-specific access control mechanisms in a hosted environment.

Figure 16-1 Directory Access Control and Application-Specific Access Control

Directory Domains and Roles

Figure 16-2 illustrates the various domains and the roles associated with them in the directory.

Figure 16-2 Directory Domains and Roles in a Hosted Environment

In Figure 16-2, each triangle represents a portion of a DIT.

Figure 16-2 shows only a single subscriber represented in the directory. In reality there are multiple subscribers, each with its own domain requiring protection from the others.

Some of the protection domains in this model are:

These protection domains are supported by the following roles, which enable the service provider or subscriber to customize access control.


Copyright © 1999, 2002 Oracle Corporation.

All Rights Reserved.