Oracle Entitlement Server OES QnA from Oracle webcast
Oracle Webcast on OES server with Questions/Answers https://blogs.oracle.com/cloudsecurity/oracle-entitlements-server-oes-11g-webcast-qa
Oracle Entitlements Server (OES) 11g Webcast Q&A
We recently announced Oracle
Entitlements Server (OES) 11g. OES externalizes authorization policies from applications eliminating the complexity of building authorization inside applications.
By decoupling authorization policy evolution from the application lifecycle, OES does for authorization what Single Sign-On did for authentication.
Entitlements Server (OES) 11g. OES externalizes authorization policies from applications eliminating the complexity of building authorization inside applications.
By decoupling authorization policy evolution from the application lifecycle, OES does for authorization what Single Sign-On did for authentication.
In our recent July 14 webcast on OES 11g, we dug deeper into some of the new capabilities and design themes in OES 11g. Thanks to everyone who joined our webcast. We have captured answers to the questions asked for your
reference.
reference.
What is
new in OES 11g?
new in OES 11g?
OES 11g introduces several breakthroughs in externalized authorization management. 1) Real-time External Authorization ensures minimal
latencies in mission-critical deployments for applications making a massive number
of authorization checks 2) Comprehensive Standards Support for a broad spectrum of
authorization standards including XACML, NIST RBAC, Enterprise RBAC, ABAC, JAAS
and OpenAZ. This gives customers plenty of choices, and flexibility of deployment. 3) Rapid Application Integration accelerates integration with a broad spectrum of application platforms.
latencies in mission-critical deployments for applications making a massive number
of authorization checks 2) Comprehensive Standards Support for a broad spectrum of
authorization standards including XACML, NIST RBAC, Enterprise RBAC, ABAC, JAAS
and OpenAZ. This gives customers plenty of choices, and flexibility of deployment. 3) Rapid Application Integration accelerates integration with a broad spectrum of application platforms.
Does
OES 11g integrate with non-Oracle systems?
OES 11g integrate with non-Oracle systems?
Yes. OES integrates with a large number of heterogeneous (non-Oracle) platforms including various custom and 3rd party applications, application servers, databases, directory servers, content management systems, SOA and cloud environments, web portals, and XML gateways, development platforms
and programming languages.
and programming languages.
What’s the difference between OES
11g and Oracle Platform Security Services (OPSS)?
11g and Oracle Platform Security Services (OPSS)?
OPSS is the underlying security foundation for
Oracle Fusion Middleware and Oracle Fusion Applications. It is a security framework that provides a broad set of security services for applications - anything from authentication, audit, secure credential storage, identity profile, and authorization among others. OES is the authorization engine sitting underneath OPSS.
Oracle Fusion Middleware and Oracle Fusion Applications. It is a security framework that provides a broad set of security services for applications - anything from authentication, audit, secure credential storage, identity profile, and authorization among others. OES is the authorization engine sitting underneath OPSS.
OAM and OES both can handle authorization. What else can OES offer
when compared to OAM authorization?
when compared to OAM authorization?
OAM is primarily an authentication and Single Sign-On solution. While it does have coarse grained authorization capabilities, you will need a fine grained authorization solution like OES for page/portal customization or page entity level security checks (button enable/disable, text
box graying out), transactional checks, checks at method or function level, and for data redaction.
box graying out), transactional checks, checks at method or function level, and for data redaction.
Does OES 11g integrate with Microsoft Active Directory?
Sure. OES can work with external
user/group/role/attribute repositories. As a best practice we recommend that you leverage your existing identity stores like AD.
user/group/role/attribute repositories. As a best practice we recommend that you leverage your existing identity stores like AD.
Does OES 11g integrate with other Oracle Identity Management products like Oracle Access Manager (OAM) and Oracle Adaptive Access Manager (OAAM)?
OES integrates with other Identity and Access Management solutions. It can integrate well with an SSO solution like OAM or an adaptive
authentication solution like OAAM. Integration with OES delivers fine grained authorization
capabilities such as page/portal personalization, function/module level checks, attribute based checks, data redaction etc. OES integrates with other components of the Oracle Identity Management stack as well.
authentication solution like OAAM. Integration with OES delivers fine grained authorization
capabilities such as page/portal personalization, function/module level checks, attribute based checks, data redaction etc. OES integrates with other components of the Oracle Identity Management stack as well.
Do you recommend performing data redaction at the database rather than at the UI or business logic layer?
Nearly all large deployments have to make a decision on this at some time. While some scenarios may force you to make the authorization decision at Data Source (DB level), we tend to recommend redaction at a data service layer (for example at the hibernate layer). In general, this is a very subjective decision. OES 11g provides various architecture choices. Decisions vary on a case by case basis.
With 11g the OES PEP/PDP is now integrated into the WLS OPSS SM.
When using OES Administration Server (PDP) in conjunction with WLS 11g, do you have to license the integrated PEP/PDP on WLS or is its usage covered by the WLS licensing?
When using OES Administration Server (PDP) in conjunction with WLS 11g, do you have to license the integrated PEP/PDP on WLS or is its usage covered by the WLS licensing?
OES is licensed separately.
How does OES compare to LDAP or Tivoli security application?
LDAP by itself is just a repository and does not
provide any policy enforcement capabilities.
provide any policy enforcement capabilities.
Where are the roles stored?
In OES Roles are policy based. At a high level,
the role policies can be based on users or groups or user attributes where these entities can be managed in any standard user repositories (ex: AD).
the role policies can be based on users or groups or user attributes where these entities can be managed in any standard user repositories (ex: AD).
How is OES integrated with Oracle ADF? Can I authorize ADF
component seamlessly, transparently (ADF developer do not execute OES) and how?
component seamlessly, transparently (ADF developer do not execute OES) and how?
Absolutely. The OES admin console itself is
based on OES. Since OES can plug in under the OPSS (Oracle Platform Security Services) layer, all Oracle FMW and Applications (that are based on OPSS) automatically leverage the OES authorization engine.
based on OES. Since OES can plug in under the OPSS (Oracle Platform Security Services) layer, all Oracle FMW and Applications (that are based on OPSS) automatically leverage the OES authorization engine.
Does OES support Single Sign On?
OES is not a WebSSO product, it does fine
grained authorization. That said, it works with and integrates with any customer's single sign-on solution to take advantage of the user context that
gets established and any other information the SSO product provides that you want to leverage in your authorization policies. Oracle Access Manager (our WebSSO product) internally leverages an embedded version of OES to do URL level (coarse grained) authorization.
grained authorization. That said, it works with and integrates with any customer's single sign-on solution to take advantage of the user context that
gets established and any other information the SSO product provides that you want to leverage in your authorization policies. Oracle Access Manager (our WebSSO product) internally leverages an embedded version of OES to do URL level (coarse grained) authorization.
Do you need the Enterprise Gateway to perform this sort of context authorization or can this be performed by WLS/OPSS, etc?
The Oracle Enterprise Gateway makes it extremely
easy to integrate with web services as it is natively integrated with OES - this requires no changes to the application code. A similar integration can be
done with Oracle Web Services Manager with some customization.
easy to integrate with web services as it is natively integrated with OES - this requires no changes to the application code. A similar integration can be
done with Oracle Web Services Manager with some customization.
Does OES integrate with Layer 7 gateways?
Yes, OES can integrate with Layer 7 gateways
Does OES provide database level integration with IBM DB2?
You can definitely use OES for data security
with DB2 through business tier integration.
with DB2 through business tier integration.
Can OES integrated with non-Java applications (C/C++)?
OES provides Web Service and RMI interfaces that can be of help in these cases. We have done a lot of work with financial services companies that we will be happy to discuss offline.
Can authorization policies be stored in an Oracle database?
Authorization policies can be stored in Oracle
RDBMS. The user and groups can be retained in their existing enterprise stores - AD/LDAP/RDBMS
RDBMS. The user and groups can be retained in their existing enterprise stores - AD/LDAP/RDBMS
Do you provide or recommend tools to extract security rules from home-grown code so they can be externalized?
We have not come across any tools that do rules
redaction from code very effectively.
redaction from code very effectively.
Are there any IDEs (like Eclipse) that support application owners in development for developers and architects?
There are probably two parts to this question,
the OES libraries can be used with any IDE. Our own JDeveloper IDE provides security wizards that help developers, provides declarative support, and helps automate the development lifecycle - this is planned to be certified with OES 11g later this year. We also have plans to extend this for 3rd party IDE's
the OES libraries can be used with any IDE. Our own JDeveloper IDE provides security wizards that help developers, provides declarative support, and helps automate the development lifecycle - this is planned to be certified with OES 11g later this year. We also have plans to extend this for 3rd party IDE's
How do you integrate OES with Oracle Identity Manager (OIM) and Oracle Identity Analytics (OIA)?
OIM provisions the users and group membership
(enterprise roles) in the ID store(s) that OES can then leverage in authorization decisions/policies. OIM may also control certain user attributes
that may be used in your authorization policies. (OIM uses an embedded version of OES for defining delegated admin policies). OIA can then be used for recertification / attestation of the role memberships and relevant attributes, Separation
of Duties (SoD) policies etc
(enterprise roles) in the ID store(s) that OES can then leverage in authorization decisions/policies. OIM may also control certain user attributes
that may be used in your authorization policies. (OIM uses an embedded version of OES for defining delegated admin policies). OIA can then be used for recertification / attestation of the role memberships and relevant attributes, Separation
of Duties (SoD) policies etc
Check out the webcast
replay to learn more about OES 11g.
replay to learn more about OES 11g.
Comments
Post a Comment