Identity Service
The identity service is a thin web service layer on top of the Oracle WebLogic Server security infrastructure, namely Oracle Identity Management and Oracle Platform Security Services (OPSS), or any custom user repository. The identity service enables authentication of users and the lookup of user properties, roles, group memberships, and privileges. Oracle Identity Management is the sole identity service provider for Oracle WebLogic Server. Oracle Identity Management handles all storage and retrieval of users and roles for various repositories, including XML, LDAP, and so on. More specifically, Oracle Identity Management provides the following features:
- All providers are supported through Oracle Identity Management. The OracleAS JAAS Provider (JAZN) and LDAP providers are no longer supported. The custom provider is deprecated and supported only for backward compatibility. All customization of providers is performed through the custom provider to Oracle Identity Management, through configuring Oracle Virtual Directory (OVD) as an LDAP provider to Oracle Identity Management, or through both. OVD aggregates data across various repositories.
- The OPSS layer is used, which includes the following:
  - Identity store
  - Policy store
  - Credential store
  - Framework
  For more information, see Securing Applications with Oracle Platform Security Services. All security configuration is done through the jps-config.xml file.
- All privileges are validated against permissions, rather than against actions as in previous releases.
- The following application roles are defined. These roles are automatically defined in the SOA Infrastructure application of the OPSS policy store.
  - SOAAdmin: Grant this role to users who must perform administrative actions on any SOA module. This role is also granted the BPMWorkflowAdmin and B2BAdmin roles. Because of this nesting, anyone granted SOAAdmin effectively holds every workflow permission listed below, including access to the evidence store.
  - BPMWorkflowAdmin: Grant this role to users who must perform any workflow administrative action, such as searching and acting on any task in the system, creating and modifying user and group rules, and performing application customization. This role is granted the BPMWorkflowCustomize role and the following permissions:
    - workflow.mapping.protectedFlexField
    - workflow.admin.evidenceStore
    - workflow.admin
  - BPMWorkflowCustomize: Grant this role to business users who must map task payload attributes to public mapped attributes (formerly called flex fields). This role is also granted the workflow.mapping.publicFlexField permission.
- The following workflow permissions are defined:
  - workflow.admin: Controls who can perform administrative actions related to tasks, user and group rules, and customizations.
  - workflow.admin.evidenceStore: Controls who can view and search evidence records related to digitally signed tasks (tasks that require a signature using digital certificates).
  - workflow.mapping.publicFlexField: Controls who can map task payload attributes to public mapped attributes.
  - workflow.mapping.protectedFlexField: Controls who can map task payload attributes to protected mapped attributes.
Note:
You cannot specify multiple authentication providers for Oracle SOA Suite, because OPSS does not support multiple providers. The provider used for human workflow authentication must be the first one listed in the order of authentication providers for Oracle SOA Suite.