Kerry Osborne - PowerPoint PPT Presentation

About This Presentation
Title:

Kerry Osborne

Slides: 23
Provided by: KerryO9

Transcript and Presenter's Notes

Title: Kerry Osborne


1
  • Kerry Osborne
  • Senior Oracle Guy

2
Caveats
  • The opinions expressed are mine
  • I'm an old guy
  • I am biased towards Oracle technology
  • I have not drunk too much of the Kool-Aid

3
Why Identity Management?
  • My Totally Unscientific Survey
  • 40 companies
  • 90 public
  • 40 over 1B
  • 95 are interested in Identity Management

4
Why Identity Management?
  • Users are frustrated
  • SOX is Scary
  • Need to Reduce Costs
  • It's Complicated

5
Why Oracle Identity Management?

OID
Oracle Database
Oracle Identity Management

6
Oracle Internet Directory (OID)
  • v3 compliant LDAP server
  • Built on Oracle Database
  • Scalable
  • Performant
  • Highly Available

7
Speaking of eggs
  • Is it better to have all your eggs in one basket,
    or not?

8
Squirrel and Fort Knox

9
Squirrel and Fort Knox
  • Squirrel's Approach
  • He puts nuts in lots of places.
  • They are totally insecure. Therefore, he needs
    lots of holes.
  • He has lots of nuts. Therefore, he doesn't care
    if he loses some.
  • Fort Knox Approach
  • Put all the gold bullion in one place and lock it
    down.
  • Can't afford to lose any.
  • Not enough manpower to guard many locations.

10
Back to the Future
  • Traditional Database Systems
  • Usually authenticated by the database
  • Yielded lots of silos
  • Usually not directly associated with a person

11
Two Common Security Models
  • Every user has his own database account
  • Full access to base tables must be granted
  • Access to ad-hoc tools must be limited
  • Can make use of advanced Oracle features
  • OR
  • Users log on to a proxy account
  • Better approach generally (see caveat 1.0)
  • Not necessary for user to know the actual account
  • Easier to convert to centralized authentication

12
Case Study 1
  • Document Management / Workflow Application
  • Problem
  • Build a document management system capable of
    handling millions of documents from paper to
    searchable XML database.
  • The application should support multiple groupings
    of users with multiple responsibilities.
  • Provide a very flexible routing/approval
    infrastructure.

13
Case Study 1
  • Architecture
  • Oracle Database using Oracle Text
  • Java application to access the final database
  • Oracle Forms
  • Oracle Workflow

14
Case Study 1
  • Solution
  • Use the proxy security model, whereby all users log
    on to a common database account.
  • Use OID for authentication
  • Create a table of users
  • Synchronize application users table with OID via
    triggers
  • No need for password field in users table
  • Create view of users table for Workflow
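
The proxy model with OID authentication from this slide, sketched in PL/SQL as an added example (not code from the presentation): the application connects through the shared database account and calls a function that checks the end user's password by binding to OID. The `app_users` table, its columns, the function name and the host and port are hypothetical; `DBMS_LDAP` is Oracle's supplied LDAP package.

```sql
-- Added example: hypothetical schema and names, not from the presentation.
-- The application table holds identity and status only; no password column.
CREATE TABLE app_users (
  username  VARCHAR2(64)  PRIMARY KEY,
  oid_dn    VARCHAR2(512) NOT NULL,   -- entry DN in OID, kept current by the sync
  active    CHAR(1) DEFAULT 'Y' NOT NULL CHECK (active IN ('Y','N'))
);

CREATE OR REPLACE FUNCTION authenticate_user (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) RETURN BOOLEAN
IS
  l_dn      app_users.oid_dn%TYPE;
  l_session DBMS_LDAP.session;
  l_rc      PLS_INTEGER;
BEGIN
  -- An empty password turns an LDAP simple bind into an unauthenticated
  -- bind, which many directories accept. Oracle treats '' as NULL, so
  -- this check rejects both before OID is contacted.
  IF p_username IS NULL OR p_password IS NULL THEN
    RETURN FALSE;
  END IF;

  -- Look the DN up with a bind variable; never build it from user input.
  BEGIN
    SELECT oid_dn INTO l_dn
      FROM app_users
     WHERE username = p_username AND active = 'Y';
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN FALSE;
  END;

  DBMS_LDAP.use_exception := TRUE;   -- failed calls raise instead of returning a code
  -- Placeholder host/port. Port 389 is cleartext; use DBMS_LDAP.open_ssl
  -- on the directory's SSL port so the password is not sent in the clear.
  l_session := DBMS_LDAP.init('oid.example.com', 389);
  BEGIN
    l_rc := DBMS_LDAP.simple_bind_s(l_session, l_dn, p_password);
  EXCEPTION
    WHEN OTHERS THEN
      l_rc := DBMS_LDAP.unbind_s(l_session);
      RETURN FALSE;                  -- bad credentials or directory error: deny
  END;
  l_rc := DBMS_LDAP.unbind_s(l_session);
  RETURN TRUE;
END authenticate_user;
/
```

Because every session runs as the common account, the database's own audit trail records only that account; the application has to log `p_username` with each action if per-person accountability is required.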

15
Case Study 1

16
Case Study 2
  • Consolidation of Security Models / Authentication
  • Problem
  • Numerous custom Oracle-based applications, all
    with their own security components, make
    compliance with government regulations difficult.
  • Architecture
  • Numerous applications all accessing Oracle.
  • Each application uses individual database account
    security model.
  • The applications use database roles for security.
  • The client uses Oracle's Internal Controls
    Management product.
  • The client plans to implement Oracle Financials.

17
Case Study 2
  • Solution
  • Convert custom applications to Bolt On
    applications in Oracle Financials.
  • Provides a common security model
  • Provides auditing capability
  • Provides a common user interface
  • Provides out-of-the-box integration with OID/SSO

18
Case Study 2

19
Case Study 3
  • Active Directory Sync / .Net Application
  • Problem
  • The users wish to have centralized authentication
  • This will provide users with access to the
    application, whether they are defined in AD, OID
    or the application.
  • Architecture
  • .Net application
  • The application uses the Proxy Security Model
    with an internal table of application users.

20
Case Study 3
  • Solution
  • Use OID as the central repository
  • Synchronize OID with AD and the Internal Users
    Table
  • AD sync accomplished with DIP on a timed basis
  • Database users table sync is bi-directional
  • To OID via database triggers
  • From OID with a timed job using a function-based view
    (LDAP search)

21
Case Study 3

22
Questions?
  • www.enkitec.com
  • Kerry.Osborne_at_enkitec.com