This chapter introduces you to Oracle Privileged Account Manager by describing key concepts, features, and functionality.
Oracle Privileged Account Manager manages privileged accounts that are not being managed by any other Oracle Identity Management components.
Accounts are considered "privileged" if they can access sensitive data, can grant access to sensitive data, or can do both. Privileged accounts are your company's most powerful accounts, and they are frequently shared.
Accounts become candidates for management via Oracle Privileged Account Manager if they are associated with elevated privileges, are used by multiple end-users on a task-by-task basis, and must be controlled and audited.
For example, these accounts require security and may fall under compliance regulations:
- UNIX root, Windows administrator, and Oracle Database SYSDBA system accounts
- Application accounts, such as the database user accounts used by an application server when it connects to a Human Resources application
- Traditional shared and elevated privilege user accounts, such as system administrators and database administrators
Administrators determine which accounts are privileged within a particular deployment, and they must configure Oracle Privileged Account Manager to manage those accounts.
While Oracle Privileged Account Manager most commonly manages shared and elevated privileged accounts, administrators can also use it to manage passwords for any type of account. For example, if an employee is on extended leave and you have a business reason for allowing another employee to access the system using that person's email account, Oracle Privileged Account Manager can manage that privilege.
Oracle Privileged Account Manager enables you to administer and provide better security for privileged accounts and passwords that are traditionally difficult to manage for several reasons.
First, privileged accounts generally have more access rights than a regular user's account. Because these accounts are not typically associated with one specific employee, they are often difficult to audit with existing tools and processes. Consequently, when employees leave the company, they might retain privileged account passwords that are still in use, which is a very serious compliance and security issue.
Also, changing privileged account passwords on a regular basis is difficult. If many people depend on the account, changing the password and notifying everyone requires a coordinated effort.
Finally, you typically do not want to store passwords in a central or well-known location, such as an external repository (like LDAP) or in application configuration files, because you cannot control access to those passwords.
Oracle Privileged Account Manager delivers a complete solution for securely managing privileged accounts and passwords because it provides:
- Centralized password management for privileged and shared accounts, including UNIX and Linux root accounts, Oracle Database SYSDBA, application accounts, and LDAP admin accounts
- Interactive, policy-based account and session checkout and check-in: Oracle Privileged Account Manager requires all authorized users to check out an account before using it, and then to check that account back in when they are finished with it. Oracle Privileged Account Manager audits account check-outs and check-ins by tracking the real identity (the person's name) of every shared administrator user at any given moment in time. By using this information, Oracle Privileged Account Manager can provide a complete audit trail that shows who accessed what, when, and where. In addition, Oracle Privileged Session Manager (Session Manager) enables administrators to monitor and control which activities users can perform during a session. Users are never allowed direct access to resources or to privileged credentials.
- Automatic password changes using the Identity Connector Framework (ICF): Oracle Privileged Account Manager modifies passwords when they are checked out and checked in (when configured to do so). Consequently, when a user checks out a password and then subsequently checks it back in, that user can no longer use the previously checked out password. In addition, Oracle Privileged Account Manager can change application privileged account passwords at specified intervals, such as every 90 days, with no changes to those applications, and it synchronizes those passwords on the target systems. For example, Oracle Privileged Account Manager can update service and scheduled task credentials.
- User management, group management, and workflow capabilities (by integrating with Oracle Identity Manager): Because Oracle Privileged Account Manager seamlessly integrates with Oracle Identity Manager, Oracle Privileged Account Manager can use this Oracle Identity Management product to manage the users and groups that are associated with a company's privileged accounts. In addition, through the request-level approval workflows, operational-level approval workflows, and provisioning workflows of Oracle Identity Manager, you can configure Oracle Privileged Account Manager so that only the appropriate groups and users have access to privileged accounts.
1.2.1 Features
Oracle Privileged Account Manager's key features include:
- Multiple access points, including
- Oracle Privileged Account Manager's web-based user interface (called the Console). Two interfaces are associated with the Console:
- Administrator: Oracle Privileged Account Manager administrators use this interface to create and manage policies, targets, accounts, grants, and reports.
- Self-Service: Oracle Privileged Account Manager end users use this interface to search for, view, check out, and check in accounts.
Note: These APIs are considered to be RESTful because they conform to Representational State Transfer (REST) standards. Refer to Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface" for more information.
- Oracle Platform Security Services (OPSS) Policy Store for authorization
- Oracle Platform Security Services (OPSS) Trust Service to authenticate and propagate identities from the Oracle Privileged Account Manager user interface to the Oracle Privileged Account Manager server
- Identity Connector Framework (ICF) to connect to target systems and to discover, update, or discover and update the passwords for privileged accounts on those systems. In addition, because ICF is an open standard, you can write your own connectors against other types of targets for which Oracle has not yet created an ICF connector. For more information about ICF and about developing your own connector, refer to "Understanding the Identity Connector Framework" and "Developing Identity Connectors Using Java" or "Developing Identity Connectors Using .Net" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
- Session Manager creates a single access point to target resources, which enables administrators to easily control and monitor all the activities within the privileged session.
- Session Manager also maintains historical records (transcripts) to support forensic analysis and audit data.
- UNIX and Linux operating systems
- Oracle, MSSQL, MySQL and Sybase databases
- LDAP v3-compliant directories
- Oracle Privileged Account Manager's out-of-the-box audit reports are integrated with Oracle Business Intelligence Publisher 11g (BI Publisher), so you know who is using your privileged accounts. BI Publisher also enables you to create and manage formatted reports from different data sources.
- The Oracle Fusion Middleware Audit Framework logs audit events in a centralized database. Oracle Privileged Account Manager uses these events to generate audit reports.
- Events related to privileged account access roll up into Oracle Identity Manager and Oracle Identity Analytics for audit and attestation.
- Password Policy: This policy type captures the password construction rules enforced by a specific target on an associated privileged account. For example, you can specify the minimum and maximum number of numeric characters for a password for an account. In addition, you use a password policy to create a password value that Oracle Privileged Account Manager uses to reset a password for a privileged account.
- Usage Policy: This policy type defines when and how often a user or group can access a privileged account.
If you do not specify a time interval by using a Usage Policy, the user or group can access the privileged account at any time (24x7).
- An attended account is an account assigned to a particular group or user.
- An unattended account is an account that is never used by an end user. For example, Oracle Privileged Account Manager uses an unattended account, called the OPAM service account, to connect to and manage target systems. This account performs all Oracle Privileged Account Manager-related operations (such as discovering accounts, resetting passwords, and so forth) on the target system, which is why the OPAM service account (service account) must have some special privileges and properties. Oracle Privileged Account Manager can also manage other kinds of unattended accounts, such as an application account or a service account with CSF mappings that enable applications to pick up a password at run time by using CSF.
Never use the same account both as a service account and as a privileged account managed by Oracle Privileged Account Manager.
For more information about working with service accounts in Oracle Privileged Account Manager, refer to Section 7, "Working with Service Accounts."
1.2.2 Functionality
In addition to the functionality described in Section 1.2, "Why Use Oracle Privileged Account Manager?," Oracle Privileged Account Manager
- Associates privileged accounts with targets
- Grants users and roles access to privileged accounts, and removes that access
- Provides an extensible plug-in framework that enables you to use Oracle or third-party plug-ins to perform operations such as custom notifications, extended usage policies, and custom logic to synchronize passwords with external repositories
- Provides role-based access to accounts maintained in the Oracle Privileged Account Manager accounts request system
- Provides password check out and check in, as well as session checkout to control access to accounts
- Provides "over-the-shoulder" session management by enabling administrators to
- Control session initiation
- Control sessions through policy-based and administrator-initiated session termination and lockout
- Monitor and audit sessions
- Which targets, privileged accounts, and policies are exposed to an end user or administrator
- Which operations (such as add, modify, check-in, and checkout) end users and administrators can perform
1.2.3 Architecture and Topology
The following diagram illustrates Oracle Privileged Account Manager's architecture and topology:
Figure 1-1 Oracle Privileged Account Manager Architecture and Topology
As you examine this figure, it is important to note the following points:
All of Oracle Privileged Account Manager's core logic resides on the Oracle Privileged Account Manager server. This functionality is exposed through a Representational State Transfer (REST or RESTful) service, where the data is encoded as JavaScript Object Notation (JSON).
Note: Oracle Privileged Account Manager provides a web-based user interface (known as the Console) and an Oracle Privileged Account Manager command line tool (CLI). Both interfaces are essentially clients of the Oracle Privileged Account Manager server. However, third parties can write their own clients, such as custom applications, by leveraging the open RESTful service. For more information, refer to Appendix B, "Working with Oracle Privileged Account Manager's RESTful Interface."
- Generic Database User Management connector: Connects to Oracle, MSSQL, Sybase, and MySQL databases.
- Generic Unix connector: Connects to any UNIX system.
- Generic LDAP connector: Connects to LDAP targets (such as Oracle Internet Directory, Oracle Universal Directory, and Active Directory).
- Custom connector: Connects to a target that does not have a predefined connector associated with it.
1.3 How Oracle Privileged Account Manager is Deployed in Oracle Fusion Middleware
The following figure illustrates how Oracle Privileged Account Manager is deployed within Oracle Fusion Middleware.
Figure 1-2 Oracle Privileged Account Manager Deployed Within Oracle Fusion Middleware
As you examine this figure, note the following points:
- All components are deployed within a single WebLogic domain.
- Oracle Privileged Account Manager stores its application data in the Oracle Privileged Account Manager database. In addition, the Oracle Privileged Account Manager schema is created in this database via the Oracle Repository Creation Utility.
- Oracle Privileged Session Manager relies on the Oracle Privileged Account Manager Database for persistence and communicates with Oracle Privileged Account Manager through its RESTful interfaces.
- Oracle Privileged Account Manager's web-based user interface (the Console) is deployed in an Oracle WebLogic Server Managed Server (or simply Managed Server), along with the Oracle Privileged Account Manager Server and the Session Manager. The Console communicates with the Oracle Privileged Account Manager Server.
- The OPSS identity store and the OPSS security store (which includes the Policy Store and credential store) are WebLogic domain-wide constructs, so there is one of each per domain. (Because the OPSS security store is implicitly part of the WebLogic domain, it is not depicted in this diagram.) Oracle Privileged Account Manager simply works with what is configured for that domain. You are not required to use an Oracle Privileged Account Manager-specific configuration to use these constructs and services. In addition, Oracle Privileged Account Manager abstracts out the use of these constructs and services so that you do not have to understand what goes on "under the covers" in great detail.
- The OPSS identity store can point to the LDAP embedded in WebLogic (out of the box) or to an external LDAP server. Refer to "Configuring the Identity Store Service" in the Oracle Fusion Middleware Application Security Guide for configuration instructions.
- For information about managing the Policy Store and the credential store, refer to "Managing the Policy Store" and "Managing the Credential Store" in the Oracle Fusion Middleware Application Security Guide.
1.4 Understanding the Relationship between Oracle Privileged Account Manager Entities
Before you start working with the different Oracle Privileged Account Manager entities, you should understand how those entities relate to each other. Figure 1-3 illustrates this relationship.
Figure 1-3 Oracle Privileged Account Manager Entity Relationships
An Oracle Privileged Account Manager Password Policy can apply to either a target or a privileged account. When applied to a privileged account, that account's password construction (its complexity) and lifecycle (how often it changes) are governed by the effective Oracle Privileged Account Manager Password Policy. Similarly, when applied to a target, the target's service account is governed by the Oracle Privileged Account Manager Password Policy.
Targets are software systems that contain one or more privileged accounts.
A Usage Policy applies on a grant and it controls when and how grantees can use a privileged account. For example, you can configure a Usage Policy to control when a user's access to an account will expire.
Users and groups (roles) are maintained in the Oracle Privileged Account Manager identity store. These users and groups can only access a privileged account through a grant. If a user or group member tries to access a privileged account, and Oracle Privileged Account Manager finds a grant, then the grantee is allowed to access the account based on that grant and its associated Usage Policy.
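The following Python model is an added illustration, not Oracle's code or API, of how the entities in this section and the check-out/check-in behaviour described in Section 1.2 fit together: a grant carries a Usage Policy that gates check-out, the Password Policy supplies the value used to reset the password at check-in, and every check-out and check-in is recorded against the user's real identity. The class names, the event labels, and the account and user names in the usage are constructed for the example.

```python
from datetime import datetime
import secrets
import string

rng = secrets.SystemRandom()

class PasswordPolicy:  # construction rules a target enforces on a password
    def __init__(self, length=12, min_digits=2, max_digits=4):
        self.length, self.min_digits, self.max_digits = length, min_digits, max_digits
    def generate(self) -> str:  # compliant value used when resetting the password
        n = rng.randint(self.min_digits, self.max_digits)
        chars = [rng.choice(string.digits) for _ in range(n)]
        chars += [rng.choice(string.ascii_letters) for _ in range(self.length - n)]
        rng.shuffle(chars)
        return "".join(chars)
    def validate(self, pw: str) -> bool:
        digits = sum(c.isdigit() for c in pw)
        return len(pw) == self.length and self.min_digits <= digits <= self.max_digits

class UsagePolicy:  # hours during which a grantee may check out; default is 24x7
    def __init__(self, allowed_hours=range(24)):
        self.allowed_hours = allowed_hours
    def allows(self, when: datetime) -> bool:
        return when.hour in self.allowed_hours

class PrivilegedAccount:
    def __init__(self, name: str, policy: PasswordPolicy):
        self.name, self.policy = name, policy
        self.password = policy.generate()
        self.grants = {}          # grantee -> UsagePolicy (one grant per grantee)
        self.checked_out_by = ""
        self.audit = []           # (when, real identity, account, event)
    def check_out(self, user: str, when: datetime):
        """Release the password only under a grant whose Usage Policy allows it now."""
        usage = self.grants.get(user)
        if usage is None or not usage.allows(when) or self.checked_out_by:
            self.audit.append((when, user, self.name, "CHECKOUT_DENIED"))
            return None
        self.checked_out_by = user
        self.audit.append((when, user, self.name, "CHECKOUT"))
        return self.password
    def check_in(self, user: str, when: datetime) -> bool:
        """Take the account back and rotate the password so the released value is dead."""
        if self.checked_out_by != user:
            return False
        self.password = self.policy.generate()
        self.checked_out_by = ""
        self.audit.append((when, user, self.name, "CHECKIN"))
        return True
```

A grantee outside the Usage Policy window, or a second user while the account is already out, gets a denial that still lands in the audit trail, and the password handed out at check-out is useless after check-in.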