Oracle Entitlements Server (OES) provides fine-grained authorization capabilities that, along with
Oracle Access Manager (OAM), comprise the XACML-based Authorization Service. What factors
should be considered when choosing how to specify and deploy OES policy decision points
(PDPs)?
A. If a policy enforcement point exists in the DMZ, then a remote PDP should be deployed behind
the inner firewall.
B. If both OAM and OES are used, then OES should be configured to use the PDP embedded in
OAM.
C. OES includes a security provider for Oracle WebLogic Server that will handle policy decisions
locally.
D. Oracle Advanced Security includes a universal stand-alone PDP that provides access for Java,
.NET, and SOAP clients.
E. It is best to use a local PDP whenever possible to avoid network calls between the PEP and
PDP. A remote PDP can be used when a local PDP is not available for the client technology, or for
other exceptional cases.
Explanation:
A, E: A remote PDP serves computing nodes located outside the secure environment. For
example, web servers located in the DMZ might leverage a central PDP deployed behind a
firewall. Policy enforcement is still local to the web servers, but decisions are made remotely.
C: OES integrates with OPSS (and other security platforms) to enable the use of local PEPs and
PDPs. OPSS is a standards-based Java framework of plug-in security services and APIs.
It provides the platform security for Oracle WebLogic Server.
Note: OES is a fine-grained authorization engine that simplifies the management of
complex entitlement policies. The authorization engine includes both local and
centralized PDPs. OES integrates with OPSS (and other security platforms) to
enable the use of local PEPs and PDPs. Policy administration is centralized,
providing a broad perspective of access privileges, yet delegated, enabling
multiple stakeholders to maintain the policies that affect them.
Note 2: PDP – Policy Decision Point, where policy is evaluated and a decision is made.
PDPs may be distributed throughout the IT environment and physically
co-located with PEPs to avoid network latency.
Note 3: PEP – Policy Enforcement Point, where permit/deny access decisions are enforced.
This is generally included in SOA Service or application infrastructure, such as
J2EE containers that manage security. It may also be represented as custom code
within a SOA Service or application, providing fine grained entitlements
evaluation.
Reference: Oracle Reference Architecture, Security, Release 3.1