
Thursday, September 15, 2011

Entitlement Servers - Overview - In Brief

Hello Friends,

For all of you who are beginners to Oracle Entitlement Server, this post gives a brief and very basic overview of the topic, excluding the installation part. Reading it once should give you a short but concrete idea of what an entitlement server does and how it achieves the goal of authorization.

This will help get you started. We won't discuss topics like PAP, PDP, PEP, PIP, fine-grained authorization and ASI here, in order to keep this first discussion simple.

As I said, this would be the basic overview, let's get started!

With the advent and progress of web technology, the demand to secure web resources has increased over time. This includes the basic processes of authentication and authorization for a web application.

While the authentication process verifies a particular user and determines whether the user is who he claims to be, the need for authorization arises when you must determine which authenticated user is allowed to access which resource in an application.
Take, for example, a bank web site's 'view account balance' link: users with different roles (customer, executive, manager, senior manager, etc.) and in different groups (accounts, loans) would have restricted access as to who is able to view or use the link.

This process of protecting a resource (the 'view account balance' link) and restricting the access of a particular subject (the authenticated user) to that resource is called the authorization process.

To achieve this security measure, complex business logic implementing the company's policies, based on the roles and groups of the subjects (users), is traditionally coded into the application itself. This makes the application bulky, and the result is slow and painful response times.

So the idea is to separate this complex security logic from the application itself, in order to keep the application lean and optimized for performance.

This task of entitlement (entitlement: which user is entitled to which resource in an application) is achieved through Entitlement Servers. An entitlement server intercepts an incoming request and authorizes it by mapping the user to the roles and groups she is assigned to and to the policy of the organization, finally granting or denying access to the particular resource of the application (in our case, the banking web site).

The entitlement server is available as a plug-in for different platforms and for a range of application containers like WebLogic and Tomcat. It is put as a wrapper around the application that is to be secured, intercepting each incoming request and allowing or denying access to the particular resource of the application.

For this authorization process, the entitlement server queries various external resources, such as an LDAP server (where information about subjects/users is stored) and the Policy Database (where the organizational policies are stored). The results of these queries are stored in caches (separate caches for the different modules of the Entitlement Server, such as the Entitlement Administration Server and the Security Service Modules, or SSMs). This is a performance advantage: the Administration Server and the SSMs read earlier policy decisions from the cache, reducing the number of external reads. Thanks to this caching mechanism, the SSMs can also continue to function when the external resources and the Administration Server are unavailable.

Another advantage of this approach is that whenever the organization's security policy or the security configuration changes, the change is made in one central location rather than disturbing the whole application.
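To make the flow described above concrete (intercept the request, resolve the subject's roles and groups, evaluate the central policy, cache the decision, and invalidate the cache when the policy changes centrally), here is a small constructed example. It is added for this post and is not Oracle's code: the directory, the rules, the user names and the `view_account_balance` resource are all made up, and the in-memory dictionary stands in for the LDAP server and policy database.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Constructed stand-in for the LDAP directory: user -> (roles, groups).
DIRECTORY = {
    "alice": (frozenset({"customer"}), frozenset()),
    "bob":   (frozenset({"manager"}),  frozenset({"accounts"})),
    "carol": (frozenset({"manager"}),  frozenset({"loans"})),
}

@dataclass(frozen=True)
class Rule:
    resource: str
    effect: str                            # "grant" or "deny"
    roles: FrozenSet[str] = frozenset()    # subject needs one of these (empty = any)
    groups: FrozenSet[str] = frozenset()   # subject needs one of these (empty = any)

# Constructed policy for the bank's 'view account balance' link.
BANK_POLICY = [
    Rule("view_account_balance", "grant", roles=frozenset({"customer"})),
    Rule("view_account_balance", "grant", roles=frozenset({"manager"}),
         groups=frozenset({"accounts"})),
    Rule("view_account_balance", "deny", groups=frozenset({"loans"})),
]

class EntitlementServer:
    """Toy decision point: evaluates rules (deny overrides) and caches decisions."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.cache: Dict[Tuple[str, str], bool] = {}
        self.lookups = 0   # external directory reads, to show the cache at work

    def is_authorized(self, user: str, resource: str) -> bool:
        key = (user, resource)
        if key in self.cache:              # earlier decision: no external read
            return self.cache[key]
        self.lookups += 1
        roles, groups = DIRECTORY.get(user, (frozenset(), frozenset()))
        decision = False                   # default deny: no matching grant
        for r in self.rules:
            if r.resource != resource or (r.roles and not r.roles & roles) \
                    or (r.groups and not r.groups & groups):
                continue
            if r.effect == "deny":
                decision = False
                break                      # a matching deny overrides any grant
            decision = True
        self.cache[key] = decision
        return decision

    def update_policy(self, rules) -> None:
        """Central policy change: swap the rules and drop every cached decision."""
        self.rules = list(rules)
        self.cache.clear()
```

A wrapper around the application's link then simply calls `is_authorized(user, "view_account_balance")` and returns the page or a denial, keeping the role and group logic out of the application.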

In simple words: the user supplies data via the request, the entitlement server applies the business (policy) logic to that request data, processes it, and responds with a permission decision for the user.

This is the basic concept that we achieve through Entitlement Servers.

Replies, comments and queries are most welcome, and I will try to help you to the best of my knowledge.

1 comment:

  1. Read more on OES in the next post, here:

    http://sudipto-turningtechnology.blogspot.in/2011/09/entitlement-server-architecturecomponen.html