Centralized Security Policy with AquaLogic Enterprise Security: Part 1
Sample Application Architecture

Let's pick a very simple example architecture: A WebLogic Portal will invoke data services hosted by AquaLogic Data Services Platform.

Figure 1. A simple architecture: combined ALES, WebLogic Portal, and AquaLogic Data Services Platform

As shown in Figure 1, ALES provides a common security policy repository for both the portal and our data services. We will have SSMs deployed in the WebLogic Portal and AquaLogic Data Services Platform (ALDSP) domains taking policy from this central administration point. Note that while the SSMs communicate with the Admin Server for policy distributions, there is no runtime dependence for their operation. If the Admin Server were to suddenly go away, the SSMs would continue to operate (and even recover from persistent policy storage if they themselves failed).

Avitek Investments

Since ALES needs something to secure, let's pick a simplified problem of account and fund management for an investment bank. Avitek Investments is looking to create a single portal infrastructure that serves the needs of multiple types of users. For example, a customer should be able to log on to the portal to check account balances, a fund manager should be able to log on to monitor fund performance, and a financial advisor should be able to log on to help manage a customer's portfolio. Clearly there will need to be a separation of duties across these roles to make sure customers don't have access to fund manager functionality, and so forth.

Figure 2 shows one such view: the desktop a financial advisor sees after logging on.

Figure 2. A financial advisor's view of the Avitek Investments Portal

Users on the Avitek Investments Portal are subject to the following rules:

  1. Each role gets a differently configured desktop.
  2. Only "high net worth" customers get a Research Page.
  3. Fund managers can see only funds they are responsible for.
  4. Fund managers in the UK cannot use Fund Operations after 4:00 p.m.
  5. Financial advisors in California cannot view Risk Scores.

Clearly some of these policies need to be enforced in the WebLogic Portal tier (desktop layout, page visibility), and some need to be enforced in the ALDSP tier (which fund records a query may return). Note that there are also subtleties around role assignment: rule 2 depends on a dynamic role, since a customer is identified as "high net worth" based on the total amount held across their accounts rather than on a static group membership.
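To make the five rules concrete, here is an added example (written for this article, not ALES policy language or any Avitek code) that models them as a small policy decision point in Python. Subjects carry the attributes the rules depend on (role, region, account total, managed funds), the request carries the resource name and the subject's local wall-clock time, and every decision is default-deny. The resource naming scheme, the `HIGH_NET_WORTH_THRESHOLD` value and the region strings are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Set, Tuple

# Constructed threshold: the article says "high net worth" is derived from the
# total of a customer's accounts but gives no figure, so this is a placeholder.
HIGH_NET_WORTH_THRESHOLD = 1_000_000

ROLES = {"customer", "fund_manager", "financial_advisor"}


@dataclass(frozen=True)
class Subject:
    user: str
    role: str                                   # one of ROLES (static assignment)
    region: str                                 # e.g. "UK", "California", "New York"
    account_total: float = 0.0                  # meaningful for customers only
    managed_funds: FrozenSet[str] = frozenset() # meaningful for fund managers only


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: str    # "desktop/<role>", "research_page", "fund/<id>", "fund_operations", "risk_score"
    local_time: time # wall-clock time in the subject's region (caller converts time zones)


def effective_roles(subject: Subject) -> Set[str]:
    """Static role plus the dynamically computed 'high_net_worth' role (rule 2)."""
    roles = {subject.role}
    if subject.role == "customer" and subject.account_total >= HIGH_NET_WORTH_THRESHOLD:
        roles.add("high_net_worth")
    return roles


def decide(req: Request) -> Tuple[bool, str]:
    """Policy decision point: returns (allowed, reason). Anything not explicitly granted is denied."""
    s, res = req.subject, req.resource
    roles = effective_roles(s)
    if s.role not in ROLES:
        return False, "unknown role"

    # Rule 1: a user may open only the desktop built for their role.
    if res.startswith("desktop/"):
        wanted = res.split("/", 1)[1]
        return (wanted == s.role), f"desktop for role {wanted}"

    # Rule 2: the Research Page is visible only to high net worth customers.
    if res == "research_page":
        return ("high_net_worth" in roles), "research page requires high net worth"

    # Rule 3: fund managers see only the funds they are responsible for.
    if res.startswith("fund/"):
        fund = res.split("/", 1)[1]
        ok = s.role == "fund_manager" and fund in s.managed_funds
        return ok, (f"fund {fund} managed by subject" if ok else f"fund {fund} not managed by subject")

    # Rule 4: UK fund managers cannot use Fund Operations after 4:00 p.m. local time.
    if res == "fund_operations":
        if s.role != "fund_manager":
            return False, "fund operations are for fund managers"
        if s.region == "UK" and req.local_time >= time(16, 0):
            return False, "UK fund operations closed after 16:00"
        return True, "fund operations open"

    # Rule 5: financial advisors in California cannot view Risk Scores.
    if res == "risk_score":
        if s.role != "financial_advisor":
            return False, "risk scores are for financial advisors"
        if s.region == "California":
            return False, "risk scores not available in California"
        return True, "risk score visible"

    return False, "no rule grants access"


if __name__ == "__main__":
    # Constructed sample subjects.
    alice = Subject("alice", "customer", "New York", account_total=2_500_000)
    bob = Subject("bob", "fund_manager", "UK", managed_funds=frozenset({"growth"}))
    for req in (Request(alice, "research_page", time(10, 0)),
                Request(bob, "fund_operations", time(16, 5)),
                Request(bob, "fund/value", time(9, 0))):
        print(req.subject.user, req.resource, decide(req))
```

The point of the exercise is that the rules mix three kinds of input: static roles, attributes of the subject (region, managed funds), and environment (time of day), plus one role that is computed from account data at decision time. Keeping all of that in one decision function, with a default deny at the end, is what a central policy store like ALES lets both the portal and the data-services tier share instead of each re-implementing it.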

In this article we won't spend time discussing how to build the Avitek Investments portal; we'll assume it has already been constructed and these new policies need to be applied after the fact. This is a common situation in the real world, as policies change constantly to meet new business demands. Let's now look at how to configure WebLogic Portal and ALDSP to handle this scenario.

