Authentication and Authorization Identifiers

In Oracle Utilities Application Framework, the user identification is actually divided into two parts:

  • Authentication Identifier (aka Login Id) - This is the identifier used for authentication (challenge/response) for the product. This identifier is up to 256 characters in length and must be matched by the configured security repository for it to be checked against. By default, if you are using Oracle WebLogic, there is an internal LDAP-based security system that can be used for this purpose. It is possible to link to external security repositories using the wide range of Oracle WebLogic security providers included in the installation. This applies to Single Sign On solutions as well.
  • Authorization Identifier (aka UserId) - This is the short user identifier (up to 8 characters in length) used for all service and action authorization as well as low level access. 

The two identifiers are separated for a couple of key reasons:

  • Authentication Identifiers can be changed. Use cases such as a change of name or business changes mean that the authentication identifier needs to be changeable. As long as the security repository is changed as well, the identifier stays in synchronization for correct login.
  • Authentication Identifiers are typically email addresses which can vary and are subject to change. For example, if the company is acquired then the user domain most probably will change.
  • Changes to Authentication Identifiers do not affect any existing audit or authorization records. As the authorization user is used for internal processing, the authentication identifier, while tracked, is not used for security internally once you have been successfully authenticated.
  • Authorization Identifiers are not changeable. They can be related to the Authentication Identifier, such as using the first initial and first 7 characters of the surname, or be randomly generated by an external Identity Management solution.
  • One of the main reasons the Authorization Identifier is limited in size is to allow a wide range of security solutions to be hooked into the architecture and provide an efficient means of tracking. For example, the identifier is propagated in the connection across the architecture to allow for end to end tracking of transactions.
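
The following sketch is an added example, not Oracle Utilities Application Framework code. It models the split described above: a changeable login id of up to 256 characters mapped to a fixed user id of up to 8 characters, with audit rows keyed only on the user id. The `IdentityMap` class, the upper-casing and the numeric suffix used on collisions are assumptions of this example.

```python
MAX_LOGIN_LEN = 256  # Authentication Identifier limit stated in the text
MAX_USER_LEN = 8     # Authorization Identifier limit stated in the text

def derive_user_id(first_name, surname, taken):
    """First initial + first 7 characters of the surname, as in the text.
    Upper-casing and the numeric collision suffix are assumptions."""
    def letters(s):
        return "".join(c for c in s if c.isalnum())
    base = (letters(first_name)[:1] + letters(surname)[:7]).upper()[:MAX_USER_LEN]
    if not base:
        raise ValueError("name yields an empty identifier")
    candidate, n = base, 1
    while candidate in taken:
        suffix = str(n)
        candidate = base[:MAX_USER_LEN - len(suffix)] + suffix
        n += 1
    return candidate

class IdentityMap:
    """Hypothetical store: mutable login id -> immutable user id, plus audit."""
    def __init__(self):
        self.login_to_user = {}
        self.audit = []  # (user_id, action): keyed on the authorization id only

    def _check_login(self, login_id):
        if not login_id or len(login_id) > MAX_LOGIN_LEN:
            raise ValueError("login id must be 1..256 characters")
        if login_id in self.login_to_user:
            raise ValueError("login id already in use")

    def register(self, login_id, first_name, surname):
        self._check_login(login_id)
        taken = set(self.login_to_user.values())
        user_id = derive_user_id(first_name, surname, taken)
        self.login_to_user[login_id] = user_id
        return user_id

    def change_login(self, old_login, new_login):
        # Only the mapping key moves; the user id and audit rows are untouched.
        self._check_login(new_login)
        self.login_to_user[new_login] = self.login_to_user.pop(old_login)

    def record(self, login_id, action):
        # After authentication, only the authorization id is written.
        self.audit.append((self.login_to_user[login_id], action))

    def actions_for(self, user_id):
        return [action for uid, action in self.audit if uid == user_id]
```

Renaming a login with `change_login` leaves every earlier audit row attributable to the same user id, which is the property the list above relies on.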

Security has been augmented in the last few releases of the Oracle Utilities Application Framework to allow various flexible levels of control and tracking. Each implementation can decide which aspects of security it wants to track, using the tools available or third-party tools (if they want that).


    Viewing all articles
    Browse latest Browse all 311

    Trending Articles