 
Sun Java System Access Manager and Sun Java System Federation Manager FAQ

Sun Java System Access Manager and Sun Java System Federation Manager FAQ: Service Management SDK


 

Q: Can I run the Service Management SDK remotely?

Yes, as long as you deem it acceptable that the remote SDK communicates directly with the directory for configuration data through LDAP. From Access Manager 6.3 onward, support for the remote Service Management SDK with the Java API for XML-Based Remote Procedure Call (JAX-RPC) is available.

Q: Can I deploy the ampassword application on a server other than the Access Manager server?

No, Access Manager does not support deployment of ampassword in the Dist-Auth instance or in a stand-alone container.

Q: How does access control work in service management in Access Manager?

Access control for service management is based on a delegation model. Realms enable the delegation of policy management privileges within a realm hierarchy. In service management, Access Manager obtains and evaluates delegation permissions through the com.sun.identity.delegation APIs for read, write, save, and delete operations.

The DelegationPermission parameter specifies an access-control permission on a resource in a realm. The parameter contains a realm name, a service name, a version number, a configuration type, a subconfiguration name, and a set of actions a duly authorized user can perform. Additionally, DelegationPermission contains a map for future extensions.

The DelegationEvaluator parameter evaluates access permissions. Based on the results of the evaluation, Access Manager allows or denies users the privilege of performing actions on the resources of a realm. For more information on setting permissions and rules, see the Access Manager documentation on policies and delegations.

Q: How many plug-ins or data stores are supported for service management in Access Manager out of the box?

Access Manager supports only Sun Java System Directory Server.

Q: What attributes and object classes are added by Access Manager?

See Appendix B in the Sun Java System Access Manager Postinstallation Guide.

Q: What LDAP operations are supported by the LDAP Version 3 Repository Plug-in?

The LDAP Version 3 Repository Plug-in supports four high-level operations: create, delete, edit, and read.

Q: What user and group object classes can I add to a user entry in the data store of the LDAP Version 3 Repository Plug-in?

See Appendix B in the Sun Java System Access Manager Postinstallation Guide.

Q: If I don't use the user management and delegation capabilities, which Access Control Instructions (ACIs) can I delete?

You can delete the ACIs for the following roles:

  • Top-level Help Desk Admin
  • Top-level Policy Admin
  • Organization Admin
  • Organization Help Desk Admin
  • Container Admin
  • Organization Policy Admin
  • Group Admin

Be sure to retain the following ACIs:

  • "Top-level Admin Role"
  • "cn=dsameuser,ou=DSAME Users,dc=cingular,dc=com"
  • "cn=puser,ou=DSAME Users,dc=cingular,dc=com"
  • "cn=amldapuser,ou=DSAME Users,dc=cingular,dc=com"
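
One way to apply the two lists above to an LDIF export of the directory's aci values, as an added example that is not part of the original FAQ or of Access Manager: the script classifies each ACI by the subject of its bind rule and leaves anything it does not recognize for manual review. The dc=example,dc=com suffix, the ACL names and the role entry DNs (role name followed by " Role") in the sample are constructed assumptions.

```python
import base64
import re

# Names copied from the FAQ answer above; the directory suffix is left out.
DELETABLE_ROLES = ["Top-level Help Desk Admin", "Top-level Policy Admin",
                   "Organization Admin", "Organization Help Desk Admin",
                   "Container Admin", "Organization Policy Admin", "Group Admin"]
RETAINED = ["cn=Top-level Admin Role", "cn=dsameuser,ou=DSAME Users",
            "cn=puser,ou=DSAME Users", "cn=amldapuser,ou=DSAME Users"]

# Only the bind-rule subject counts: a targetfilter may name unrelated roles.
BIND_RE = re.compile(r'\b(?:userdn|roledn|groupdn)\s*!?=\s*"([^"]*)"', re.I)

def iter_acis(ldif):
    """Yield each aci value from LDIF text, unfolding continuation lines."""
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():
        if line.lower().startswith("aci::"):  # base64-encoded value
            yield base64.b64decode(line[5:].strip()).decode("utf-8")
        elif line.lower().startswith("aci:"):
            yield line[4:].strip()

def classify(aci):
    """Return 'retain', 'delete-candidate' or 'review' for one ACI."""
    subjects = " ".join(BIND_RE.findall(aci)).lower()
    if any(s.lower() in subjects for s in RETAINED):
        return "retain"  # a retained subject always wins
    if any(r.lower() in subjects for r in DELETABLE_ROLES):
        return "delete-candidate"
    return "review"  # unknown subject: a person decides

def triage(ldif):
    return [(classify(a), a) for a in iter_acis(ldif)]

# Constructed sample export; suffix, ACL names and role entry DNs are made up.
SAMPLE_LDIF = '''dn: dc=example,dc=com
aci: (targetattr="*")(version 3.0; acl "sample 1"; allow (all)
  roledn = "ldap:///cn=Top-level Admin Role,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "sample 2"; allow (all)
  userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=example,dc=com";)
aci: (targetfilter=(!(nsroledn=cn=Top-level Admin Role,dc=example,dc=com)))
 (targetattr="*")(version 3.0; acl "sample 3"; allow (all)
  roledn = "ldap:///cn=Organization Admin Role,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "sample 4"; allow (read,search)
  roledn = "ldap:///cn=Top-level Help Desk Admin Role,dc=example,dc=com";)
aci: (targetattr="*")(version 3.0; acl "sample 5"; allow (read) userdn = "ldap:///self";)
'''
if __name__ == "__main__":
    for verdict, aci in triage(SAMPLE_LDIF):
        print(f"{verdict:17}{aci[:70]}")
```

The third sample ACI mentions the Top-level Admin Role only in its targetfilter, so it is still reported as a deletion candidate for the Organization Admin role.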
 
