Administration Module
The Administration Module provides the tools needed to manage each component of the system, such as databases or policies, in a user-friendly way. The module is available via web browser at: http://your_server_url:port/mistral/admin.
The administration console is protected by a username/password login.
- User: mistral_admin
- Password: It was set during the installation process.
To change the password, run the following from your Mistral installation folder:
java -jar ./utils/SetPassword/lib/passwordEncoder.jar [newPassword] > ./passwd
After changing the password, make sure the passwd file is writable only by the system administrator.
The main screen shows a menu with the different features you can manage:
- Database Configuration: Create the database structure needed to deploy Mistral-IdM.
- User and Roles Management: Create, edit or delete the users of the system, as well as the roles linked to those users.
- Resources Management: Define the resources to be protected.
- Policies Management: Set the Access Control Policies in order to perform the authorization process.
Database Configuration
In this section you can create the database structures needed to work with Mistral-IdM:
- LDAP
- eXist-DB
This software requires an LDAP server containing the user information. If you already have users defined in your LDAP structure, it is not necessary to create a new LDAP structure; you only have to configure the existing one (see Configure Mistral-IdM). Note that the "Create a new LDAP structure" button deletes your current LDAP information, so use this option only if you have a blank LDAP structure.
Mistral-IdM also requires an eXist-db database in order to store the policies and the role hierarchy. With eXist-db properly configured, the "Create a new eXist-db database" button creates the structure needed to store that information. This option deletes any existing Mistral-IdM eXist-db structure, that is, it deletes every role and policy defined in the system, so it should be used only for new installations.
The "Synchronize LDAP and eXist-db" button inserts the current LDAP user-role information into eXist-db. It is useful when making use of an existing LDAP structure which already has users and roles defined.
User and Roles Management
In Mistral-IdM you have to define the end users who will access the system; this is the basis of the authentication process. These end users are stored in the LDAP directory. From this section you can create, edit or delete end users and set their principal attributes, such as real name or password. End users are authenticated by their email addresses.
This section is also in charge of creating, editing or deleting roles, as well as establishing the role hierarchy. Each user should have one or more associated roles, because access control decisions are based on these roles.
Resources Management
Resources can be anything a Service Provider offers. As they are web resources, they are identified by URLs. Resources have to be defined in the system so that access control policies can be established based on them.
Resources are grouped in Entries, and these Entries are grouped in Catalogs, following the Web Services Resource Catalog (WS-RC) structure defined by IBM, HP and Microsoft Corporation. Therefore, to create a new resource definition you need to create a Catalog and, within it, create a new Entry.
To obtain more information about resource management, see how to protect a resource.
Policies Management
To achieve a complete access control process, an authorization procedure has to be executed after authentication. This authorization process is based on the Access Control Policies that have been defined, and those policies are managed in this section.
You can define as many policies as you need, and each policy defines a set of rules. A rule specifies whether specific actions, over specific resources, performed by users belonging to specific roles are allowed or not. For instance, a rule can state that any "teacher" (role) is allowed to "read" (action) the "Log files" (resource), or that "students" (role) are NOT allowed to perform any action on any application (resources).
When an end user tries to perform an action over a resource, the Authorization Provider evaluates the defined rules in order. So, if two rules conflict, the first applicable rule wins.
The policies are defined internally in XACML, making use of the XACML-RBAC profile, but this module abstracts the complexity of this standard.
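The following is an added illustration, not Mistral-IdM's own code, of the policy model described above: rules over (role, action, resource) with Permit/Deny effects, combined first-applicable, plus the role hierarchy from User and Roles Management modelled as "a senior role inherits its junior roles' permissions" (the XACML-RBAC convention). The two rules, the wildcard, and the "head_teacher" role are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

ANY = "*"  # wildcard: the rule applies to any action or any resource

@dataclass(frozen=True)
class Rule:
    """One policy rule: an effect for a (role, action, resource) triple."""
    role: str
    action: str
    resource: str
    effect: str  # "Permit" or "Deny"

    def applies(self, roles: Set[str], action: str, resource: str) -> bool:
        return (self.role in roles
                and self.action in (ANY, action)
                and self.resource in (ANY, resource))

def expand_roles(roles: Iterable[str], hierarchy: Dict[str, List[str]]) -> Set[str]:
    """Add, transitively, every junior role below the roles a user holds
    (a senior role inherits the permissions of its junior roles)."""
    result: Set[str] = set()
    pending = list(roles)
    while pending:
        role = pending.pop()
        if role not in result:
            result.add(role)
            pending.extend(hierarchy.get(role, []))
    return result

def evaluate(rules: List[Rule], roles: Set[str], action: str, resource: str) -> str:
    """First-applicable combining: the first rule in policy order that matches
    decides. No match gives NotApplicable, which a caller must treat as denied."""
    for rule in rules:
        if rule.applies(roles, action, resource):
            return rule.effect
    return "NotApplicable"

# Constructed sample policy mirroring the two rules described in the text.
POLICY = [
    Rule("teacher", "read", "Log files", "Permit"),
    Rule("student", ANY, ANY, "Deny"),
]
# Constructed hierarchy: a hypothetical "head_teacher" role is senior to "teacher".
HIERARCHY = {"head_teacher": ["teacher"]}

def decide(roles: Iterable[str], action: str, resource: str,
           rules: List[Rule] = POLICY) -> str:
    return evaluate(rules, expand_roles(roles, HIERARCHY), action, resource)
```

Evaluating a user who holds both "teacher" and "student" against POLICY and against the same rules in reverse order shows why rule order matters under first-applicable: the result flips from Permit to Deny.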