Security architecture

To know where to configure security, you must first understand the security architecture of Operational Decision Manager: its components and the network connections between them.

Figure 1. Operational Decision Manager security architecture

On-premises server installation

The diagram shows where Operational Decision Manager is installed on your application server:
  • The following applications and APIs are shared:
    • Decision Center Business console
    • Decision Center Enterprise console
    • Rule Execution Server console
    • Decision Center API
    • Rule Execution Server management API
    • Decision service API
  • The following components are part of the installation, but they are not publicly accessible since they are back-end components:
    • Decision model services

      Decision modeling is a feature introduced in the Decision Center Business console in V8.10.0. It adds a new WAR file, but no new user interface in the Business console.

    • Rule Execution Server
    • Decision Runner
  • Data is stored in databases, which are not publicly accessible because they are back-end components:
    • Decision Center database
    • Rule Execution Server database
    • Decision Warehouse database

    You secure the connections between the applications and data sources (databases and directory services) by configuring Java™ database connectivity (JDBC) over Transport Layer Security (TLS).

    Operational Decision Manager can use your company's directory service. In Decision Center, you can tap your own LDAP directories for authentication purposes, and to import users and groups, and assign permissions to groups. When you use LDAP over SSL, use ldaps://:.

Clients

On the client side of the diagram, you can see the following client applications:
  • Rule Designer is an Eclipse-based development environment that also interacts with the servers to synchronize projects and deploy decision services. This component is included in Operational Decision Manager.
  • Web browsers are used to interact with three Operational Decision Manager web applications:
    • Decision Center Business console
    • Decision Center Enterprise console
    • Rule Execution Server console

    For information about supported web browsers, see the Web Browsers section in the Prerequisites tab in Operational Decision Manager Detailed System Requirements.

  • Any command-line or client-side tool that executes administrative tasks, such as Ant tasks, scripts, and cURL commands.
  • Client applications that invoke decision services at run time.

Client/server communications

The following table summarizes which Operational Decision Manager component is the client and which is the server in different network communications.

Table 1. Client/server communications
| Client | Server | Purpose |
| --- | --- | --- |
| Rule Designer | Decision Center | Synchronize rule projects. |
| Rule Designer | Rule Execution Server | Deploy decision services. |
| Decision Center (See Note below this table) | Rule Execution Server | Deploy decision services. |
| Web browser | Decision Center Business console; Decision Center Enterprise console | Author and manage rules. |
| Web browser | Rule Execution Server console | Browse and deploy decision services. |
| Ant tasks | Rule Execution Server management API; Decision Center API | Any administrative tasks |
| Client applications | Decision service API | Invoke decision services. |

Note: In the exchange between Decision Center and Rule Execution Server, Decision Center is considered a client because it connects to Rule Execution Server for deployment.
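
The client/server pairs in Table 1, together with the statement that the databases are back-end components reached over TLS, can be used as a baseline for reviewing observed network flows. The following is an added example, not IBM code: the flow record format (client, server, TLS flag), the label "Directory service", and the sample flows are assumptions constructed for illustration.

```python
# Client/server pairs taken from Table 1 of this page.
TABLE_1 = {
    ("Rule Designer", "Decision Center"),
    ("Rule Designer", "Rule Execution Server"),
    ("Decision Center", "Rule Execution Server"),
    ("Web browser", "Decision Center Business console"),
    ("Web browser", "Decision Center Enterprise console"),
    ("Web browser", "Rule Execution Server console"),
    ("Ant tasks", "Rule Execution Server management API"),
    ("Ant tasks", "Decision Center API"),
    ("Client applications", "Decision service API"),
}
# Clients listed in the "Clients" section.
EXTERNAL_CLIENTS = {"Rule Designer", "Web browser", "Ant tasks", "Client applications"}
# Data sources that the page says are reached over TLS.
# "Directory service" is an assumed label for the LDAP directory.
DATA_SOURCES = {
    "Decision Center database",
    "Rule Execution Server database",
    "Decision Warehouse database",
    "Directory service",
}

def audit(flows):
    """Return (flow, finding) pairs for flows that contradict the architecture."""
    findings = []
    for flow in flows:
        client, server, tls = flow
        if server in DATA_SOURCES:
            if client in EXTERNAL_CLIENTS:
                findings.append((flow, "client reaches a back-end data source"))
            elif not tls:
                findings.append((flow, "data-source connection without TLS"))
        elif (client, server) not in TABLE_1:
            findings.append((flow, "flow not listed in Table 1"))
    return findings

# Constructed sample observations: (client, server, tls_in_use).
SAMPLE_FLOWS = [
    ("Rule Designer", "Decision Center", True),
    ("Decision Center", "Decision Center database", True),
    ("Rule Execution Server", "Rule Execution Server database", False),
    ("Web browser", "Decision Warehouse database", True),
    ("Client applications", "Decision Runner", True),
    ("Decision Center", "Directory service", False),
]

if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_FLOWS):
        print(f"{finding}: {flow[0]} -> {flow[1]} (tls={flow[2]})")
```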