This chapter describes the Entitlements Administration Application’s policy simulation feature.
The Entitlements Administration Application contains a policy simulation feature that allows you to troubleshoot, test, and understand how policies are enforced on a given application.
To perform a simulation, you specify a resource, action, and user. The simulator responds by displaying the relevant policies and indicates if authorization is allowed or denied. If attribute values were evaluated as part of the policy decision, the simulator allows you to perform additional simulations using different values of your choosing.
The policy simulator is subject to the following conditions:
BEA_HOME\ales32-admin\lib\simulator\providers\ales
.
Prior to running policy simulations, you must create and start a simulator for the SSM where the policies are being enforced. The simulator runs on the Administration Server.
Note: All existing simulators start when the Administration Server is started and stop when the server stops.
In the BEA_HOME\ales32-admin\bin directory, execute the following command:
createPolicySimulator.sh|bat <ssm_conf_id> <ws_port> <ARME_port>
<ssm_conf_id> — Configuration ID of the SSM being simulated.
<ws_port> — Any unused port number for use by the simulator web service.
<ARME_port> — Any unused port number used to simulate ARME policy distribution.
Example: ./createPolicySimulator.sh asiadmin 7015 7016
BEA_HOME\ales32-admin\simulators\<ssm_conf_id>\bin
and enter:
Note: To stop the simulator, enter stop.sh|bat in the same directory.
stop.sh|bat in the BEA_HOME\ales32-admin\simulators\<ssm_conf_id>\bin directory.
BEA_HOME\ales32-admin\simulators\<ssm_config_id>\bin directory.
BEA_HOME\ales32-admin\simulators\<ssm_conf_id> directory.
Access the Entitlements Administration Application and do the following:
The application must be bound to the SSM corresponding to the SSM simulator running on the Administration Server.
The relevant policies are evaluated and the simulator displays Allow or Deny as the authorization result. It also provides the following details:
Attributes
Any attribute values that were evaluated as part of the policy decision.
Groups
The user's current group assignments.
Roles
The roles that are currently assigned to the user by role policies.
Role Policies
The role policies relevant to the selected parameters, including any constraint conditions and results.
Authorization Policies
The authorization policies relevant to the selected parameters, including any constraint conditions and results.
The policy simulator log file is specified in the SSM simulator instance’s log4j.properties file. For example, if the SSM simulator instance name is my_ssm, the log4j.properties file is located in the following directory:
BEA_HOME\ales32-admin\simulators\<ssm_name>\config
In addition, useful information may be logged in the corresponding Web Service SSM log files.
This section provides a sample policy simulation in the Entitlements Administration Application and describes steps that you can follow to replicate the example should you want to do so. The simulated policy is a very basic one, but the inclusion of a constraint provides insight into the power of the simulation feature when more complex policies are involved.
The policy to be simulated is based on the following use case:
An application that lets customers perform online purchases is secured by
policies that allow purchases based on customer ‘status’. The specific policy
to be simulated examines the value of the user’s CustomerStatus attribute and,
if that value is Gold, it creates a response attribute that returns a spending
limit of 1000.00 to the application context.
The simulation is based on the existence of the objects shown in Table 5-1.
To perform the policy simulation:
In an actual deployment, the application must be bound to the SSM corresponding to the SSM simulator running on the Administration Server.
User — John Rogers
Resource — //WepApp/url/index.jsp
Action — Purchase
The initial policy result is Deny because no CustomerStatus attribute is available.
In the Attributes box, the simulator displays the CustomerStatus dynamic attribute and provides a field for you to simulate policy outcomes using values of your choosing.
Based on the attribute value, the policy returns a deny decision.
The policy outcome is Allow. The Response Name and Value fields indicate that the Limit response attribute was created and used to return “1,000.00” to the application context.
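The three outcomes of the sample simulation can be reproduced offline with a small model of the policy. This is an added example, not code from the product: the Policy class, the simulate function, the "Silver" value and the deny-by-default and deny-overrides rules are assumptions of the model, and roles and groups are not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    effect: str          # "grant" or "deny"
    action: str
    resource: str
    constraint: tuple    # (attribute name, required value)
    responses: dict = field(default_factory=dict)

# Constructed stand-in for the sample policy: grant Purchase when
# CustomerStatus is Gold and return Limit=1000.00 as a response attribute.
POLICIES = [
    Policy("grant", "Purchase", "//WepApp/url/index.jsp",
           ("CustomerStatus", "Gold"), {"Limit": "1000.00"}),
]

def simulate(user, resource, action, attributes=None, policies=POLICIES):
    """Evaluate one request; return the decision and the evaluation detail."""
    attributes = attributes or {}
    result = {"user": user, "decision": "Deny", "responses": {},
              "missing": [], "trace": []}
    for p in policies:
        if (p.resource, p.action) != (resource, action):
            continue
        name, required = p.constraint
        value = attributes.get(name)
        if name not in attributes:
            # No value supplied: the constraint cannot hold, so record the
            # attribute so the caller knows what to supply on a re-run.
            result["missing"].append(name)
        matched = value == required
        result["trace"].append((p.effect, name, value, matched))
        if not matched:
            continue
        if p.effect == "deny":
            # Assumption of this model: a matching deny overrides any grant.
            result.update(decision="Deny", responses={})
            return result
        result["decision"] = "Allow"
        result["responses"].update(p.responses)
    return result

if __name__ == "__main__":
    target = ("John Rogers", "//WepApp/url/index.jsp", "Purchase")
    for attrs in (None, {"CustomerStatus": "Silver"}, {"CustomerStatus": "Gold"}):
        r = simulate(*target, attributes=attrs)
        print(attrs, "->", r["decision"], r["responses"], "missing:", r["missing"])
```

The "missing" list corresponds to the attribute the simulator prompts for after the initial Deny, and "trace" to the constraint results shown alongside each policy.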