Oracle® Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition)
11g Release 1 (220.127.116.11.0)
Part Number E20839-01
The information in this chapter is specific to Oracle Fusion Applications only.
This chapter describes how to use Oracle Authorization Policy Manager to upgrade application policies in an LDAP-based domain policy store with the changes introduced by a new release of the application.
Details are explained in the following sections:
First we introduce some terms used throughout this chapter, and then an overview of the process of upgrading the policy store.
The following terms refer to the three policy stores involved in an application policy upgrading. They are also used in the Oracle Authorization Policy Manager user-interface.
Baseline - The original policy store, represented by the XML file jazn-data.xml and available with the application out-of-the-box. Presumably, this policy store was migrated to the domain policy store when the application was first deployed.
Production - The domain policy store, where the current state of application policies resides. This store is assumed to be LDAP-based. Presumably, policies in the application stripe in this store have undergone modifications since the application was first deployed.
Patch - The policy store that describes the application policies of the new version of the application; it is specified by the Patch file when a patching process is started.
Application policy upgrading lets security administrators solve a problem they face every time a new version of an application is released.
Out-of-the-box, an application typically includes the file jazn-data.xml (baseline policy store) that describes the application policies for that particular version of the application. Typically, at application deployment the baseline policy store is migrated to the domain policy store (production policy store) for the first time.
Thereafter, application policies in the production store may undergo modifications to accommodate evolving requirements; these changes include adding, deleting, or modifying any application-specific security artifact such as roles, grants, resource types, resources, and entitlements.
When a new version of the application is available and before that new version is deployed, a security administrator needs to:
Identify the customizations that have been introduced since the migration of the old application version, that is, the delta between the baseline and the production stores.
Identify the differences between the customized application policies and the policies in the new application version, that is, the delta between the production and patch stores.
Decide, for each difference, which artifact to use.
Oracle Authorization Policy Manager facilitates the resolution of each of the above tasks by providing a security administrator with a user interface that allows the administrator to:
Analyze a new patch, that is, generate all differences.
Inspect and decide, for each difference reported by the analysis, which specification to use.
Apply the patch.
Important: Before patching application policies, make sure that you back up the policy store as explained in Prerequisites to Patching Policies.
The analysis must be performed first. The resolution of changes and conflicts is performed next. These tasks do not have any particular requirements and can be accomplished at different times during one Oracle Authorization Policy Manager session or even across different sessions.
Before applying a patch, however, proceed as follows:
Take offline any WebLogic domain that uses the policy store where the application policies to be patched reside.
Back up the policy store by using either of the following tools:
Oracle Internet Directory ldifwrite to obtain an LDIF file for the policy store. For an example of use of this command, see Oracle Fusion Middleware Application Security Guide.
Oracle Platform Security Services migrateSecurityStore to export the policy store into a replica of it. For details about this command, see Oracle Fusion Middleware Application Security Guide.
Now you can apply the patch.
If for any reason the policy store needs to be restored, proceed as follows:
If you have saved the policy store in an LDIF file, use bulkload to restore it. For details about this command, see Oracle Fusion Middleware Application Security Guide.
If you have exported the policy store, use Oracle Platform Security Services migrateSecurityStore to restore it. For details about this command, see Oracle Fusion Middleware Application Security Guide.
The Policy Upgrade Management tab, partially illustrated in Figure 7-1, contains the tab Home, where the upgrading process begins and which succinctly describes the steps you follow to upgrade application policies. The first step is to select the application whose policies to upgrade.
To select application policies to patch, proceed as follows:
In the Home tab of the Policy Upgrade Management page, click the button Patch Application at the top left corner of the page to bring up the Patch Application dialog illustrated in Figure 7-2.
In this dialog, select the application to patch from the Application pull-down list. This list shows only the applications currently deployed in the domain, so an application must be deployed before it can be selected.
Once you have selected the application, the dialog takes a different form depending on whether the selected application has a patching in progress:
If the application has a patching in progress, then you can continue with it or abort it.
Otherwise, if the application does not have a patching in progress, then you can initiate a new patching process by selecting the Baseline file and the Patch file, and then clicking OK. The only Patch Method available in this release is a 3-way DIFF, which considers differences between the baseline, the production, and the patch stores.
The Baseline specifies the location of the baseline policy store.
The Patch file specifies the location of the patch policy store.
From here on, it is assumed that you have started a new patching process. Oracle Authorization Policy Manager displays an indicator showing the progress of the analysis phase in the Patch Application dialog. Once this phase is completed, the Patch Application dialog displays the statistics of the analysis as illustrated in Figure 7-3.
To launch the patch resolution phase, check the box Launch Patch Resolution (checked by default), and then click OK.
Oracle Authorization Policy Manager then creates a new tab (named after the application display name) that contains the details of the results, that is, the conflicts and differences encountered, in two sub-tabs:
General - This tab displays the files you specified at the start of the patching and a chart showing the number of changes and conflicts found, per artifact, between the baseline and the patch stores. For details about these terms, see Changes and Conflicts. Figure 7-4 illustrates the General tab.
To terminate the current patching process and to delete the analysis data gathered thus far, click the button Discard; once the patch is discarded, the tab for the application is deleted from the Patching tab.
The Patch Details tab, illustrated partially in Figure 7-5, contains two major areas: the left area displays a hierarchical overview of changes and conflicts per artifact that resulted from the comparisons; the right area displays the details of changes and conflicts for an artifact selected from the left area.
To view the specifics of an object's differences, click Changes or Conflicts under the object; the differences are then displayed in the right area of the tab. Each row in the table identifying a difference has a type that indicates whether the difference is a change (double arrow icon) or a conflict (exclamation mark icon). For details about these terms, see Changes and Conflicts.
To view a change or conflict for an artifact, select the corresponding icon (Changes or Conflicts) under the artifact. All changes or conflicts are then displayed in a table at the top of the page.
Figure 7-6 partially illustrates the page showing role conflicts.
To view conflict details for a specific item in the table, select the item to display the different specifications found in the 3-Way DIFF Details area. Figure 7-7 illustrates the differences for a role.
The Status column shows whether a change or a conflict has been resolved (green check icon) or not (gray square icon).
The Related Issues column shows whether a change or conflict has implied dependencies; to view them, click the icon in this column to display the Patch Artifact Dependencies dialog, which displays, among other information, the reasons why other artifacts would be affected when resolving a difference for an artifact.
Figure 7-8 partially illustrates the dependencies implied by differences in a pair of roles. Specifically, it illustrates a baseline role App_Z that is not modified in the production store but modified in the patch store as follows: (a) the display name and the role description are changed; and (b) the new role App_Znew is a child of the role App_Z.
A patch difference identifies a disparity between the specifications of a security artifact in some of the policy stores involved in the analysis. Oracle Authorization Policy Manager lists patch differences as changes or conflicts. These terms and how to resolve them are explained in the following sections:
To better explain the terminology used, assume that Abase, Aprod, and Apatch denote the states of an artifact in the baseline, production, and patch stores, respectively.
A patch difference is called a change when Abase and Apatch are equal, and Aprod is different from Apatch.
A patch difference is called a conflict when Abase and Apatch are different, and Aprod is different from Apatch.
Resolving an artifact change or conflict means choosing which specification to use: the one in the production store or the one in the patch store.
Even though there is a default resolution for each artifact change or conflict, it is recommended that all changes and conflicts be resolved manually before you proceed to apply the patch.
To resolve a change or conflict for an artifact, proceed as follows:
Select the artifact in the Conflicts table, to display the specifications for the artifact found in each of the three stores at the bottom of the page.
Inspect specification differences and decide which one to use; to use the production store, click the button Use Production; to use the specification in the patch store, click the button Use Patch.
Important Note: The decision that you make in this step may imply necessary changes to other artifacts. These changes, necessary to preserve data consistency, are called dependencies.
Oracle Authorization Policy Manager displays the dependencies that a decision implies and requests your confirmation before setting the value.
The decision value set for a change or conflict can be reset at any time. For any change or conflict left unresolved, Oracle Authorization Policy Manager applies one of the following default values:
For a change, Use Patch.
For a conflict, Use Production.
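As an added example (not Oracle's code), the rules of this section applied in Python to three constructed sample stores: each artifact's specification is compared across the baseline, production and patch stores, every difference is classified as a change or a conflict and given its default decision, and the administrator's Use Production / Use Patch choices can override those defaults before the patched stripe is built. Store contents and artifact names are constructed for illustration.

```python
# Added example (not Oracle's code): a minimal 3-way DIFF classifier that applies
# the change/conflict definitions and default resolutions given in this chapter to
# constructed sample stores. Each store maps artifact name -> specification.
BASELINE = {  # jazn-data.xml shipped with the currently deployed version
    "App_Z": {"displayName": "App Z", "description": "Baseline role"},
    "App_Admin": {"displayName": "Admin", "description": "Administers the app"},
    "App_Viewer": {"displayName": "Viewer", "description": "Read-only access"},
}
PRODUCTION = {  # domain policy store, customized on site since first deployment
    "App_Z": {"displayName": "App Z", "description": "Baseline role"},
    "App_Admin": {"displayName": "Admin", "description": "Site-customized admin"},
    "App_Viewer": {"displayName": "Viewer", "description": "Read-only (site wording)"},
}
PATCH = {  # jazn-data.xml shipped with the new application version
    "App_Z": {"displayName": "App Z (new)", "description": "Updated in patch"},
    "App_Admin": {"displayName": "Admin", "description": "Patched admin"},
    "App_Viewer": {"displayName": "Viewer", "description": "Read-only access"},
}
DEFAULT_RESOLUTION = {"change": "Use Patch", "conflict": "Use Production"}

def classify(a_base, a_prod, a_patch):
    """Return 'change', 'conflict', or None for one artifact's three states."""
    if a_prod == a_patch:
        return None          # production already matches the patch: nothing to resolve
    if a_base == a_patch:
        return "change"      # Abase == Apatch and Aprod != Apatch
    return "conflict"        # Abase != Apatch and Aprod != Apatch

def analyze(base, prod, patch):
    """Analysis phase: every difference with the default decision that would apply."""
    report = {}
    for name in sorted(set(base) | set(prod) | set(patch)):
        kind = classify(base.get(name), prod.get(name), patch.get(name))
        if kind:
            report[name] = {"type": kind, "decision": DEFAULT_RESOLUTION[kind]}
    return report

def apply_patch(base, prod, patch, decisions=None):
    """Resolution phase: build the patched stripe; `decisions` overrides defaults by name."""
    resolved = dict(prod)
    for name, entry in analyze(base, prod, patch).items():
        decision = (decisions or {}).get(name, entry["decision"])
        spec = patch.get(name) if decision == "Use Patch" else prod.get(name)
        if spec is None:
            resolved.pop(name, None)  # the chosen store lacks the artifact: drop it
        else:
            resolved[name] = spec
    return resolved
```

With the defaults, the site customization of App_Viewer is replaced by the patch specification while App_Z and App_Admin keep their production specifications; passing {"App_Z": "Use Patch"} as decisions takes the patched App_Z instead.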
The procedure in this section assumes that:
All changes and conflicts reported in the Patch Checklist of the Patch Details tab have been resolved (manually or by default).
The prerequisites stated in Prerequisites to Patching Policies are met.
To apply a patch, proceed as follows:
Click the button Apply Patch in the application's patching tab to initiate the patching process, which will modify the application policy stripe in the domain LDAP store.
Once the application of the patch is completed, you are ready to deploy the new version of the application.
Make sure that when deploying it, the automatic migration of policies is turned off so that the application policies you have just patched are not modified when the application is deployed.
For details about how to manage the migration of policies when the application is deployed with Oracle Enterprise Manager Fusion Middleware Control, see Oracle Fusion Middleware Application Security Guide.