Mapping Access Manager Roles to Principal Names (Sun Java System Access Manager Policy Agent 2.2 Guide for BEA WebLogic Server 9.0/9.1)

Sun Java System Access Manager Policy Agent 2.2 Guide for BEA WebLogic Server 9.0/9.1

Mapping Access Manager Roles to Principal Names

If you run this agent in J2EE_POLICY mode, map Access Manager roles to the principal names in the respective application's deployment descriptor file (or files):

weblogic.xml
weblogic-ejb-jar.xml

Access Manager roles are represented in UUIDs. For more information on UUIDs, see the following:

A UUID for an Access Manager role is mapped to the respective principal name in the weblogic.xml file or the weblogic-ejb-jar.xml file. Specifically, the principal name is located within the <principal-name> element.

Mapping is established by setting the property com.sun.identity.agents.config.privileged.attribute.mapping[] in the J2EE agent AMAgent.properties configuration file.

Note –

Ensure that the keys in the mapping are UUIDs corresponding to your site's Access Manager installation. The values are the principal names in the weblogic.xml file or the weblogic-ejb-jar.xml file.

In previous releases of BEA WebLogic, this mapping is not required. The UUIDs representing Access Manager roles are used directly in the weblogic.xml file or the weblogic-ejb-jar.xml file as principal names.

However, in BEA WebLogic 9.0, a principal name within the weblogic.xml file or the weblogic-ejb-jar.xml file must be of the NMTOKEN format. This format is mandated by the corresponding schema files.

Access Manager UUIDs contain characters, such as the following:

=

,

&

These characters are not in NMTOKEN character sets. Therefore, the UUIDs representing Access Manager roles cannot be used directly as principal names. Instead, they must be mapped to characters in the NMTOKEN character set, which includes letters and digits as well as the following characters (period, hyphen, underscore, and colon):

.

-

_

:

The following examples, which use “\” as an escape character before the special character “=,” illustrate how this property can be set:

com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager,ou\=role,
dc\=iplanet,dc\=com] = am_manager_role

com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager,ou\=role,
dc\=iplanet,dc\=com] = am_employee_role

For more information on this property, see the mapping-related attributes in Privileged Attribute Processing Properties.