Skip Headers
Oracle® Fusion Middleware Application Security Guide
11g Release 1 (11.1.1)

Part Number E10043-11
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

B File-Based Identity and Policy Store Reference

This appendix describes the elements and attributes in system-jazn-data.xml, which is the default store for file-based identity and policy stores in Oracle Platform Security Services.

Note:

The file-based identity store is supported for Java SE applications only.

This appendix covers the following topics:

B.1 Hierarchy of Elements in system-jazn-data.xml

This section shows the element hierarchy of system-jazn-data.xml, or an application-specific jazn-data.xml file. The direct subelements of the <jazn-data> root element are:

Note:

The <jazn-principal-classes> and <jazn-permission-classes> elements and their subelements may appear in the system-jazn-data.xml schema definition as subelements of <policy-store>, but are for backward compatibility only.

Table B-1 Hierarchy of Elements in system-jazn-data.xml

Hierarchy Description
<jazn-data>

This is the top-level element in the system-jazn-data.xml file.

<jazn-realm>  {0 or 1}
        <realm>  {0 or more}
            <name>  {1}
            <users>  {0 or 1}
                <user>  {0 or more}
                    <name>  {1}
                    <display-name>  {0 or 1}
                    <description>  {0 or 1}
                    <guid>  {0 or 1}
                    <credentials>  {0 or 1}
            <roles>  {0 or 1}
                <role>  {0 or more}
                    <name>  {1}
                    <display-name>  {0 or 1}
                    <description>  {0 or 1}
                    <guid>  {0 or 1}
                    <members>  {0 or 1}
                        <member>  {0 or more}
                            <type>  {1}
                            <name>  {1}
                    <owners>  {0 or 1}
                        <owner>  {0 or more}
                            <type>  {1}
                            <name>  {1}

The <jazn-realm> section specifies security realms, and the users and enterprise groups (as opposed to application-level roles) included in each realm.

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                |   <app-role> {1 or more}
                |       <name> {1}
                |       <class> {1}
                |       <display-name> {0 or 1}
                |       <description> {0 or 1}
                |       <guid> {0 or 1}
                |       <uniquename> {0 or 1}
                |       <extended-attributes> {0 or 1}
                |       |   <attribute> {1 or more}
                |       |       <name> {1}
                |       |       <values> {1}
                |       |           <value>  {1 or more}
                |       <members> {0 or 1}
                |           <member> {1 or more}
                |               <name> {1}
                |               <class> {1}
                |               <uniquename> {0 or 1}
                |               <guid> {0 or 1}
                <role-categories>
                |   <role-category>
                |      <name>
                |      <display-name>
                |      <description>
                |      <members>
                |         <role-name-ref>
                <resource-types>
                |   <resource-type>
                |      <name>
                |      <display-name>
                |      <description>
                |      <provider-name>
                |      <matcher-class>
                |      <actions-delimiter>
                |      <actions>
                <resources>
                |    <resource>
                |       <name>
                |       <display-name>
                |       <description>
                |       <type-name-ref>
                <permission-sets>
                |   <permission-set>
                |       <name>
                |       <member-resources>
                |          <member-resource>      
                |              <resource-name>
                |              <type-name-ref>
                |              <actions>
                <jazn-policy> {0 or 1}
                |   <grant> {0 or more}
                |       <description> {0 or 1}
                |       <grantee> {0 or 1}
                |       |   <principals> {0 or 1}
                |       |       <principal> {0 or more}
                |       |           <name> {1}
                |       |           <class> {1}
                |       |           <uniquename> {0 or 1}
                |       |           <guid> {0 or 1}
                |       |   <codesource> {0 or 1}
                |       |       <url> {1}
                |       <permissions> {0 or 1}
                |           <permission> {1 or more}
                |               <class> {1}
                |               <name> {0 or 1}
                |               <actions> {0 or 1}

The <policy-store> section configures application-level policies. You can define roles at the application level, and members in the roles. Members can be users or roles.

When <jazn-policy> is specified under the <application> element, it specifies policies at the application level.

<jazn-policy> can also appear under the <jazn-data> element, in which case it specifies policies at the system level.

<jazn-policy> {0 or 1}
       <grant> {0 or more}
          <description> {0 or 1}
          <grantee> {0 or 1}
          |   <principals> {0 or 1}
          |      <principal> {0 or more}
          |         <name> {1}
          |         <class> {1}
          |         <uniquename> {0 or 1}
          |         <guid> {0 or 1}
          |   <codesource> {0 or 1}
          |      <url> {1}
          <permissions> {0 or 1}
              <permission> {1 or more}
                 <class> {1}
                 <name> {0 or 1}
                 <actions> {0 or 1}
          <permission-sets>
          |   <permission-set>
          |      <name>

When the <jazn-policy> element is located under the <jazn-data> element, it specifies policies at the system-level.

<jazn-policy> can also appear under the <application> element, in which case it specifies policies at the application level.


 

B.2 Elements and Attributes of system-jazn-data.xml

This section describes the elements and attributes in the system-jazn-data.xml file.

Notes:

  • You can update most settings in system-jazn-data.xml through Oracle Enterprise Manager Fusion Middleware Control.


<actions>

This element specifies the operations permitted by the associated permission class. Values are case-sensitive and are specific to each permission implementation. Examples of actions are "invoke" and "read,write".

Parent Element

<permission>

Child Elements

None

Occurrence

Optional, zero or one:

<jazn-policy> {0 or 1}
    <grant> {0 or more}
       <description> {0 or 1}
       <grantee> {0 or 1}
           <principals> {0 or 1}
           ...
           <codesource> {0 or 1}
              <url> {1}
       <permissions> {0 or 1}
           <permission> {1 or more}
              <class> {1}
              <name> {0 or 1}
              <actions> {0 or 1}

Examples

See <jazn-policy> for examples.


<actions-delimiter>

This element specifies the character used to separate the actions of the associated resource type.

Parent Element

<resource-types>

Child Elements

<name>, <display-name>, <description>, <actions><roles>, <users>

Occurrence

Optional, zero or more

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                ...
                <role-categories>
                ...
                <resource-types>
                   <resource-type>
                      <name>
                      <display-name>
                      <description>
                      <provider-name>
                      <matcher-class>
                      <actions-delimiter>
                      <actions>

Example

For an example, see <resource-type>.


<app-role>

This element specifies an application role.

Required subelements specify the following:

Optional subelements can specify the following:

Parent Element

<app-roles>

Child Elements

<class>, <description>, <display-name>, <guid>, <members>, <name>, <uniquename>

Occurrence

Required, one or more:

<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}
                    <description> {0 or 1}
                    <guid> {0 or 1}
                    <uniquename> {0 or 1}
                    <extended-attributes> {0 or 1}
                        <attribute> {1 or more}
                            <name> {1}
                            <values> {1}
                                <value>  {1 or more}
                    <members> {0 or 1}
                        <member> {1 or more}
                            <name> {1}
                            <class> {1}
                            <uniquename> {0 or 1}
                            <guid> {0 or 1}

Examples

See <policy-store> for examples.


<app-roles>

This element specifies a set of application roles.

Parent Element

<application>

Child Elements

<app-role>

Occurrence

Optional, zero or one:

<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                ...

Example

See <policy-store> for examples.


<application>

This element specifies roles and policies for an application.

Required subelements specify the following information for an application:

Optional subelements can specify the following:

Parent Element

<applications>

Child Elements

<app-roles>, <description>,, <jazn-policy>, <name>, <permission-sets>, <resource-types>, <resources>, <role-categories>

Occurrence

Required, one or more:

<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                ...

Example

See <policy-store> for examples.


<applications>

This element specifies a set of applictions.

Parent Element

<policy-store>

Child Elements

<application>

Occurrence

Optional, zero or one

<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
        ...

Example

See <policy-store> for an example.


<attribute>

This element specifies an attribute of an application role.

Parent Element

<extended-attributes>

Child Elements

<name>, <values>

Occurrence

Required, one or more:

<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}
                    <description> {0 or 1}
                    <guid> {0 or 1}
                    <uniquename> {0 or 1}
                    <extended-attributes> {0 or 1}
                        <attribute> {1 or more}
                            <name> {1}
                            <values> {1}
                                <value>  {1 or more}
                            <guid> {0 or 1}

<class>

This element specifies several values depending on its location in the configuration file:

Parent Element

<app-role>, <member>, <principal>, or <permission>

Child Elements

None

Occurrence

Required, one only

<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    ...
                    <members> {0 or 1}
                        <member> {1 or more}
                            <name> {1}
                            <class> {1}
                            <uniquename> {0 or 1}
                            <guid> {0 or 1}
<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                ...
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

Example

See <jazn-policy> and <policy-store> for examples.


<codesource>

This element specifies the URL of the code to which permissions are granted.

The policy configuration can also include a <principals> element, in addition to the <codesource> element. Both elements are children of a <grantee> element and they specify who or what the permissions in question are being granted to.

For variables that can be used in the specification of a <codesource> URL, see <url>.

Parent Element

<grantee>

Child Elements

<url>

Occurrence

Optional, zero or one

<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

Example

See <jazn-policy> for examples.


<credentials>

This element specifies the authentication password for a user. The credentials are, by default, in obfuscated form.

Parent Element

<user>

Child Elements

None

Occurrence

Optional, zero or one

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
            <user>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <credentials>  {0 or 1}

Example

See <jazn-realm> for examples.


<description>

This element specifies a text string that provides textual information about an item. Depending on the parent element, the item can be an application role, application policy, permission grant, security role, or user.

Parent Element

<app-role>, <application>, <grant>, <role>, or <user>

Child Elements

None

Occurrence

Optional, zero or one

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
            <user>  {0 or more}
                ...
                <description>  {0 or 1}
                ...
        <roles>  {0 or 1}
            <role>  {0 or more}
                ...
                <description>  {0 or 1}
                ...
<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                ...
                    <description> {0 or 1}
<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}

Example

The fmwadmin user might have the following description:

<description>User with administrative privileges</description>

See <jazn-realm> for additional examples.


<display-name>

This element specifies the name of an item typically used by a GUI tool. Depending on the parent element, an item can be an application role, user, or enterprise group.

Parent Element

<app-role>, <role>, or <user>

Child Elements

None

Occurrence

Optional, zero or one

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
            <user>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                ...
        <roles>  {0 or 1}
            <role>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                ...
<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}

Example

The fmwadmin user might have the following display name:

<display-name>Administrator</display-name>

See <jazn-realm> for additional examples.


<extended-attributes>

This element specifies attributes of an application role.

Parent Element

<app-role>

Child Elements

<attribute>

Occurrence

Optional, zero or one

<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}
                    <description> {0 or 1}
                    <guid> {0 or 1}
                    <uniquename> {0 or 1}
                    <extended-attributes> {0 or 1}
                        <attribute> {1 or more}
                            <name> {1}
                            <values> {1}
                                <value>  {1 or more}
                    <members> {0 or 1}
                        <member> {1 or more}
                            <name> {1}
                            <class> {1}
                            <uniquename> {0 or 1}
                            <guid> {0 or 1}

Example

<app-roles>
   <app-role>
      <name>Knight</name>
      <display-name>Fellowship For the Ring</display-name>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <extended-attributes>
         <attribute>
         <name>SCOPE</name>
         <values>
            <value>Part-I</value>
         </values>
         </attribute>
      </extended-attributes>
   </app-role>

<grant>

This element specifies the recipient of the grant - a codesource, or a set of principals, or both- and the permissions assigned to it.

Parent Element

<jazn-policy>

Child Elements

<description>, <grantee>, <permissions>, <permission-sets>

Occurrence

Optional, zero or more

<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

Example

See <jazn-policy> for examples.


<grantee>

This element, in conjunction with a parallel <permissions> element, specifies who or what the permissions are granted to: a set of principals, a codesource, or both.

Parent Element

<grant>

Child Elements

<codesource>, <principals>

Occurrence

Optional, zero or one

<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

Example

See <jazn-policy> for examples.


<guid>

This element is for internal use only. It specifies a globally unique identifier (GUID) to reference the item.

Depending on the parent element, the item to be referenced may be an application role, application role member, principal, enterprise group, or user. It is typically used with an LDAP provider to uniquely identity the item (a user, for example). A GUID is sometimes generated and used internally by Oracle Platform Security Services, such as in migrating a user or role to a different security provider. It is not an item that you would set yourself.

Parent Element

<app-role>, <member>, <principal>, <role>, or <user>

Child Elements

None

Occurrence

Optional, zero or one

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
            <user>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <credentials>  {0 or 1}
        <roles>  {0 or 1}
            <role>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                ...
<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}
                    <description> {0 or 1}
                    <guid> {0 or 1}
                    <uniquename> {0 or 1}
                    <extended-attributes> {0 or 1}
                        <attribute> {1 or more}
                            <name> {1}
                            <values> {1}
                                <value>  {1 or more}
                    <members> {0 or 1}
                        <member> {1 or more}
                            <name> {1}
                            <class> {1}
                            <uniquename> {0 or 1}
                            <guid> {0 or 1}
<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      ...

Example

See <jazn-realm> for examples.


<jazn-data>

This element specifies the top-level element in the system-jazn-data.xml file-based policy store.

Attributes

Name Description

schema-major-version

Specifies the major version number of the system-jazn-data.xml XSD. The value of this attribute is fixed at 11 for use with Oracle Fusion Middleware 11g.

schema-minor-version

Specifies the minor version number of the system-jazn-data.xml XSD. The value of this attribute is fixed at 0 for use with the Oracle Fusion Middleware 11.1.1 implementation.


Parent Element

n/a

Child Elements

<jazn-policy>, <jazn-realm>, <policy-store>

Occurrence

Required, one only

<jazn-data ... >  {1}
    <jazn-realm>  {0 or 1}
    ...
<policy-store> {0 or 1}
    ...
<jazn-policy> {0 or 1}
    ...

Example

<jazn-data
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:noNamespaceSchemaLocation=
                     "http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd">
...
</jazn-data

<jazn-policy>

This element specifies policy grants that associate grantees (principals or codesources) with permissions.

This element can appear in two different locations in the system-jazn-data.xml file:

Parent Element

<application> or <jazn-data>

Child Elements

<grant>

Occurrence

Optional, zero or one

<jazn-data> {1}
    <jazn-policy> {0 or 1}
       <grant> {0 or more}
          <description> {0 or 1}
          <grantee> {0 or 1}
              <principals> {0 or 1}
              ...
              <codesource> {0 or 1}
                 <url> {1}
          <permissions> {0 or 1}
              <permission> {1 or more}
                 <class> {1}
                 <name> {0 or 1}
                 <actions> {0 or 1}

Example

Example B-1 <jazn-policy>

<jazn-policy>
        <grant>
            <grantee>
                <principals>
                    <principal>
                        <class>
                           oracle.security.jps.service.policystore.TestUser
                        </class>
                        <name>jack</name>
                    </principal>
                    <principal>
                        <class>
                           oracle.security.jps.service.policystore.TestUser
                        </class>
                        <name>jill</name>
                    </principal>
                </principals>
                <codesource>
      <url>file:${oracle.deployed.app.dir}/<MyApp>${oracle.deployed.app.ext}</url>
                </codesource>
            </grantee>
            <permissions>
                <permission>
                    <class>oracle.security.jps.JpsPermission</class>
                    <name>getContext</name>
                </permission>
                <permission>
                    <class>java.io.FilePermission</class>
                    <name>/foo</name>
                    <actions>read,write</actions>
                </permission>
            </permissions>
        </grant>
    </jazn-policy>

Example B-2 <jazn-policy>

<jazn-policy>
        <grant>
            <grantee>
                <principals>
                    <principal>
                        <class>
                           oracle.security.jps.service.policystore.TestAdminRole
                        </class>
                        <name>Farm=farm1,name=FullAdministrator</name>
                    </principal>
                </principals>
                <codesource>
                    <url>file://some-file-path</url>
                </codesource>
            </grantee>
            <permissions>
                 permission>
                    <class>javax.management.MBeanPermission</class>
                    <name>
              oracle.as.management.topology.mbeans.InstanceOperations#getAttribute
                    </name>
                    <actions>invoke</actions>
                </permission>
            </permissions>
        </grant>
    </jazn-policy>

<jazn-realm>

This element specifies security realms and the users and enterprise groups (as opposed to application-level roles) they include, and is the top-level element for user and role information

Attribute

Name Description

default

Specifies which of the realms defined under this element is the default realm. The value of this attribute must match a <name> value under one of the <realm> subelements.

Values: string

Default: n/a (required)


Parent Element

<jazn-data>

Child Elements

<realm>

Occurrence

Optional, zero or one

<jazn-data>  {1}
    <jazn-realm>  {0 or 1}
        <realm>  {0 or more}
            <name>  {1}
            <users>  {0 or 1}
            ...
            <roles>  {0 or 1}
            ...

Example

<jazn-data ... >
    ...
    <jazn-realm default="jazn.com">
        <realm>
            <name>jazn.com</name>
            <users>
                <user deactivated="true">
                    <name>anonymous</name>
                    <guid>61FD29C0D47E11DABF9BA765378CF9F3</guid>
                    <description>The default guest/anonymous user</description>
                </user>
                <user>
                    <name>developer1</name>
                    <credentials>!password</credentials>
                </user>
                <user>
                    <name>developer2</name>
                    <credentials>!password</credentials>
                </user>
                <user>
                    <name>manager1</name>
                    <credentials>!password</credentials>
                </user>
                <user>
                    <name>manager2</name>
                    <credentials>!password</credentials>
                </user>
                <!-- these are for testing the admin role hierachy. -->
                <user>
                    <name>farm-admin</name>
                    <credentials>!password</credentials>
                </user>
                <user>
                    <name>farm-monitor</name>
                    <credentials>!password</credentials>
                </user>
                <user>
                    <name>farm-operator</name>
                    <credentials>!password</credentials>
                </user>
                <user>
                    <name>farm-auditor</name>
                    <credentials>!password</credentials>
                </user>
                <user>
                    <name>farm-auditviewer</name>
                    <credentials>!password</credentials>
                </user>
            </users>
            <roles>
                <role>
                    <name>users</name>
                    <guid>31FD29C0D47E11DABF9BA765378CF9F7</guid>
                    <display-name>users</display-name>
                    <description>users role for rmi/ejb access</description>
                </role>
                <role>
                    <name>ascontrol_appadmin</name>
                    <guid>51FD29C0D47E11DABF9BA765378CF9F7</guid>
                    <display-name>ASControl App Admin Role</display-name>
                    <description>
                       Application Administrative role for ASControl
                    </description>
                </role>
                <role>
                    <name>ascontrol_monitor</name>
                    <guid>61FD29C0D47E11DABF9BA765378CF9F7</guid>
                    <display-name>ASControl Monitor Role</display-name>
                    <description>Monitor role for ASControl</description>
                </role>
                <role>
                    <name>developers</name>
                    <members>
                        <member>
                            <type>user</type>
                            <name>developer1</name>
                        </member>
                        <member>
                            <type>user</type>
                            <name>developer2</name>
                        </member>
                    </members>
                </role>
                <role>
                    <name>managers</name>
                    <members>
                        <member>
                            <type>user</type>
                            <name>manager1</name>
                        </member>
                        <member>
                            <type>user</type>
                            <name>manager2</name>
                        </member>
                    </members>
                </role>
            </roles>
        </realm>
    </jazn-realm>
    ...
</jazn-data>

<matcher-class>

This element specifies the fully qualified name of the class within a resource type; queries for resources of this type delegate to this matcher class. Values are case-sensitive.

Parent Element

<resource-type>

Child Elements

None

Occurrence

Optional, zero or more

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                ...
                <role-categories> {0 or 1}
                ...
                <resource-types> {0 or 1}
                   <resource-type> {1 or more}
                      <name> {1}
                      <display-name> {1}
                      <description> {0 or 1}
                      <provider-name> {1}
                      <matcher-class> {1}
                      <actions-delimiter> {1}
                      <actions> {1 or more}

Example

For an example, see <resource-type>.


<member>

This element specifies the members of a set, such as a <role> or an<app-role> element:

Parent Element

<members>

Child Elements

Occurrence

Optional, zero or more

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
        ...
        <roles>  {0 or 1}
            <role>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <members>  {0 or 1}
                    <member>  {0 or more}
                        <type>  {1}
                        <name>  {1}
                <owners>  {0 or 1}
                    <owner>  {0 or more}
                        <type>  {1}
                        <name>  {1}
<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}
                    <description> {0 or 1}
                    <guid> {0 or 1}
                    <uniquename> {0 or 1}
                    <extended-attributes> {0 or 1}
                    ...
                    <members> {0 or 1}
                        <member> {1 or more}
                            <name> {1}
                            <class> {1}
                            <uniquename> {0 or 1}
                            <guid> {0 or 1}

Example

See <jazn-realm> and <policy-store> for examples.


<member-resource>

This element specifies resources for a permission set.

Parent Element

<member-resources>

Child Elements

<resource-name>, <type-name-ref>,<actions>

Occurrence

Required within <member-resources>, one or more.

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                ...
                <role-categories>
                ...
                <permission-sets>
                   <permission-set>
                       <name>
                       <member-resources>
                          <member-resource>  
                              <resource-name>
                              <type-name-ref>
                              <actions>

Example

For an example, see <permission-set>.


<member-resources>

This element specifies a set of member resources.

Parent Element

<permission-set>

Child Elements

<member-resource>

Occurrence

Required within <permission-sets>; one or more.

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                ...
                <role-categories>
                ...
                <permission-sets>
                   <permission-set>
                       <name>
                       <member-resources>
                          <member-resource>    
                              <resource-name>
                              <type-name-ref>
                              <actions>

Example

For an example, see <permission-set>.


<members>

This element specifies a set of members.

Parent Element

<role>, <app-role>

Child Elements

<member>

Occurrence

Optional, zero or one

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
        ...
        <roles>  {0 or 1}
            <role>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <members>  {0 or 1}
                    <member>  {0 or more}
                        <type>  {1}
                        <name>  {1}
                <owners>  {0 or 1}
                    <owner>  {0 or more}
                        <type>  {1}
                        <name>  {1}
<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}
                    <description> {0 or 1}
                    <guid> {0 or 1}
                    <uniquename> {0 or 1}
                    <extended-attributes> {0 or 1}
                    ...
                    <members> {0 or 1}
                        <member> {1 or more}
                            <name> {1}
                            <class> {1}
                            <uniquename> {0 or 1}
                            <guid> {0 or 1}

Example

See <jazn-realm> and <policy-store> for examples.


<name>

This element has different uses, depending on its location in the file:

Parent Element

<app-role>, <application>, <attribute>, <member>, <owner>, <permission>, <principal>, <realm>, <role>, or <user>

Child Elements

None

Occurrence

Required within any parent element other than <permission>, one only; optional within <permission>, zero or one

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
            <user>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <credentials>  {0 or 1}
        <roles>  {0 or 1}
            <role>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <members>  {0 or 1}
                    <member>  {0 or more}
                        <type>  {1}
                        <name>  {1}
                <owners>  {0 or 1}
                    <owner>  {0 or more}
                        <type>  {1}
                        <name>  {1}
<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}
                    <description> {0 or 1}
                    <guid> {0 or 1}
                    <uniquename> {0 or 1}
                    <extended-attributes> {0 or 1}
                        <attribute> {1 or more}
                            <name> {1}
                            <values> {1}
                                <value>  {1 or more}
                    <members> {0 or 1}
                        <member> {1 or more}
                            <name> {1}
                            <class> {1}
                            <uniquename> {0 or 1}
                            <guid> {0 or 1}
<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

Example

<application>
   <name>peanuts</name>
   <app-roles>
      <app-role>
         <name>snoopy</name>
         <display-name>application role snoopy</display-name>
         <class>oracle.security.jps.service.policystore.ApplicationRole</class>
         <members>
            <member>
 
.......

See <jazn-policy>, <jazn-realm>, and <policy-store> for examples.


<owner>

This element specifies the owner of the enterprise group, where an owner has administrative authority over the role.

An owner is a user or another enterprise group. The <type> subelement specifies the owner's type. The concept of role (group) owners specifically relates to BPEL or Oracle Internet Directory functionality. For example, in BPEL, a role owner has the capability to create and update workflow rules for the role.

Note:

To create a group owner in Oracle Internet Directory, use the Oracle Delegated Administration Services. For external (third-party) LDAP servers, set values for the group's owner attribute through ldapmodify or tools of the particular directory server.

Parent Element

<owners>

Child Elements

<name>, <type>

Occurrence

Optional, zero or more

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
        ...
        <roles>  {0 or 1}
            <role>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <members>  {0 or 1}
                    <member>  {0 or more}
                        <type>  {1}
                        <name>  {1}
                <owners>  {0 or 1}
                    <owner>  {0 or more}
                        <type>  {1}
                        <name>  {1}

<owners>

This element specifies a set of owners.

Parent Element

<role>

Child Elements

<owner>

Occurrence

Optional, zero or one

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
        ...
        <roles>  {0 or 1}
            <role>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <members>  {0 or 1}
                    <member>  {0 or more}
                        <type>  {1}
                        <name>  {1}
                <owners>  {0 or 1}
                    <owner>  {0 or more}
                        <type>  {1}
                        <name>  {1}

<permission>

This element specifies the permission to grant to grantees, where a grantee is a set of principals, a codesource, or both, as part of a policy configuration.

Parent Element

<permissions>

Child Elements

<actions>, <class>, <name>

Occurrence

Required within parent element, one or more

<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

Example

See <jazn-policy> for examples.


<permissions>

This element specifies a set of permissions.

The <permissions> element (used in conjunction with a parallel <grantee> element) specifies the permissions being granted, through a set of <permission> subelements.

Note:

The system-jazn-data.xml schema definition does not specify this as a required element, but the Oracle Platform Security runtime implementation requires its use within any <grant> element.

Parent Element

<grant>

Child Elements

<permission>

Occurrence

Optional, zero or one

<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

Example

See <jazn-policy> for examples.


<permission-set>

A permission set or entitlement specifies a set of permissions.

Parent Element

<permission-sets>

Child Elements

<name>

Occurrence

Optional, zero or more

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                ...
                <role-categories>
                ...
                <permission-sets>
                   <permission-set>
                       <name>
                       <member-resources>
                          <member-resource>    
                              <resource-name>
                              <type-name-ref>
                              <actions>

Example

The following fragment illustrates the configuration of a permission set (or entitlement):

<permission-sets>
  <permission-set>
    <name>permsetName</name>
    <member-resources>
      <member-resource>
         <type-name-ref>TaskFlowResourceType</type-name-ref>         <resource-name>resource1</resource-name>
         <actions>customize,view</actions>
      </member-resource>
    </member-resources>
  </permission-set>
</permission-sets>

Note the following points about a permission set:

In addition, the following strings in a permission set entry conform to the case sensitivity rules:


<permission-sets>

This element specifies a set of permission sets.

Parent Element

<application>

Child Elements

<permission-set>

Occurrence

Optional, zero or more

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                ...
                <role-categories>
                ...
                <permission-sets>
                   <permission-set>
                       <name>
                       <member-resources>
                          <member-resource>    
                              <resource-name>
                              <type-name-ref>
                              <actions>

Example

For an example, see <permission-set>.


<policy-store>

This element configures application-level policies, through an <applications> subelement. Under the <applications> element is an <application> subelement for each application that is to have application-level policies. The policies are specified through a <jazn-policy> subelement of each <application> element.

Note:

The <jazn-principal-classes> and <jazn-permission-classes> elements and their subelements may appear in the system-jazn-data.xml schema definition as subelements of <policy-store>, but are for backward compatibility only.

Parent Element

<jazn-data>

Child Elements

<applications>

Occurrence

Optional, zero or one

<jazn-data>  {1}
    <policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
            ...

Example

<jazn-data ... >
    ...
    <policy-store>
        <!--  application policy -->
        <applications>
            <application>
                <name>policyOnly</name>
                <jazn-policy>
                   ...
                </jazn-policy>
            </application>
            <application>
                <name>roleOnly</name>
                <app-roles>
                    <app-role>
                        <name>Fellowship</name>
                        <display-name>Fellowship of the Ring</display-name>
                        <class>
                           oracle.security.jps.service.policystore.ApplicationRole
                        </class>
                    </app-role>
                    <app-role>
                        <name>King</name>
                        <display-name>Return of the King</display-name>
                        <class>
                           oracle.security.jps.service.policystore.ApplicationRole
                        </class>
                    </app-role>
                </app-roles>
            </application>
            <application>
                <app-roles>
                    <app-role>
                        <name>Farm=farm1,name=FullAdministrator</name>
                        <display-name>farm1.FullAdministrator</display-name>
                        <guid>61FD29C0D47E11DABF9BA765378CF9F2</guid>
                        <class>
                           oracle.security.jps.service.policystore.ApplicationRole
                        </class>
                        <members>
                            <member>
                                <class>
             oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl
                                </class>
                                <name>admin</name>
                            </member>
                        </members>
                    </app-role>
                </app-roles>
                <jazn-policy>
                   ...
                </jazn-policy>
            </application>
            ...
        </applications>
    </policy-store
    ....
</jazn-data

See <jazn-policy> for examples of that element.


<principal>

This element specifies a principal being granted the permissions specified in a <permissions> element as part of a policy configuration. Required under <principals>.

Subelements specify the name of the principal and the class that implements it, and optionally specify a unique name and unique global identifier (the latter two for internal use only).

For details about how principal names can be compared, see Section 2.7, "Principal Name Comparison Logic."

Parent Element

<principals>

Child Elements

<class>, <guid>, <name>, <uniquename>

Occurrence

Optional, zero or more

<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

Example

See <jazn-policy> for examples.


<principals>

This element specifies a set of principals.

For policy configuration, a <principals> element and/or a <codesource> element are used under a <grantee> element to specify who or what the permissions in question are being granted to. A <principals> element specifies a set of principals being granted the permissions.

For a subject to be granted these permissions, the subject should include all the specified principals.

Parent Element

<grantee>

Child Elements

<principal>

Occurrence

Optional, zero or one

<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

Example

See <jazn-policy> for examples.


<provider-name>

This element specifies the name of a resource type provider. The resource resides in a location external to the OPSS policy store. Values are case-insensitive.

Parent Element

<resource-type>

Child Elements

None

Occurrence

Optional, zero or more

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                ...
                <role-categories>
                ...
                <resource-types>
                   <resource-type>
                      <name>
                      <display-name>
                      <description>
                      <provider-name>
                      <matcher-class>
                      <actions-delimiter>
                      <actions>

Example

For an example, see <resource-type>.


<realm>

This element specifies a security realm, and the users and roles that belong to the realm.

Parent Element

<jazn-realm>

Child Elements

<name>, <roles>, <users>

Occurrence

Optional, zero or more

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
        ...
        <roles>  {0 or 1}
        ...

Example

See <jazn-realm> for an example.


<resource>

This element specifies an application resource and contains information about the resource.

Parent Element

<resources>

Child Elements

<name>, <description>, <display-name>, <type-name-ref>.

Occurrence

One of more required under <resources>.

<resources> (0 or more)
    <resource> (1 or more)
       <name> (1)
       <display-name> (1)
       <description> {0 or 1}
       <type-name-ref> (1)

Example

The following fragment illustrates the configuration of a resource (instance):

<resources>
  <resource>
    <name>resource1</name>
    <display-name>Resource1DisplayName</display-name>
    <description>Resource1 Description</description>
    <type-name-ref>TaskFlowResourceType</type-name-ref>
  </resource>
</resources>

Note the following points about case sensitivity of various strings in a resource entry:


<resources>

This element specifies a collection of application resources.

Parent Element

<application>

Child Elements

<resource>

Occurrence

Optional, zero or more

<resources> (0 or more)
    <resource> (1 or more)
       <name> (1)
       <display-name> (1)
       <description> {0 or 1}
       <type-name-ref> (1)

Example

For an example, see <resource>.


<resource-name>

This element specifies a member resource in a permission set. Values are case-sensitive.

Parent Element

<member-resource>

Child Elements

None

Occurrence

Optional, zero or more

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                ...
                <role-categories>
                ...
                <permission-sets>
                   <permission-set>
                       <name>
                       <member-resources>
                          <member-resource>    
                              <resource-name>
                              <type-name-ref>
                              <actions>

Example

For an example, see <permission-set>.


<resource-type>

This element specifies the type of a secured artifact, such as a flow, a job, or a web service. Values are case-insensitive.

Parent Element

<resource-types>

Child Elements

<name>, <display-name>, <description>, <actions>, <actions-delimiter>, <matcher-class>, <provider-name>.

Occurrence

Optional, zero or more

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                ...
                <role-categories>
                ...
                <resource-types>
                   <resource-type>
                      <name>
                      <display-name>
                      <description>
                      <provider-name>
                      <matcher-class>
                      <actions-delimiter>
                      <actions>

Example

The following fragment illustrates the configuration of a resource type:

<resource-types>
  <resource-type>
    <name>TaskFlowResourceType</name>
    <display-name>TaskFlowResourceType_disp</display-name>
    <description>Resource Type for Task Flow</description>
    <provider-name>resTypeProv</provider-name>
    <matcher-class>
oracle.adf.controller.security.TaskFlowPermission</matcher-class>
    <actions-delimiter>,</actions-delimiter>
    <actions>customize,view</actions>
  </resource-type>
</resource-types>

The following points apply to the specification of a resource type:


<resource-types>

This element specifies a set of resource types.

Parent Element

<application>

Child Elements

<resource-type>

Occurrence

Optional, zero or more

<policy-store> {0 or 1}
        <applications> {0 or 1}
            <application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                ...
                <role-categories>
                ...
                <resource-types>
                   <resource-type>
                      <name>
                      <display-name>
                      <description>
                      <provider-name>
                      <matcher-class>
                      <actions-delimiter>
                      <actions>

Example

For an example, see <resource-type>.


<role>

This element specifies an enterprise security role, as opposed to an application-level role, and the members (and optionally owners) of that role.

Parent Element

<roles>

Child Elements

<description>, <display-name>, <guid>, <members>, <name>, <owners>

Occurrence

Optional, zero or more

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
            <user>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <credentials>  {0 or 1}
        <roles>  {0 or 1}
            <role>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <members>  {0 or 1}
                    <member>  {0 or more}
                        <type>  {1}
                        <name>  {1}
                <owners>  {0 or 1}
                    <owner>  {0 or more}
                        <type>  {1}
                        <name>  {1}

Example

See <jazn-realm> for examples.


<role-categories>

This element specifies the parent element of <role-category> elements.

Parent Element

<application>

Child Elements

<role-category>

Occurrence

Optional, zero or one

<application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                                  <app-role> {1 or more}
                      <name> {1}
                      <class> {1}
                       <display-name> {0 or 1}
                       <description> {0 or 1}
                       <guid> {0 or 1}
                       <uniquename> {0 or 1}
                       <extended-attributes> {0 or 1}
                          <attribute> {1 or more}
                              <name> {1}
                              <values> {1}
                                  <value>  {1 or more}
                       <members> {0 or 1}
                           <member> {1 or more}
                               <name> {1}
                               <class> {1}
                               <uniquename> {0 or 1}
                               <guid> {0 or 1}
                <role-categories>
                   <role-category>
                      <name>
                      <description>
                      <display-name>
                      

Example

See Section 20.3.3.1, "Using the Method checkPermission" for an example.


<role-category>

This element specifies a category, that is, a flat set of application roles.

Parent Element

<role-categories>

Child Elements

<name>, <display-name>, <description>, <members>

Occurrence

Optional, zero or one

<application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                                  <app-role> {1 or more}
                      <name> {1}
                      <class> {1}
                       <display-name> {0 or 1}
                       <description> {0 or 1}
                       <guid> {0 or 1}
                       <uniquename> {0 or 1}
                       <extended-attributes> {0 or 1}
                          <attribute> {1 or more}
                              <name> {1}
                              <values> {1}
                                  <value>  {1 or more}
                       <members> {0 or 1}
                           <member> {1 or more}
                               <name> {1}
                               <class> {1}
                               <uniquename> {0 or 1}
                               <guid> {0 or 1}
                <role-categories>
                   <role-category>
                      <name>
                      <description>
                      <display-name>
                      <members>
                       

Example

See Section 20.3.3.1, "Using the Method checkPermission" for an example.


<role-name-ref>

This element specifies an application role within a role category.

Parent Element

<members>

Child Elements

None

Occurrence

Optional, zero or one

<application> {1 or more}
                <name> {1}
                <description> {0 or 1}
                <app-roles> {0 or 1}
                                  <app-role> {1 or more}
                      <name> {1}
                      <class> {1}
                       <display-name> {0 or 1}
                       <description> {0 or 1}
                       <guid> {0 or 1}
                       <uniquename> {0 or 1}
                       <extended-attributes> {0 or 1}
                          <attribute> {1 or more}
                              <name> {1}
                              <values> {1}
                                  <value>  {1 or more}
                       <members> {0 or 1}
                           <member> {1 or more}
                               <name> {1}
                               <class> {1}
                               <uniquename> {0 or 1}
                               <guid> {0 or 1}
                <role-categories>
                   <role-category>
                      <name>
                      <description>
                      <members>
                         <role-name-ref>

<roles>

This element specifies a set of enterprise security roles that belong to a security realm.

Parent Element

<realm>

Child Elements

<role>

Occurrence

Optional, zero or one

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
            <user>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <credentials>  {0 or 1}
        <roles>  {0 or 1}
            <role>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <members>  {0 or 1}
                    <member>  {0 or more}
                        <type>  {1}
                        <name>  {1}
                <owners>  {0 or 1}
                    <owner>  {0 or more}
                        <type>  {1}
                        <name>  {1}

Example

See <jazn-realm> for an example.


<type>

This element specifies the type of an enterprise group member or role owner: specifically, whether the member or owner is a user or another role:

<type>user</type>

Or:

<type>role</type>

Parent Element

<member> or <owner>

Child Elements

None

Occurrence

Required, one only

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
        ...
        <roles>  {0 or 1}
            <role>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <members>  {0 or 1}
                    <member>  {0 or more}
                        <type>  {1}
                        <name>  {1}
                <owners>  {0 or 1}
                    <owner>  {0 or more}
                        <type>  {1}
                        <name>  {1}

Example

See <jazn-realm> for examples.


<type-name-ref>

This element specifies the resource type of a resource.

Parent Element

<member-resource>, <resource>

Child Elements

None

Occurrence

One only. Required within <resource> or <member-resource>.

<resources> (0 or more)
    <resource> (1 or more)
       <name> (1)
       <display-name> (1)
       <description> {0 or 1}
       <type-name-ref> (1)

Example

For an example, see <resource>.


<uniquename>

This element, for internal use, takes a string value to specify a unique name to reference the item. (The JpsPrincipal class can use a GUID and unique name, both computed by the underlying policy provisioning APIs, to uniquely identify a principal.) Depending on the parent element, the item could be an application role, application role member (not an enterprise group member), or principal. It is typically used with an LDAP provider to uniquely identity the item (an application role member, for example). A unique name is sometimes generated and used internally by Oracle Platform Security.

The unique name for an application role would be: "appid=application_name, name=actual_rolename". For example:

<principal>
   <class>
      oracle.security.jps.service.policystore.adminroles.AdminRolePrincipal
   </class>
   <uniquename>
      APPID=App1,name="FARM=D.1.2.3,APPLICATION=PolicyServlet,TYPE=OPERATOR"
   </uniquename>
</principal>

Parent Element

<app-role>, <member>, or <principal>

Child Elements

None

Occurrence

Optional, zero or one

<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}
                    <description> {0 or 1}
                    <guid> {0 or 1}
                    <uniquename> {0 or 1}
                    <extended-attributes> {0 or 1}
                    ...
                    <members> {0 or 1}
                        <member> {1 or more}
                            <name> {1}
                            <class> {1}
                            <uniquename> {0 or 1}
                            <guid> {0 or 1}
<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

<url>

This element specifies the URL of the code that is granted permissions.

Note the following points:

Parent Element

<codesource>

Child Elements

None

Occurrence

Required within parent element, one only

<jazn-policy> {0 or 1}
   <grant> {0 or more}
      <description> {0 or 1}
      <grantee> {0 or 1}
          <principals> {0 or 1}
             <principal> {0 or more}
                <name> {1}
                <class> {1}
                <uniquename> {0 or 1}
                <guid> {0 or 1}
          <codesource> {0 or 1}
             <url> {1}
      <permissions> {0 or 1}
          <permission> {1 or more}
             <class> {1}
             <name> {0 or 1}
             <actions> {0 or 1}

Example

The following example illustrates the use of the system variables oracle.deployed.app.dir and oracle.deployed.app.ext to specify URLs independent of the server platform.

Suppose an application grant requires a codesource URL that differs with the server platform:

On WebLogic
<grant>
  <grantee>
    <codesource>
      <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/myApp/-</url>
    </codesource>
  </grantee>
  <permissions> ... </permissions>
</grant>  
 
On WebSphere
<grant>
  <grantee>
    <codesource>
      <url>file:${user.install.root}/installedApps/${was.cell.name}/myApp/-</url>
    </codesource>
  </grantee>
  <permissions> ... </permissions>
</grant>

Then, using the following system variable settings:

On WebLogic
-Doracle.deployed.app.dir=${DOMAIN_HOME}/servers/${SERVER_NAME}/tmp/_WL_user
-Doracle.deployed.app.ext=/-

On WebSphere
-Doracle.deployed.app.dir=${USER_INSTALL_ROOT}/installedApps/${CELL}
-Doracle.deployed.app.ext=.ear/-

the following specification would work for both platforms, WebLogic and WebSphere:

<grant>
  <grantee>
    <codesource>
      <url>file:${oracle.deployed.app.dir}/<MyApp>${oracle.deployed.app.ext}</url>
    </codesource>
  </grantee>
  <permissions> ... </permissions>
</grant>

<user>

This element specifies a user within a realm.

Attributes

Name Description

deactivated

Specifies whether the user is valid or not.

Set this attribute to true if you want to maintain a user in the configuration file but not have it be a currently valid user. This is the initial configuration of the anonymous user in the jazn.com realm, for example.

Values: true or false

Default: false


Parent Element

<users>

Child Elements

<name>, <display-name>, <description>, <guid>, <credentials>

Occurrence

Optional, zero or more

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
            <user>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <credentials>  {0 or 1}
        <roles>  {0 or 1}
        ...

Example

See <jazn-realm> for examples.


<users>

This element specifies the set of users belonging to a realm.

Parent Element

<realm>

Child Elements

<user>

Occurrence

Optional, zero or one

<jazn-realm>  {0 or 1}
    <realm>  {0 or more}
        <name>  {1}
        <users>  {0 or 1}
            <user>  {0 or more}
                <name>  {1}
                <display-name>  {0 or 1}
                <description>  {0 or 1}
                <guid>  {0 or 1}
                <credentials>  {0 or 1}
        <roles>  {0 or 1}
        ...

Example

See <jazn-realm> for an example.


<value>

This element specifies a value for an attribute. You can specify additional attributes for application-level roles using the <extended-attributes> element.

Parent Element

<attribute>

Child Elements

None

Occurrence

Required within the parent element, one only

<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}
                    <description> {0 or 1}
                    <guid> {0 or 1}
                    <uniquename> {0 or 1}
                    <extended-attributes> {0 or 1}
                        <attribute> {1 or more}
                            <name> {1}
                            <values> {1}
                                <value>  {1 or more}
                    <members> {0 or 1}
                        <member> {1 or more}
                            <name> {1}
                            <class> {1}
                            <uniquename> {0 or 1}
                            <guid> {0 or 1}

Example

<app-roles>
   <app-role>
      <name>Knight</name>
      <display-name>Fellowship of the Ring</display-name>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <extended-attributes>
         <attribute>
         <name>SCOPE</name>
         <values>
            <value>Part-I</value>
         </values>
         </attribute>
      </extended-attributes>
   </app-role>

<values>

This element specifies a set of values, each of which specify the value of an attribute. An attribute can have more than one value.

Parent Element

<attribute>

Child Elements

<value>

Occurrence

Required within the parent element, one only

<policy-store> {0 or 1}
    <applications> {0 or 1}
        <application> {1 or more}
            <name> {1}
            <description> {0 or 1}
            <app-roles> {0 or 1}
                <app-role> {1 or more}
                    <name> {1}
                    <class> {1}
                    <display-name> {0 or 1}
                    <description> {0 or 1}
                    <guid> {0 or 1}
                    <uniquename> {0 or 1}
                    <extended-attributes> {0 or 1}
                        <attribute> {1 or more}
                            <name> {1}
                            <values> {1}
                                <value>  {1 or more}
                    <members> {0 or 1}
                        <member> {1 or more}
                            <name> {1}
                            <class> {1}
                            <uniquename> {0 or 1}
                            <guid> {0 or 1}

Example

<app-roles>
   <app-role>
      <name>Knight</name>
      <display-name>Fellowship of the Ring</display-name>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <extended-attributes>
         <attribute>
         <name>SCOPE</name>
         <values>
            <value>Part-I</value>
         </values>
         </attribute>
      </extended-attributes>
   </app-role>