Oracle® Fusion Middleware Oracle Authorization Policy Manager Administrator's Guide (Oracle Fusion Applications Edition)
11g Release 6 (11.1.6)
Part Number E20839-04
The information in this chapter is specific to Oracle Fusion Applications only.
This chapter describes how to use Oracle Authorization Policy Manager to upgrade the application policies in an LDAP-based domain policy store with the changes introduced by a new release of the application.
This chapter first introduces some terms used throughout, and then gives an overview of the process of upgrading the policy store.
The following terms refer to the three policy stores involved in an application policy upgrade. They are also used in the Authorization Policy Manager user interface.
Baseline - The original policy store, represented by the XML file jazn-data.xml available with the application out-of-the-box. Presumably, this policy store was migrated to the domain policy store when the application was first deployed.
Production - The domain policy store, where the current state of the application policies resides. This store is assumed to be LDAP-based. Presumably, the policies in the application stripe in this store have undergone modifications since the application was first deployed.
Patch - The policy store represented by the jazn-data.xml file that ships with the new version of the application and describes the application policies of that version.
Application policy upgrading allows security administrators to solve a problem they face every time a new version of an application is released.
Out-of-the-box, an application typically includes the file jazn-data.xml (the baseline policy store), which describes the application policies for that particular version of the application. Typically, at application deployment the baseline policy store is migrated to the domain policy store (the production policy store) for the first time.
Thereafter, application policies in the production store may undergo modifications to accommodate evolving requirements; these changes include adding, deleting, or modifying any application-specific security artifact such as roles, grants, resource types, resources, and entitlements.
When a new version of the application is available and before that new version is deployed, a security administrator needs to:
Identify the customizations that have been introduced since the migration of the old application version, that is, the delta between the baseline and the production stores.
Identify the differences between the customized application policies and the policies in the new application version, that is, the delta between the production and patch stores.
Decide, for each difference, which artifact to use.
Authorization Policy Manager facilitates the resolution of each of the above tasks by providing a security administrator with a user interface that allows the administrator to:
Analyze a new patch, that is, generate all differences.
Inspect and decide, for each difference reported by the analysis, which specification to use.
Apply the patch.
Before patching application policies, make sure that you back up the policy store as explained in Prerequisites to Patching Policies.
The analysis must be performed first; the resolution of changes and conflicts follows. Neither task has particular requirements, and they can be accomplished at different times during one Authorization Policy Manager session or even across different sessions.
Before applying a patch, however, proceed as follows:
Take offline every WebLogic domain that uses the policy store where the application policies to be patched reside.
Back up the policy store with either of the following tools:
Oracle Internet Directory ldifwrite, to obtain an LDIF file for the policy store. For an example of the use of this command, see Oracle Fusion Middleware Application Security Guide.
Oracle Platform Security Services migrateSecurityStore, to export the policy store into a replica of it. For details about this command, see Oracle Fusion Middleware Application Security Guide.
Now you can apply the patch.
Applying the patch modifies the application stripe in the domain LDAP store in place, so the backup is what you return to if the result is not what you expected. If for any reason the policy store needs to be restored, proceed as follows:
If you saved the policy store in an LDIF file, use bulkload to restore it. For details about this command, see Oracle Fusion Middleware Application Security Guide.
If you exported the policy store, use Oracle Platform Security Services migrateSecurityStore to restore it. For details about this command, see Oracle Fusion Middleware Application Security Guide.
The Policy Upgrade Management tab, partially illustrated in Figure 7-1, contains the tab Home, where the upgrading process begins and which succinctly describes the steps you follow to upgrade application policies. The first step is to select the application whose policies to upgrade.
Figure 7-1 The Policy Upgrade Management Tab
To select application policies to patch, proceed as follows:
In the Home tab of the Policy Upgrade Management page, click the button Patch Application at the top left corner of the page to bring up the Patch Application dialog illustrated in Figure 7-2.
Figure 7-2 Patch Application Dialog
Select the application to patch from the pull-down Application list.
This list displays only applications that are currently deployed in the domain. After you select an application, the dialog takes a different form depending on whether the application has a patch in progress.
If the application has a patch in progress, you can continue it or abort it.
If the application does not have a patch in progress, select the Baseline file (the location of the baseline policy store) and the Patch file (the location of the patch policy store) and click OK. The only Patch Method available in this release is 3-way DIFF, which compares the baseline, production, and patch stores.
The rest of this procedure assumes a new patching process. Authorization Policy Manager displays an indicator showing the progress of the analysis phase in the Patch Application dialog. Once this phase is completed, the Patch Application dialog displays the statistics of the analysis as illustrated in Figure 7-3.
Figure 7-3 Statistics of a Patch Analysis
Check the box Launch Patch Resolution (checked by default) and click OK to launch the patch resolution phase.
Authorization Policy Manager creates a new tab (named after the application display name) that contains the details of the results, that is, the conflicts and differences encountered, in two sub-tabs:
General - This tab displays the files you specified at the start of the patching and a chart showing the number of changes and conflicts found, per artifact type, between the baseline and the patch stores. For details about these terms, see Section 7.5.1, "Changes and Conflicts." Figure 7-4 illustrates the General tab.
Figure 7-4 The General Tab
To terminate the current patching process and delete the analysis data gathered so far, click the button Discard; once the patch is discarded, the tab for the application is removed from the Policy Upgrade Management tab.
The Patch Details tab, illustrated partially in Figure 7-5, contains two major areas: the left area displays a hierarchical overview of changes and conflicts per artifact that resulted from the comparisons; the right area displays the details of changes and conflicts for an artifact selected from the left area.
Figure 7-5 Patch Details Tab
To display the specifics of an artifact's differences in the right area, click Changes or Conflicts under the artifact in the left area. All the changes or conflicts for that artifact are displayed in a table at the top of the right area. Each row has a type icon that indicates whether the difference is a change (double arrow icon) or a conflict (exclamation mark icon); for details, see Section 7.5.1, "Changes and Conflicts." The Status column shows whether a change or conflict has been resolved (green check icon) or not (gray square icon). The Related Issues column shows whether a change or conflict has implied dependencies; click the icon in this column to display the Patch Artifact Dependencies dialog and see, among other details, why other artifacts would be affected when resolving a difference for this artifact. Figure 7-6 partially illustrates this page.
Figure 7-6 Viewing Artifact Conflicts
To view conflict details for a specific item in the table, select the item to display the different specifications found in the 3-Way DIFF Details area. Figure 7-7 illustrates the differences for a role.
Figure 7-7 Displaying Difference Details
Figure 7-8 partially illustrates the dependencies implied by differences in a pair of roles. Specifically, it illustrates a baseline role App_Z that is not modified in the production store but modified in the patch store as follows:
The display name and the role description are changed.
The new role App_Znew is a child of the role App_Z.
Figure 7-8 Viewing Dependencies Implied by a Conflict or Change
A patch difference identifies a disparity between the specifications of a security artifact in some of the policy stores involved in the analysis. Oracle Authorization Policy Manager lists patch differences as changes or conflicts. These terms and how to resolve them are explained in the following sections:
To make the terminology precise, let Abase, Aprod, and Apatch denote the states of an artifact in the baseline, production, and patch stores, respectively; an artifact that does not exist in a store has an empty state there. Only artifacts for which Aprod and Apatch differ are reported, since otherwise the production store already matches the new version.
A patch difference is called a change when Abase and Aprod are equal and Apatch is different from Aprod: the artifact was not customized in production, and the new version of the application modifies, adds, or removes it.
A patch difference is called a conflict when Abase and Aprod are different and Apatch is different from Aprod: the artifact was customized in production, and the new version of the application specifies it differently from that customization (including the case where the patch still carries the original baseline specification that the customization replaced).
Resolving a change or conflict means choosing which specification to use: the one in the production store or the one in the patch store.
Even though there is a default resolution for each change or conflict, it is recommended that you resolve all of them manually before you proceed to apply the patch: the defaults favor the new version for changes and the existing customization for conflicts, which is not necessarily the right choice for every artifact.
To resolve a change or conflict for an artifact, proceed as follows:
Select the artifact in the Conflicts table, to display the specifications for the artifact found in each of the three stores at the bottom of the page.
Inspect specification differences and decide which one to use; to use the production store, click the button Use Production; to use the specification in the patch store, click the button Use Patch.
The decision that you make in this step may imply necessary changes to other artifacts. These changes, necessary to preserve data consistency, are called dependencies.
Oracle Authorization Policy Manager displays the dependencies that a decision implies and requests your confirmation before setting the value.
The decision value set for a change or conflict can be reset at any time. Oracle Authorization Policy Manager assigns one of the following default values to any change or conflict left unresolved:
For a change, Use Patch.
For a conflict, Use Production.
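The classification and default rules above, as an added example that is not Oracle's code and not part of this guide: it builds three small stores in a constructed subset of the jazn-data.xml schema (app-roles only, with a display name, description and members), classifies every artifact as a change or a conflict with the three-way rule, applies the defaults unless an administrator decision overrides them, and reports the dependencies a set of decisions implies, in the spirit of the Related Issues column. The application name, the role names, the sample stores and the member-based dependency rule are assumptions made for the illustration; APM's own analysis also covers grants, resource types, resources and entitlements.

```python
"""Three-way policy patch analysis in the style of APM's 3-way DIFF.

Added example, not Oracle code. The stores are a constructed subset of the
jazn-data.xml schema (app-roles with display name, description and members
only); real stores also carry grants, resource types, resources and
entitlements, and the member-based dependency rule below is an assumption.
"""
import xml.etree.ElementTree as ET

def store(*roles):
    """Build a constructed jazn-data.xml document from (name, display, description, members)."""
    items = "".join(
        f"<app-role><name>{n}</name><display-name>{d}</display-name>"
        f"<description>{s}</description><members>"
        + "".join(f"<member><name>{m}</name></member>" for m in ms)
        + "</members></app-role>"
        for n, d, s, ms in roles)
    return ("<jazn-data><policy-store><applications><application><name>MyApp</name>"
            f"<app-roles>{items}</app-roles></application></applications></policy-store></jazn-data>")

# Constructed sample stores: v1 as shipped (baseline), v1 after customization
# in the domain store (production), and v2 as shipped (patch).
BASELINE = store(("App_Z", "Z", "v1 role", ()), ("App_Y", "Y", "v1 role", ()),
                 ("App_X", "X", "v1 role", ()), ("App_W", "W", "v1 role", ()))
PRODUCTION = store(("App_Z", "Z", "v1 role", ()),
                   ("App_Y", "Y", "customized by admin", ()),
                   ("App_X", "X", "customized by admin", ()),
                   ("App_W", "W", "v1 role", ()),
                   ("App_Custom", "Custom", "added by admin", ("App_W",)))  # admin-added, member App_W
PATCH = store(("App_Z", "Z (v2)", "v2 role", ("App_Znew",)),  # modified, gains member App_Znew
              ("App_Znew", "Z new", "v2 child role", ()),     # new in v2
              ("App_Y", "Y", "v1 role", ()),                  # untouched by v2
              ("App_X", "X", "v2 role", ()))                  # modified in v2; App_W removed in v2

def load_roles(xml_text):
    """Return {role name: (display name, description, sorted member names)}."""
    roles = {}
    for r in ET.fromstring(xml_text).iter("app-role"):
        members = tuple(sorted(m.text for m in r.findall("./members/member/name")))
        roles[r.findtext("name")] = (r.findtext("display-name"), r.findtext("description"), members)
    return roles

def classify(base, prod, patch):
    """3-way DIFF. A role absent from a store has state None.
    change:   Abase == Aprod and Apatch != Aprod (not customized; the patch modifies it)
    conflict: Abase != Aprod and Apatch != Aprod (customized; the patch differs from that)
    Roles with Aprod == Apatch are not differences and are not reported."""
    diffs = {}
    for name in sorted(set(base) | set(prod) | set(patch)):
        if prod.get(name) != patch.get(name):
            diffs[name] = "change" if base.get(name) == prod.get(name) else "conflict"
    return diffs

DEFAULTS = {"change": "patch", "conflict": "production"}

def resolve(diffs, decisions=None):
    """Administrator decisions ("patch" or "production") win; the rest get the defaults."""
    decisions = decisions or {}
    return {name: decisions.get(name, DEFAULTS[kind]) for name, kind in diffs.items()}

def exists_after(name, resolution, prod, patch):
    """Does the role exist once the resolution is applied to the production store?"""
    choice = resolution.get(name)
    if choice is None:                        # not a difference: production == patch
        return name in prod
    return name in (patch if choice == "patch" else prod)

def related_issues(resolution, prod, patch):
    """Dependencies implied by the decisions: a chosen role specification whose
    members would not exist after patching. Returns (role, missing member, chosen store)."""
    issues = []
    for name, choice in resolution.items():
        spec = (patch if choice == "patch" else prod).get(name)
        if spec is None:                      # the chosen store deletes this role
            continue
        for member in spec[2]:
            if not exists_after(member, resolution, prod, patch):
                issues.append((name, member, choice))
    return issues

def merge(resolution, prod, patch):
    """The application stripe after patching: production plus the resolved differences."""
    merged = dict(prod)
    for name, choice in resolution.items():
        spec = (patch if choice == "patch" else prod).get(name)
        if spec is None:
            merged.pop(name, None)
        else:
            merged[name] = spec
    return merged

if __name__ == "__main__":
    base, prod, patch = load_roles(BASELINE), load_roles(PRODUCTION), load_roles(PATCH)
    diffs = classify(base, prod, patch)
    defaults = resolve(diffs)
    for name, kind in diffs.items():
        print(f"{name:11} {kind:9} -> Use {defaults[name]}")
    print("related issues with defaults:", related_issues(defaults, prod, patch))
    kept = resolve(diffs, {"App_W": "production"})  # keep App_W so App_Custom stays consistent
    print("related issues after keeping App_W:", related_issues(kept, prod, patch))
    print("roles after patching:", sorted(merge(kept, prod, patch)))
```

Run with the defaults, the customized roles App_Y and App_X and the admin-added App_Custom are conflicts and keep their production specification, while App_Z, App_Znew and the removal of App_W are changes and follow the patch. The removal of App_W then surfaces as a related issue, because App_Custom in production lists App_W as a member; choosing Use Production for App_W clears it. That is the kind of dependency the Patch Artifact Dependencies dialog asks you to confirm before a decision is set.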
The procedure in this section assumes that:
All changes and conflicts reported in the Patch Checklist of the Patch Details tab have been resolved (manually or by default).
The prerequisites stated in Prerequisites to Patching Policies are met.
To apply a patch, proceed as follows:
Click the button Apply Patch in the application's patching tab to initiate the patching process, which modifies the application policy stripe in the domain LDAP store.
Once the patch has been applied, you are ready to deploy the new version of the application.
Make sure that the automatic migration of policies is turned off when you deploy it, so that the just-patched application policies are not modified at deployment.
For details about how to manage the migration of policies when the application is deployed with Oracle Enterprise Manager Fusion Middleware Control, see Oracle Fusion Middleware Application Security Guide.