Policy Managers Guide


Policy Simulation

This chapter describes Entitlements Administration Application’s policy simulation feature.

 


Overview

The Entitlements Administration Application contains a policy simulation feature that allows you to troubleshoot, test, and understand how policies are enforced on a given application.

To perform a simulation, you specify a resource, action, and user. The simulator responds by displaying the relevant policies and indicates if authorization is allowed or denied. If attribute values were evaluated as part of the policy decision, the simulator allows you to perform additional simulations using different values of your choosing.

 


Scope, Limitations, and Requirements

The policy simulator is subject to the following conditions:

 


Creating and Running a Simulator

Prior to running policy simulations, you must create and start a simulator for the SSM where the policies are being enforced. The simulator runs on the Administration Server.

Note: All existing simulators are started when the Administration Server starts and stopped when the server stops.

  1. In the BEA_HOME\ales32-admin\bin directory, execute the following command:

    createPolicySimulator.sh | bat <ssm_conf_id> <ws_port> <ARME_port>

    where

    <ssm_conf_id> — Configuration ID of the SSM being simulated
    <ws_port> — Any unused port number for use by the simulator web service
    <ARME_port> — Any unused port number used to simulate ARME policy distribution

    Example: ./createPolicySimulator.sh asiadmin 7015 7016

  2. To start the simulator, change directory to BEA_HOME\ales32-admin\simulators\<ssm_conf_id>\bin and enter:

    start.sh | bat

    Note: To stop the simulator, enter stop.sh | bat in the same directory.

Removing a Simulator

To remove a simulator:

  1. Stop the simulator by running stop.sh | bat in the BEA_HOME\ales32-admin\simulators\<ssm_conf_id>\bin directory.
  2. (Windows Only) To unregister the simulator, execute the following command in the BEA_HOME\ales32-admin\simulators\<ssm_conf_id>\bin directory:

    WLESws.bat unregister

  3. Delete the BEA_HOME\ales32-admin\simulators\<ssm_conf_id> directory.

 


Policy Simulation Steps

Access the Entitlements Administration Application and do the following:

  1. In the left pane, select the application where the policies are defined.

    The application must be bound to the SSM corresponding to the SSM simulator running on the Administration Server.

  2. In the right pane, click the Policies tab and select Policy Simulation from the sub-menu.
  3. On the policy simulation page, click Select.
  4. On the Parameters Selection dialog, specify a user, resource, and action. Then click OK to return to the previous page. You can type these values in the fields provided or use the tabs to navigate to and select them.
  5. Do one of the following:
    • Leave the Only Get Roles checkbox cleared if you want the results to include all authorization and role policies involved in the policy decision.
    • Select the Only Get Roles checkbox to restrict the results to the roles involved in the policy decision. The results will indicate roles granted to the user.
  6. Click Get Results.

    The relevant policies are evaluated and the simulator displays Allow or Deny as the authorization result. It also provides the following details:

    Attributes
    Any attribute values that were evaluated as part of the policy decision.

    Groups
    The user's current group assignments.

    Roles
    The roles that are currently assigned to the user by role policies.

    Role Policies
    The role policies relevant to the selected parameters, including any constraint conditions and results.

    Authorization Policies
    The authorization policies relevant to the selected parameters, including any constraint conditions and results.

 


Policy Simulation Log Files

The policy simulator log file is specified in the SSM simulator instance’s log4j.properties file. For example, if the SSM simulator instance name is my_ssm, the log4j.properties is located in the following directory:

BEA_HOME\ales32-admin\simulators\<ssm_name>\config

In addition, useful information may be logged in the corresponding Web Service SSM log files.

 


Sample Policy Simulation

This section provides a sample policy simulation in the Entitlements Administration Application and describes steps that you can follow to replicate the example should you want to do so. The simulated policy is a very basic one, but the inclusion of a constraint provides insight into the power of the simulation feature when more complex policies are involved.

The policy to be simulated is based on the following use case:

         An application that lets customers perform online purchases is secured by
         policies that allow purchases based on customer ‘status’. The specific policy
         to be simulated examines the value of the user’s CustomerStatus attribute and,
         if that value is Gold, it creates a response attribute that returns a spending
         limit of 1000.00 to the application context.

The simulation is based on the existence of the objects shown in Table 5-1.

Table 5-1 Policy Simulation Objects (by object type)

    Resources
    An application with the following resource hierarchy:
        webapp
          url
            index.jsp

    Application Role
    Purchaser

    User
    John Roberts

    Action
    Purchase

    Role Policy
    A policy that grants the Purchaser role to John Rogers.

    Authorization Policy
    A policy that grants the Purchaser role the right to perform the Purchase action on index.jsp.
    The policy grants access only if the user’s CustomerStatus attribute is Gold, and when this is true, the Limit response attribute is used to return a spending limit of 1000.00 to the application context.
    In policy notation, this policy definition is:
        Grant (purchase, //WepApp/url/index.jsp, //role/Purchaser)
            if CustomerStatus="gold" AND report_as(Limit, "1000.00")

To perform the policy simulation:

  1. In the left pane, select the application where the policies are defined.

    In an actual deployment, the application must be bound to the SSM corresponding to the SSM simulator running on the Administration Server.

  2. In the right pane, click the Policies tab and select Policy Simulation from the sub-menu.
  3. On the policy simulation page, click Select.
  4. On the Parameters Selection dialog, specify the following parameters and click OK.

    User — John Rogers
    Resource — //WepApp/url/index.jsp
    Action — Purchase

  5. Click Get Results.

    The initial policy result is Deny because no CustomerStatus attribute is available.

    In the Attributes box, the simulator displays the CustomerStatus dynamic attribute and provides a field for you to simulate policy outcomes using values of your choosing.

  6. Select the CustomerStatus attribute’s Override checkbox. Then enter silver in the Value field and click Get Results.

    Based on the attribute value, the policy returns a deny decision.

  7. Re-run the simulation using a CustomerStatus of gold.

    The policy outcome is Allow. The Response Name and Value fields indicate that the Limit response attribute was created and used to return “1,000.00” to the application context.
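
The three runs above can be reproduced with a small model of the decision flow. This is an added example, not the product's policy engine or code from this guide; the class and function names, the deny-by-default result, and case-insensitive action matching are assumptions.

```python
# Toy model of the sample simulation (added illustration, hypothetical names).
from dataclasses import dataclass, field


@dataclass
class AuthzPolicy:
    action: str
    resource: str
    role: str
    constraint: dict                                # attribute name -> required value
    responses: dict = field(default_factory=dict)   # models report_as(name, value)


# Objects from Table 5-1, written as the policy notation gives them.
ROLE_POLICIES = {"John Rogers": {"Purchaser"}}
AUTHZ_POLICIES = [
    AuthzPolicy("purchase", "//WepApp/url/index.jsp", "Purchaser",
                {"CustomerStatus": "gold"}, {"Limit": "1000.00"}),
]


def simulate(user, resource, action, overrides=None, only_get_roles=False):
    """Return what one simulation run would report for the given parameters."""
    attrs = dict(overrides or {})        # values entered through Override fields
    roles = set(ROLE_POLICIES.get(user, ()))
    result = {"roles": sorted(roles)}
    if only_get_roles:                   # "Only Get Roles": stop after role policies
        return result
    # Assumption: no matching grant means Deny.
    result.update(decision="Deny", responses={}, evaluated={})
    for p in AUTHZ_POLICIES:
        # Assumption: action names are compared case-insensitively.
        if (p.action.lower(), p.resource) != (action.lower(), resource):
            continue
        if p.role not in roles:
            continue
        # Report every attribute the constraint needed, even when it has no
        # value yet, so the operator can supply one and re-run.
        for name in p.constraint:
            result["evaluated"][name] = attrs.get(name)
        if all(attrs.get(n) == v for n, v in p.constraint.items()):
            result["decision"] = "Allow"
            result["responses"] = dict(p.responses)
            break
    return result


if __name__ == "__main__":
    params = ("John Rogers", "//WepApp/url/index.jsp", "Purchase")
    for ov in (None, {"CustomerStatus": "silver"}, {"CustomerStatus": "gold"}):
        print(ov, "->", simulate(*params, overrides=ov))
```

A missing attribute and a non-matching attribute both end in Deny, but only the `evaluated` entry tells them apart, which is why the simulator surfaces the attribute with an Override field after the first run.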

