Oracle® Fusion Middleware Administrator's Guide for Oracle WebCenter Ensemble
10g Release 3 (10.3.0.1.0)
E14114-01

6 Policies and Rules

This chapter describes how to use policies and rules to control access to Oracle WebCenter Ensemble resources. It is divided into the following sections:

About Policies and Rules

Each non-login resource has an associated policy set. A policy set is a collection of policies that control access to a resource. Each policy grants access to a resource based on two criteria:

For details on creating and configuring policies, see Policies.

Rules describe a set of criteria that must be met. If the criteria are met, the rule evaluates to true. For example, a rule could restrict access to business hours or evaluate to true when the user's client is a specific browser. For details on creating and configuring rules, see Rules.

In addition to controlling access to a resource, policies associate a role with the user. Role information is sent to the proxied application, allowing the application to determine the correct access level for the user. Since more than one policy can be granted for a given user on a given resource, more than one role can be associated with a user. Roles are created with the resource configuration. For details on configuring roles, see Roles.

Policies

When you create a resource, Oracle WebCenter Ensemble creates a policy set for that resource. Policy sets map to resources 1:1. The name of the policy set is the same as the name of the resource and cannot be changed.

When Oracle WebCenter Ensemble creates the policy set, it also creates a default policy in that policy set. The default policy grants the Administrator user access to the resource. You can edit or delete this policy, and you can add new policies.

Creating a New Policy

To create a new policy:

  1. Launch the Ensemble Console.

  2. Click the POLICIES tab.

  3. Click the Policy Sets sub-tab.

  4. Click the name of the policy set associated with the resource you are configuring.

  5. On the Policies page, click Add policy.

Configuring a Policy

A policy consists of four properties:

  • A name.

  • The resource role the policy maps to. Roles are configured in the resource configuration. For details, see Roles.

  • One or more rules that describe the conditions for access.

  • Zero or more users or groups that are allowed access by this policy.

At minimum, a policy must have a name, a mapped resource role, and an associated rule.

To configure a policy:

  1. Launch the Ensemble Console.

  2. Click the POLICIES tab.

  3. Click the Policy Sets sub-tab.

  4. Click the name of the policy set associated with the resource you are configuring.

  5. On the Policies page, expand the policy you want to configure by clicking the expand icon.

  6. Type a Name for the policy.

  7. Associate a role with the policy. In the Maps to Resource Role drop-down list, select a role.

  8. Associate one or more rules with the policy:

    1. Click Add Rule.

    2. Select the rule or rules you want to add.

    3. Click Add selected items.

    4. Click OK.

    5. Select ANY or ALL. When ANY is selected and one or more rules evaluate to true, the policy evaluates to true (provided any user and group restrictions are satisfied). When ALL is selected, all rules must evaluate to true.

  9. Restrict the policy to specific users or groups (optional).

    1. Click Add User or Group.

    2. Select the users or groups you want to add.

    3. Click Add selected items.

    4. Click OK.

To delete users, groups, or rules, highlight the item to be deleted and click Delete.

Authentication Levels

Authentication levels determine the minimum credential level required to access a resource. Oracle WebCenter Ensemble checks the authentication level of a policy set before it evaluates any policies. If the user is not logged in, or is logged in with credentials lower than the set authentication level, the user is challenged with the authentication method.

For details on authentication, see Chapter 4, "Proxy Authentication."

Configuring Anonymous Access

Anonymous access allows users to access a resource without providing credentials. This is useful for resources such as login resources, where the user is not expected to be authenticated prior to accessing the resource.

To configure anonymous access:

  1. Launch the Ensemble Console.

  2. Click the POLICIES tab.

  3. Click the Policy Sets sub-tab.

  4. Click the name of the policy set associated with the resource you want to configure for anonymous access.

  5. Set the authentication level to Anonymous. In the Minimum Credential Level drop-down, select 0 (Anonymous).

  6. When prompted, create an anonymous policy. Select a resource role from the drop-down and click Create anonymous policy.

  7. Click Save.

A new policy, Anonymous policy, is created. This policy always evaluates to true for any user.

Granting Access to Users Who Are Currently Logged in to Oracle WebCenter Interaction

To allow a user who has already logged into the Oracle WebCenter Interaction portal to be granted access to the resource without authenticating with Oracle WebCenter Ensemble, perform the following:

  1. Launch the Ensemble Console.

  2. Click the POLICIES tab.

  3. Click the Policy Sets sub-tab.

  4. Click the name of the policy set associated with the resource you want to configure.

  5. Check the box next to Allow Portal Login Token.

  6. Click Save.

Rules

Rules are defined by one or more rule types. A rule type is a single condition that evaluates to true or false. The rule is configured so that either any or all of the rule types must evaluate to true for the rule to evaluate to true. The following table describes the available rule types:

Table 6-1 Rule Types

| Rule Type | Description |
|---|---|
| Client IP | Evaluates to true if this value matches the user's IP. You can configure the Client IP rule to match a range of IP addresses by using regular expressions. |
| Date | You can set the Date rule to be equal to, greater than, less than, greater than or equal to, or less than or equal to a given date. You can combine two Date rule types to provide access over a range of dates. |
| User | Evaluates to true if this value is the current user. |
| Secure connection | Evaluates to true if the connection is secure (HTTPS). |
| Time | You can set the Time rule to be equal to, greater than, less than, greater than or equal to, or less than or equal to a given time. You can combine two Time rule types to provide access over a period of time. |
| Browser | Evaluates to true if this value matches the user's browser type. |
| Group membership | Evaluates to true if this value is a group of which the user is a member. |
| Non-secure connection | Evaluates to true if the connection is not secure (HTTP). |
| Day of Week | Evaluates to true if this value is equal to the current day of the week. |
| Locale | Evaluates to true if this value matches the user's locale. |
| User property | Evaluates to true if this value matches the user's property value. |
| Always true | Always evaluates to true. |
| Always false | Always evaluates to false. |
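The Client IP rule type matches address ranges with regular expressions, so an unescaped or unanchored expression can accept addresses outside the intended range. The following added example (not part of the Oracle documentation or product) audits an expression against the range it is meant to cover. It assumes substring matching, the most permissive interpretation, because this guide does not state whether the expression is anchored; the range, patterns and probe addresses are constructed.

```python
import ipaddress
import re

def audit_ip_rule(pattern, intended_cidr, probes):
    """Compare what a Client IP expression accepts with the intended range.

    Uses re.search (substring match) as a worst case; how the product
    applies the expression is an assumption, not documented on this page.
    """
    net = ipaddress.ip_network(intended_cidr)
    rx = re.compile(pattern)
    false_accepts, false_rejects = [], []
    for ip in probes:
        matched = rx.search(ip) is not None
        inside = ipaddress.ip_address(ip) in net
        if matched and not inside:
            false_accepts.append(ip)      # rule would admit an outside address
        elif inside and not matched:
            false_rejects.append(ip)      # rule would block an intended address
    return false_accepts, false_rejects

INTENDED = "10.1.2.0/24"                  # constructed example range
LOOSE = "10.1.2."                         # dots unescaped, no anchors
STRICT = r"^10\.1\.2\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$"

# Constructed probe addresses: two inside the range, five outside it.
PROBES = ["10.1.2.7", "10.1.2.255", "10.1.20.7", "110.1.2.7",
          "10.132.9.9", "210.1.2.1", "10.1.3.7"]

if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        accepts, rejects = audit_ip_rule(pat, INTENDED, PROBES)
        print(name, "false accepts:", accepts, "false rejects:", rejects)
```

An expression that produces no false accepts under substring matching is also safe if the product anchors it.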


Creating and Editing Rules

You create rules in the rule library. To create a new rule:

  1. Launch the Ensemble Console.

  2. Click the POLICIES tab.

  3. Click the Rule Library sub-tab.

  4. To create a new rule, click Create new.

  5. On the General page, in the Name box, type the name of the rule.

  6. Type a Description of the rule.

  7. On the Definition page, click Add.

  8. Either select the rule type to create or click on an existing rule.

    Existing rules can be added as rule types. This allows compound rules to be formed. For example, a rule might evaluate to true if any of three users is accessing the resource from a secure connection. A rule type is created that evaluates to true for any of the three users. That rule type is added to a rule type where it and the Secure connection rule type must evaluate to true.

  9. Add the rule type by clicking OK.

  10. Click Add to add another rule type or finish creating the rule by clicking Save.
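The evaluation order described under Policies and Authentication Levels, together with the compound rule described in step 8 above, can be modeled as follows. This is an added example, not Oracle WebCenter Ensemble code. It assumes numeric credential levels, that a policy with no users or groups is unrestricted, and that access is denied when no policy evaluates to true; all names and sample values are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    """ANY or ALL of the rule types must be true. A rule type is a
    predicate over the request or another Rule (a compound rule)."""
    name: str
    mode: str      # "ANY" or "ALL"
    types: list

    def evaluate(self, req):
        results = (t.evaluate(req) if isinstance(t, Rule) else t(req)
                   for t in self.types)
        return any(results) if self.mode == "ANY" else all(results)

@dataclass
class Policy:
    name: str
    role: str      # resource role sent to the proxied application
    rules: list
    mode: str = "ALL"
    principals: set = field(default_factory=set)  # empty: unrestricted (assumption)

    def grants(self, req):
        results = (r.evaluate(req) for r in self.rules)
        rules_ok = any(results) if self.mode == "ANY" else all(results)
        who = {req["user"], *req["groups"]}
        return rules_ok and (not self.principals or bool(self.principals & who))

def evaluate_policy_set(min_level, policies, req):
    """Credential level is checked before any policy; every policy that
    grants access contributes its role."""
    if req["cred_level"] < min_level:
        return "challenge", set()
    roles = {p.role for p in policies if p.grants(req)}
    return ("allow", roles) if roles else ("deny", set())

# Constructed sample data (names, hours and levels are hypothetical).
def secure(req):
    return req["scheme"] == "https"

three_users = Rule("one-of-three", "ANY",
                   [lambda r, u=u: r["user"] == u for u in ("alice", "bob", "carol")])
compound = Rule("three-users-over-https", "ALL", [three_users, secure])
business_hours = Rule("business-hours", "ALL", [lambda r: 9 <= r["hour"] < 17])
POLICIES = [
    Policy("editors", "Editor", [compound]),
    Policy("staff-readers", "Reader", [business_hours], principals={"staff"}),
]
```

Because roles accumulate across policies, reviewing a policy set means checking every policy a user can satisfy, not only the first one.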

Published Rules

You can configure a rule to be published or not published. You can add a published rule to a policy. You can use an unpublished rule only as a rule type for other rules.

To publish a rule, from the rule's General page, select Is published. To unpublish the rule, clear the check box next to Is published.


Note:

If the rule is currently being used in a policy, it cannot be unpublished.