You use the Security Configuration module to create and modify security data that is used in AquaLogic Service Bus inbound security and administrative security.
Inbound transport-level security and message-level security use the user, group, and role data to authenticate inbound client requests, and then apply access control policies to determine which authenticated users are authorized to use proxy services and business services.
Administrative security uses the user, group, and role data to determine which authenticated users are authorized to create or modify AquaLogic Service Bus configuration data or to monitor AquaLogic Service Bus performance.
Note:
You cannot export users, groups, roles, or access control policies when you export a configuration because these objects are located in security provider stores. You must create these objects again when you import the exported configuration or use WebLogic Server tools (if available) to export and import them.
The following sections describe the pages that you can access from the Security Configuration module, together with the tasks and help topics associated with each.
Users
Users are entities that can be authenticated. A user can be a person or a software entity, such as a Web services client. You must give each user a unique identity (name) within a security realm.
Typically, the users that you create fall into two categories:
Client users who can access your proxy services or business services.
If you create a large number of client users, consider organizing them into security groups.
Administrative users who can use the AquaLogic Service Bus Console to create or modify proxy services, business services, and other AquaLogic Service Bus resources.
AquaLogic Service Bus uses role-based security for its administrative functions. Instead of giving access privileges directly to users, AquaLogic Service Bus gives administrative privileges only to security roles. To give administrative privileges to a user, you place the user in one of the default security groups, each of which is in one of the pre-defined security roles.
Groups
To facilitate administering a large number of users, you can organize users into named groups. Then, instead of giving access privileges or role identities to individual users, you give privileges or identities to groups.
Administrative Security Groups
AquaLogic Service Bus provides default security groups to facilitate giving users access to administrative functions such as creating proxy services. Each group is in one of the pre-defined AquaLogic Service Bus security roles that have been granted administrative privileges.
A security role is an identity that can be granted to a user or group based on conditions in the runtime environment. When you create access control policies, you can grant access to a role, group, or user.
For example, you can create two groups, MyCustomersEast and MyCustomersWest. You then create a security role named PrivilegedCustomer with conditions so that the MyCustomersWest group is in the role from 8am to 8pm EST, while the MyCustomersEast group is in the role from 8pm to 8am EST. Finally, you create an access control policy for a proxy service that grants the PrivilegedCustomer role access to the service. Different users then have access at different times, depending on whether they are in the MyCustomersEast or the MyCustomersWest group.
Administrative Security Roles
AquaLogic Service Bus provides four pre-defined security roles (plus four pre-defined roles from WebLogic Server) that give administrative privileges. You cannot change the access privileges for the AquaLogic Service Bus administrative security roles, but you can change the conditions under which a user or group is in one of the roles.
For more information about these roles and the privileges available for each role, see Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
Access Control Policies
An access control policy specifies conditions under which users, groups, or roles can access a proxy service. For example, you can create a policy that always allows users in the GoldCustomer role to access a proxy service and that allows users in the SilverCustomer role to access the proxy service only after 12pm on weeknights.
For all proxy services, you can create a transport-level policy, which applies a security check when a client attempts to establish a connection with the proxy service. Only requests from users who are listed in the transport-level policy are allowed to proceed. The check can identify a user only if the proxy service uses a transport protocol that lets the client supply credentials.
A message-level access control policy applies a security check when a client attempts to invoke a proxy service with message-level security. You can create a message-level access control policy in the following cases:
For proxy services that are active Web service security intermediaries
For proxy services that have message level custom authentication
Only users who are listed in the message-level policy are allowed to invoke the operation.
Security Configuration Data and Sessions
Users, groups, roles, and access control policies are persisted in security providers, which are not governed by AquaLogic Service Bus sessions. Therefore, you can create or modify this data when you are in or out of a session. Any additions or modifications to this data take effect immediately and are available to all sessions. If you discard a session in which you added or modified the data, the security data is not discarded.
Adding a User
The Create a New User - General Configuration page allows you to add a new user. To learn more about users, groups, and roles, see Overview of Security Configuration.
To Add a User
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
From the left navigation pane, select Security Configuration. The Summary of Users page is displayed.
Click Add New. The Create a New User - General Configuration page is displayed.
In the User Name field, enter a unique name. This is a required field.
In the Password field, enter a password. The password must be at least 8 characters long. This is a required field.
In the Confirm Password field, enter the same password you entered for the Password field. This is a required field.
In the Authentication Provider field, select the authentication provider for this user.
If multiple authentication providers are configured in the security realm, they will appear in the list. Select which authentication provider’s database should store information for the new user. See Supported Standards and Security Providers in AquaLogic Service Bus Security Guide.
(Optional) In the Group Membership field, select a group for this user:
Select a group from the Available Groups field.
Click the arrow to move the group into the Current Groups field.
To learn about the default groups and the access privileges they have, see Groups.
Do one of the following:
To create the user, click Save.
AquaLogic Service Bus Console saves the user and the user becomes available immediately to all sessions. If you are in a session when you add the user and then you discard the session, AquaLogic Service Bus Console does not delete the new user.
The Summary of Users page displays the new user.
To disregard changes and return to the Summary of Users page, click Cancel.
The Summary of Users page allows you to view a list of users that have been created in the AquaLogic Service Bus Console. To learn more about users, groups, and roles, see Overview of Security Configuration.
To List and Locate Users
From the left navigation pane, select Users from under Security Configuration. The Summary of Users page is displayed, which displays the following information for each user. For a more detailed description of the properties, see Viewing and Changing User Details.
Property
Description
User Name
The name assigned to the user. The name is a link to the View User Details page. To learn more, see Viewing and Changing User Details.
Group Membership
The name of the group to which this user belongs. The name is a link to the View Group Details page. To learn more, see Viewing and Changing Group Details.
Authentication Provider
The authentication provider for this user.
Options
Click the Delete icon to delete a specific user. To learn more, see Deleting a User.
To locate a specific user, do one of the following:
Filter by user name. Click Search, enter the search target, then click Search again. You can use the asterisk (*) wildcard character. (Other wildcard characters are not supported.) The users matching the search criteria are displayed.
Resort the list. Click on an underlined column name. Ascending and descending arrows indicate the sort order. Click the column name to change the sort order.
Scroll through the pages. Use the page controls above or below the table. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.
The Summary of Users page also enables you to do the following:
To create a new user, click Add New. To learn more, see Adding a User.
The View User Details page allows you to view and change details of a specific user. To learn more about users, groups, and roles, see Overview of Security Configuration.
To View and Change User Details
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
Click the user name. The View User Details page displays the following information.
Property
Description
User Name
The name of this user
Authentication Provider
The authentication provider that contains this user definition.
Group Membership
The name of the group to which this user belongs.
To edit the user details, click Reconfigure. The Edit User Details page is displayed.
Note:
You can edit user details while you are inside or outside a session.
Make the appropriate changes to the New Password, Confirm Password, and Group Membership fields. See Adding a User for a description of the fields.
Note:
You cannot change the User Name field.
Do one of the following:
To update the user, click Save Changes. The Summary of Users page is displayed.
AquaLogic Service Bus Console updates the user details and the update becomes available immediately to all sessions. If you are in a session when you update the user and then you discard the session, AquaLogic Service Bus Console does not delete the updates.
To disregard changes and return to the Summary of Users page, click Cancel.
The Summary of Users page allows you to delete a selected user or multiple users. To learn more about users, groups, and roles, see Overview of Security Configuration.
To Delete a User
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
From the left navigation pane, select Security Configuration. The Summary of Users page is displayed.
Select the user you want to delete. You can select multiple users if necessary.
Click Delete. A message prompting you to confirm that you want to delete the user is displayed.
Do one of the following:
To delete the user, click OK.
AquaLogic Service Bus Console deletes the user. If you are in a session when you delete the user and then you discard the session, AquaLogic Service Bus Console does not un-delete the user.
To disregard changes and return to the Summary of Users page, click Cancel.
Note:
Alternatively, you can click the Delete icon in the Options column of the user you want to delete.
The Create New Group page allows you to add a new group. To learn more about users, groups, and roles, see Overview of Security Configuration.
To Add a Group
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
From the left navigation pane, select Groups from under Security Configuration. The Summary of Groups page is displayed.
Click Add New. The Create New Group page is displayed.
In the Group Name field, enter a unique name. Note that you cannot enter spaces or special characters. This is a required field.
In the Authentication Provider field, select the authentication provider.
(Optional) In the Group Membership field, select a group to which this group belongs:
Select a group from the Available Groups field.
Click the arrow to move the group into the Current Groups field.
To learn about the default groups and the access privileges they have, see Groups.
Do one of the following:
To create the group, click Save.
AquaLogic Service Bus Console saves the group and the group becomes available immediately to all sessions. If you are in a session when you add the group and then you discard the session, AquaLogic Service Bus Console does not delete the new group.
The Summary of Groups page displays the new group.
To disregard changes and return to the Summary of Groups page, click Cancel.
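The two procedures above create users and groups by hand. Because these objects live in the authentication provider's store and are not carried in an exported configuration (see the note in the overview), a practitioner restoring a domain usually scripts them instead. The following WLST script is an added example, not code from the BEA documentation or from the product: it creates the same kind of groups and users through the realm's DefaultAuthenticator MBean and skips anything that already exists, so it can be re-run safely. The provider name, admin URL, environment variable names, sample groups and sample users are assumptions made for the example; the MBean operations it calls (lookupAuthenticationProvider, userExists, groupExists, createUser, createGroup, isMember, addMemberToGroup) are the WebLogic authentication provider's user and group reader/editor operations.

```python
"""Recreate ALSB client users and groups with WLST (Jython) instead of the console.

Added example, not from the BEA documentation.  Users and groups live in the
authentication provider's store, so an exported ALSB configuration does not
carry them; this script rebuilds them through the same DefaultAuthenticator
MBean the console writes to.  Run it under WLST:
    java weblogic.WLST provision_users.py
connect(), cmo, disconnect() and false are WLST builtins and do not exist in
plain Python, so they appear only inside main().  Older WLST releases ship an
old Jython, which is why the code avoids sorted(), generator expressions and
True/False.
"""
import os
import re

# Rules stated on the console pages: no spaces or < > in names, passwords of
# at least 8 characters.
_NAME_RE = re.compile(r'^[^\s<>]+$')
MIN_PASSWORD_LEN = 8

# Constructed sample data: the two groups from the PrivilegedCustomer example
# and one client user per group.  Passwords come from the environment
# (PW_<USER>), never from the script.
WANTED_GROUPS = {'MyCustomersEast': 'Clients served from the east region',
                 'MyCustomersWest': 'Clients served from the west region'}
WANTED_USERS = {'client_east_01': ['MyCustomersEast'],
                'client_west_01': ['MyCustomersWest']}


def valid_name(name):
    return name != '' and _NAME_RE.match(name) is not None


def valid_password(password):
    return len(password) >= MIN_PASSWORD_LEN


def plan(existing_users, existing_groups, wanted_users, wanted_groups):
    """Work out what has to be created so that re-running the script is safe.

    Returns (groups_to_create, users_to_create, memberships) as sorted lists;
    memberships are (user, group) pairs.  Bad names and references to groups
    that will not exist are rejected before anything is written to the realm.
    """
    for name in list(wanted_users.keys()) + list(wanted_groups.keys()):
        if not valid_name(name):
            raise ValueError('invalid name: %r' % name)
    groups_to_create, users_to_create, memberships = [], [], []
    for g in wanted_groups.keys():
        if g not in existing_groups:
            groups_to_create.append(g)
    for u, groups in wanted_users.items():
        if u not in existing_users:
            users_to_create.append(u)
        for g in groups:
            if g not in wanted_groups and g not in existing_groups:
                raise ValueError('user %s refers to unknown group %s' % (u, g))
            memberships.append((u, g))
    groups_to_create.sort()
    users_to_create.sort()
    memberships.sort()
    return groups_to_create, users_to_create, memberships


def apply_plan(atn, groups, users, memberships, passwords, descriptions):
    """atn is the provider MBean from realm.lookupAuthenticationProvider()."""
    for g in groups:
        atn.createGroup(g, descriptions.get(g, ''))
    for u in users:
        if not valid_password(passwords[u]):
            raise ValueError('password for %s is shorter than %d characters'
                             % (u, MIN_PASSWORD_LEN))
        atn.createUser(u, passwords[u], 'ALSB client user')
    for u, g in memberships:
        # false is the WLST builtin; the flag asks for direct membership only.
        if not atn.isMember(g, u, false):
            atn.addMemberToGroup(g, u)


def main():
    # Placeholders (assumptions of this example): admin URL and provider name.
    connect(os.environ['WLS_USER'], os.environ['WLS_PASSWORD'], 't3://localhost:7001')
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    atn = realm.lookupAuthenticationProvider('DefaultAuthenticator')
    existing_users = [u for u in WANTED_USERS.keys() if atn.userExists(u)]
    existing_groups = [g for g in WANTED_GROUPS.keys() if atn.groupExists(g)]
    groups, users, memberships = plan(existing_users, existing_groups,
                                      WANTED_USERS, WANTED_GROUPS)
    passwords = {}
    for u in users:
        passwords[u] = os.environ['PW_' + u.upper()]
    apply_plan(atn, groups, users, memberships, passwords, WANTED_GROUPS)
    print('created groups %s, users %s' % (groups, users))
    disconnect()


# WLST sets __name__ to 'main' rather than '__main__' when it runs a script file.
if __name__ in ('__main__', 'main'):
    main()
```

Keep the password environment variables and the WLS_PASSWORD value out of shell history and job logs; the script deliberately refuses passwords shorter than the console's minimum rather than letting the provider reject them halfway through the plan.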
The Summary of Groups page allows you to view a list of groups. To learn more about users, groups, and roles, see Overview of Security Configuration.
To List and Locate Groups
From the left navigation pane, select Groups from under Security Configuration. The Summary of Groups page is displayed, which displays the following information for each group. For a more detailed description of the properties, see Viewing and Changing Group Details.
Group Membership
The group to which this group belongs. The name is a link to the View Group Details page. To learn more, see Viewing and Changing Group Details.
Authentication Provider
The authentication provider that contains this group definition.
Delete
Click the Delete icon to delete a specific group. To learn more, see Deleting a Group.
To locate a specific group, do one of the following:
Filter by group name. Click Search, enter the search target, then click Search again. You can use the asterisk (*) wildcard character. (Other wildcard characters are not supported.) The groups matching the search criteria are displayed.
Resort the list. Click on an underlined column name. Ascending and descending arrows indicate the sort order. Click the column name to change the sort order.
Scroll through the pages. Use the page controls above or below the table. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.
The Summary of Groups page also enables you to do the following:
To create a new group, click Add New. See Adding a Group.
The View Group Details page allows you to view and change details of a specific group. To learn more about users, groups, and roles, see Overview of Security Configuration.
To View and Change Group Details
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
Make the appropriate changes to the Group Membership field. See Adding a Group for a description of the field.
Note:
You cannot change the Group Name field.
Do one of the following:
To update the group, click Save Changes. The Summary of Groups page is displayed.
AquaLogic Service Bus Console updates the group details and the update becomes available immediately to all sessions. If you are in a session when you update the group and then you discard the session, AquaLogic Service Bus Console does not delete the updates.
To disregard changes and return to the Summary of Groups page, click Cancel.
The Summary of Groups page allows you to delete a selected group or multiple groups. To learn more about users, groups, and roles, see Overview of Security Configuration.
To Delete a Group
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
From the left navigation pane, select Security Configuration. The Summary of Groups page is displayed.
Select the group you want to delete. You can select multiple groups if necessary.
Click Delete. A message prompting you to confirm that you want to delete the group is displayed.
Do one of the following:
To delete the group, click OK.
AquaLogic Service Bus Console deletes the group. If you are in a session when you delete the group and then you discard the session, AquaLogic Service Bus Console does not un-delete the group.
To disregard changes and return to the Summary of Groups page, click Cancel.
Note:
Alternatively, you can click the Delete icon in the Options column of the group you want to delete.
The Create New Role page allows you to add a new role. To learn more about users, groups, and roles, see Overview of Security Configuration.
To Add a New Role
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
From the left navigation pane, select Roles from under Security Configuration. The Global Roles page is displayed.
Click Add New. The Create New Role page is displayed.
In the Role Name field, enter a unique name. Note that you cannot enter spaces or special characters. This is a required field.
Note:
Be sure that there are no spaces or < > characters in the security role name. Security role names are case sensitive. The BEA convention is that all security role names are singular.
Do one of the following:
To create the role, click OK.
AquaLogic Service Bus Console saves the role and the role becomes available immediately to all sessions. If you are in a session when you add the role and then you discard the session, AquaLogic Service Bus Console does not delete the new role.
The Global Roles page displays the new role.
To disregard changes and return to the Global Roles page, click Cancel.
When you click OK to create the role, the next step is to define the conditions under which the role applies. On the Global Roles page, click the name of the new global role.
The Global Role Conditions page is displayed.
Under Role Conditions, click Add Condition.
The following prompt is displayed:
Choose the predicate you wish to use as your new condition
Choose a predicate from the list box. Typically, you choose Group. When a group is used to create a security role, the security role can be granted to all members of the group (that is, multiple users).
Click Next. The next steps depend on what you chose for your condition predicate. Do one of the following:
Condition Predicate...
Complete These Steps...
If you selected Group, enter one or more arguments that define the group or groups that should hold this role
In the Group Argument Name field, enter an argument that defines the group.
Click Add.
If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
Click Finish.
If you selected User, enter one or more arguments that define the user or users that should hold this role
In the User Argument Name field, enter an argument that defines the user.
Click Add.
If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
Click Finish.
If you selected Server is in development mode, Allow access to everyone or Deny access to everyone
Click Finish.
If you selected a time-constrained predicate such as Access occurs between specified hours, select start and end times and a GMT offset
In the Starting Time field, enter the earliest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
In the Ending Time field, enter the latest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
Click Finish.
If you selected Context element defined, enter a context element name
In the Context element name field, enter the name of the context element.
Click Finish.
If you selected Context element’s value equals a numeric constant, Context element’s value is greater than a numeric constant, or Context element’s value is less than a numeric constant, enter a context element name and a numeric value to compare it against
In the Context element name field, enter the name of the context element the value of which is to be evaluated.
In the Numeric Value field, enter a numeric value.
Click Finish.
If you selected Context element’s value equals a string value, enter a context element name and a string value to compare it against
In the Context element name field, enter the name of the context element the value of which is to be evaluated.
In the String Value field, enter the string value that you want to compare.
Click Finish.
If you selected a time-constrained predicate such as Access occurs before or Access occurs after
In the Date field, enter a date in the format mm/dd/yy. For example, enter 1/1/04. You can add an optional time in the format hh:mm:ss AM|PM. For example, you can enter 1/1/04 12:45:00 AM.
Click Finish.
If you selected the time-constrained predicate Access occurs on specified days of the week, select the day of the week and a GMT offset
In the Day of week field, enter the day of the week.
In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
Click Finish.
If you selected a time-constrained predicate such as Access occurs on a specified day of the month, Access occurs before a specified day of the month, or Access occurs after a specified day of the month
In the Day of the Month field, enter the ordinal number of the day within the current month with values in the range from -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month.
In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
Click Finish.
If necessary, repeat the Add Condition steps above to add expressions based on different role conditions. You can do the following in the Role Conditions section to modify the expressions:
To...
Complete These Steps...
Change the ordering of the selected expression
Click Move Up and Move Down.
Merge or unmerge role conditions and switch the highlighted and or statements between expressions.
Click Combine and Uncombine.
Make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.
Click Negate.
Delete a selected expression
Click Remove.
When all the expressions in the Role Conditions section are correct, click Save. Like other security configuration data, role conditions are stored in the security provider and take effect immediately for all sessions; they are not held in a session that you must activate in the Change Center (see Security Configuration Data and Sessions).
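As an added example that is not part of the BEA documentation, the following Python code models how the role conditions entered above are evaluated, so that a condition set can be checked offline before it is saved. It covers the Group and User predicates, the time-based predicates with a GMT offset written as in the console, the -31..31 day-of-month numbering, and the Negate and Combine (and/or) operations, and it encodes the PrivilegedCustomer example from the overview. The Request class, the sample users and the request times are constructed for the example; in the product the evaluation is performed by the realm's role mapping provider, which is not called here.

```python
"""Evaluate global role conditions offline, the way the role mapper would.

Added example, not code from the BEA documentation.  Models the predicates
from the Add Condition table: Group, User, Access occurs between specified
hours, Access occurs on specified days of the week and Access occurs on a
specified day of the month, plus Negate and and/or combination.  Times are
entered exactly as in the console ('hh:mm:ss AM|PM', 'GMT-5:00').  Sample
roles, users and request times are constructed for this example.
"""
import datetime

WEEKDAYS = ('Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday',
            'Saturday', 'Sunday')


class Request(object):
    """What the role mapper sees: the authenticated user, their groups and the
    request time.  when_utc is 'YYYY-MM-DD HH:MM' in UTC."""

    def __init__(self, user, groups, when_utc):
        self.user = user
        self.groups = frozenset(groups)
        self.when_utc = datetime.datetime.strptime(when_utc, '%Y-%m-%d %H:%M')


def _parse_offset(gmt_offset):
    """'GMT+hh:mm' / 'GMT-hh:mm' as entered in the GMT offset field."""
    if not gmt_offset.startswith('GMT') or gmt_offset[3] not in '+-':
        raise ValueError('offset must look like GMT+hh:mm or GMT-hh:mm: %r' % gmt_offset)
    hh, mm = gmt_offset[4:].split(':')
    delta = datetime.timedelta(hours=int(hh), minutes=int(mm))
    return delta if gmt_offset[3] == '+' else -delta


def _local(request, gmt_offset):
    return request.when_utc + _parse_offset(gmt_offset)


def _clock(text):
    return datetime.datetime.strptime(text, '%I:%M:%S %p').time()


# Each predicate builder returns a function Request -> bool.

def group(*names):
    return lambda r: not r.groups.isdisjoint(names)


def user(*names):
    return lambda r: r.user in names


def between_hours(start, end, gmt_offset):
    """A window whose end is earlier than its start (08:00 PM to 08:00 AM)
    wraps past midnight; that is how the MyCustomersEast window is written."""
    s, e = _clock(start), _clock(end)

    def pred(r):
        t = _local(r, gmt_offset).time()
        if s <= e:
            return s <= t < e
        return t >= s or t < e
    return pred


def on_days_of_week(days, gmt_offset):
    wanted = set(days)
    return lambda r: WEEKDAYS[_local(r, gmt_offset).weekday()] in wanted


def on_day_of_month(day, gmt_offset):
    """1..31 count from the start of the month, -1..-31 from the end (-1 is the
    last day).  0 is 'the day before the first day', so it never matches a day
    inside the month."""
    if not -31 <= day <= 31:
        raise ValueError('day of month must be in -31..31')

    def pred(r):
        d = _local(r, gmt_offset)
        last = ((d.replace(day=28) + datetime.timedelta(days=4)).replace(day=1)
                - datetime.timedelta(days=1)).day
        wanted = day if day > 0 else last + 1 + day
        return d.day == wanted
    return pred


def negate(pred):
    return lambda r: not pred(r)


def all_of(*preds):
    return lambda r: all(p(r) for p in preds)


def any_of(*preds):
    return lambda r: any(p(r) for p in preds)


def roles_for(request, role_conditions):
    """role_conditions maps role name -> combined predicate.  Returns the set
    of roles the request is in, which is what access control policies test."""
    return set(name for name, pred in role_conditions.items() if pred(request))


# The PrivilegedCustomer example from the overview, written as conditions.
EST = 'GMT-5:00'
ROLE_CONDITIONS = {
    'PrivilegedCustomer': any_of(
        all_of(group('MyCustomersWest'), between_hours('08:00:00 AM', '08:00:00 PM', EST)),
        all_of(group('MyCustomersEast'), between_hours('08:00:00 PM', '08:00:00 AM', EST))),
    # NOT Group Operators, as produced by the Negate button.
    'NonOperator': negate(group('Operators')),
}

if __name__ == '__main__':
    for when in ('2024-01-31 15:00', '2024-02-01 03:00'):   # 10:00 and 22:00 EST
        for name, groups in (('west1', ['MyCustomersWest']), ('east1', ['MyCustomersEast'])):
            print(when, name, sorted(roles_for(Request(name, groups, when), ROLE_CONDITIONS)))
```

Two points the model makes visible: a between-hours window is evaluated in the offset you typed, not in the server's clock, so a wrong GMT offset silently shifts the shift boundary; and a negated Group condition grants the role to every authenticated user outside that group, including users in no group at all.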
The Global Roles page allows you to view a list of roles. To learn more about users, groups, and roles, see Overview of Security Configuration.
To List and Locate Roles
From the left navigation pane, select Roles from under Security Configuration. The Global Roles page is displayed, which displays the following information for each role. For a more detailed description of the properties, see Viewing and Changing Role Details:
To locate a specific role, scroll through the pages. Use the controls in the lower right corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.
This page also enables you to do the following:
To create a new role, click Add New. To learn more, see Adding a Role.
To delete a selected role, click Delete. To learn more, see Deleting a Role.
The View Role Details page allows you to view and change details of a specific role. To learn more about users, groups, and roles, see Overview of Security Configuration.
To View and Change Role Details
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
Merge or unmerge role conditions and switch the highlighted and or statements between expressions.
Click Combine and Uncombine.
Make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.
Click Negate.
Delete a selected expression
Click Remove.
Click Save. The Global Roles page is displayed.
AquaLogic Service Bus Console updates the role and the update becomes available immediately to all sessions. If you are in a session when you update the role and then you discard the session, AquaLogic Service Bus Console does not delete the updates.
To Delete a Role
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
From the left navigation pane, select Roles from under Security Configuration. The Global Roles page is displayed.
Select the role you want to delete. You can select multiple roles if necessary.
Click Delete. A message prompting you to confirm that you want to delete the role is displayed.
Do one of the following:
To delete the role, click OK.
AquaLogic Service Bus Console deletes the role. If you are in a session when you delete the role and then you discard the session, AquaLogic Service Bus Console does not un-delete the role.
To disregard changes and return to the Global Roles page, click Cancel.
The Access Control for Proxy Services page provides a link to the access control policies for proxy services in the current AquaLogic Service Bus domain.
Note:
This page does not list proxy services that you have created in a session but have not yet activated. If you want to edit access control policies for a new proxy service, first activate the session in which you created the proxy service.
To List and Locate Access Control Policies
If you want to locate the access control policies for a new proxy service, activate the session in which you created the proxy service.
From the left navigation pane, select Access Controls from under Security Configuration. The Access Control for Proxy Services page displays the following information for each proxy service:
Click the View Policies link to view or modify a policy. In the Service Authorization Policy column, the link is present only for proxy services that have message-level custom authentication, or that satisfy all of the following criteria:
Is a Web service
Its WSDL document includes a WS-Policy statement to secure at least one of its Web service operations
Is a WS-Security active intermediary (that is, when you used AquaLogic Service Bus Console to create the proxy service, you selected the Process WS-Security Header check box)
The Policy Details page allows you to edit the transport-level access control policy of a proxy service. You access this page when you click View Policies in the Transport Authorization Policy column of a specific proxy service on the Access Control for Proxy Services page. The page displays the following information:
Property
Description
Proxy Service Name
Displays the name of the proxy service for which you selected View Policies on the Access Control for Proxy Services page.
Providers
Displays the authorization providers that are configured for the security realm.
Policy Conditions
Displays the conditions that determine for which users the proxy service will process requests.
To Edit a Transport-Level Access Control Policy
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
In the policy editor’s Authorization Provider field, select an authorization provider. BEA recommends that you select the XACMLAuthorizer.
Note:
As of release 2.5, AquaLogic Service Bus deprecates support for the WebLogic Default Authorization provider. Instead, BEA recommends that you use the WebLogic XACML Authorization provider. See Supported Standards and Security Providers in AquaLogic Service Bus Security Guide.
The Policy Details page allows you to edit the message-level access control policy of a proxy service that is a Web service and is configured to require message-level security. You access this page when you click View Policies in the Service Authorization Policy column of a specific proxy service on the Access Control for Proxy Services page. The page displays the following information:
Property
Description
Proxy Service Name
Displays the name of the proxy service for which you selected View Policies on the Access Control for Proxy Services page.
Providers
Displays the authorization providers that are configured for the realm.
Service Operations
Lists the operations in the proxy service that can be secured.
Policy Conditions
Displays the conditions that determine which users can invoke the operations that are selected under Service Operations.
To Edit a Message-Level Access Control Policy
Log in to the AquaLogic Service Bus Console as a user with WebLogic Server Admin privileges.
Only users in the Admin role can modify security configuration data. See Configuring Administrative Security in the AquaLogic Service Bus Security Guide.
In the policy editor’s Authorization Provider field, select an authorization provider. BEA recommends that you select the XACMLAuthorizer.
Note:
As of release 2.5, AquaLogic Service Bus deprecates support for the WebLogic Default Authorization provider. Instead, BEA recommends that you use the WebLogic XACML Authorization provider. See Supported Standards and Security Providers in AquaLogic Service Bus Security Guide.
Under Service Operations, select the proxy service (Web service) operation that you want to secure.
You can define access control policies for all operations, or for each operation in the service if message-level security is used.
Select ALL to secure all operations. If you secure only a single operation, every other operation in the list remains unprotected at the message level and can be invoked by any user who passes the transport-level check, so select ALL unless you intend to leave the other operations open.
Role
(For transport-level security, this condition applies only if the proxy service uses a protocol that enables a client to supply credentials.)
In the Role Argument Name field, enter the role to which you want to grant access.
If you have not already created the role that you entered in this field, you can do so after you finish creating access control policies. See Adding a Role. If you do not create this role, then no one will be granted access.
Click Add.
If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
Do one of the following:
To save the arguments and return to the predicate list, click Finish.
To discard the changes and return to the predicate list, click Back.
To discard the changes and return to the View Policy Details page, click Cancel.
Group
(For transport-level security, this condition applies only if the proxy service uses a protocol that enables a client to supply credentials.)
In the Group Argument Name field, enter the group to which you want to grant access.
If you have not already created the group that you entered in this field, you can do so after you finish creating access control policies. See Adding a Group. If you do not create this group, then no one will be granted access.
Click Add.
If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
Do one of the following:
To save the arguments and return to the predicate list, click Finish.
To discard the changes and return to the predicate list, click Back.
To discard the changes and return to the View Policy Details page, click Cancel.
User
(For transport-level security, this condition applies only if the proxy service uses a protocol that enables a client to supply credentials.)
In the User Argument Name field, enter the user to which you want to grant access.
If you have not already created the user that you entered in this field, you can do so after you finish creating access control policies. See Adding a User. If you do not create this user, then no one will be granted access.
Click Add.
If necessary, repeat steps 1 and 2 until you have finished adding arguments. You can click Remove to remove the arguments from the list.
Do one of the following:
To save the arguments and return to the predicate list, click Finish.
To discard the changes and return to the predicate list, click Back.
To discard the changes and return to the View Policy Details page, click Cancel.
Access occurs on specified days of the week
In the Day of week field, enter the day of the week.
In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
Do one of the following:
To save the arguments and return to the predicate list, click Finish.
To discard the changes and return to the predicate list, click Back.
To discard the changes and return to the View Policy Details page, click Cancel.
Access occurs between specified hours
In the Starting Time field, enter the earliest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
In the Ending Time field, enter the latest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
Do one of the following:
To save the arguments and return to the predicate list, click Finish.
To discard the changes and return to the predicate list, click Back.
To discard the changes and return to the View Policy Details page, click Cancel.
Access occurs before or Access occurs after
In the Date field, enter a date in the format mm/dd/yy. For example, enter 1/1/04. You can add an optional time in the format hh:mm:ss AM|PM. For example, you can enter 1/1/04 12:45:00 AM.
In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
Do one of the following:
To save the arguments and return to the predicate list, click Finish.
To discard the changes and return to the predicate list, click Back.
To discard the changes and return to the View Policy Details page, click Cancel.
Access occurs on a specified day of the month, Access occurs before a specified day of the month, or Access occurs after a specified day of the month
In the field labeled The day of the month, enter the ordinal number of the day within the current month, in the range -31 to 31. Negative values count back from the end of the month, so -1 specifies the last day of the month; 0 indicates the day before the first day of the month.
In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
Do one of the following:
To save the arguments and return to the predicate list, click Finish.
To discard the changes and return to the predicate list, click Back.
To discard the changes and return to the View Policy Details page, click Cancel.
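The time-based conditions above (day of the week, between hours, before or after a date, and the -31 to 31 day-of-month ordinal) all evaluate in the GMT offset you enter, and the day-of-month rule is easy to misread. As an added example that is not code from the AquaLogic Service Bus console or from BEA, the following Python implements each of these conditions using exactly the input formats the editor documents. The `sample_instant` value is constructed; the reading of a date with no time as midnight and the wrap-past-midnight rule for a between-hours window whose end precedes its start are assumptions, since the help text does not state them.

```python
import re
from datetime import date, datetime, time, timedelta, timezone

# Added example (not AquaLogic Service Bus code): evaluators for the time-based
# policy conditions, using the input formats the policy editor documents
# (GMT+hh:mm / GMT-hh:mm, hh:mm:ss AM|PM, mm/dd/yy, day-of-month -31..31).

_GMT_RE = re.compile(r"^GMT([+-])(\d{1,2}):(\d{2})$")

def parse_gmt_offset(text: str) -> timezone:
    """Turn 'GMT-5:00' or 'GMT+05:30' into a fixed-offset tzinfo."""
    m = _GMT_RE.match(text.strip())
    if not m:
        raise ValueError(f"expected GMT+hh:mm or GMT-hh:mm, got {text!r}")
    sign, hh, mm = m.groups()
    delta = timedelta(hours=int(hh), minutes=int(mm))
    return timezone(-delta if sign == "-" else delta)

def parse_clock_time(text: str) -> time:
    """Parse 'hh:mm:ss AM|PM'; '12:45:00 AM' is 00:45:00."""
    return datetime.strptime(text.strip(), "%I:%M:%S %p").time()

def parse_policy_date(text: str) -> datetime:
    """Parse 'mm/dd/yy' with an optional 'hh:mm:ss AM|PM', e.g. '1/1/04 12:45:00 AM'.
    Assumption: a date with no time means midnight at the start of that day."""
    text = text.strip()
    for fmt in ("%m/%d/%y %I:%M:%S %p", "%m/%d/%y"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"expected mm/dd/yy [hh:mm:ss AM|PM], got {text!r}")

def local_now(now: datetime, gmt_offset: str) -> datetime:
    """Shift an aware instant into the policy's fixed offset; every condition
    below compares in that offset, not in the server's own time zone."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    return now.astimezone(parse_gmt_offset(gmt_offset))

def on_day_of_week(now: datetime, day: str, gmt_offset: str) -> bool:
    """Access occurs on specified days of the week."""
    return local_now(now, gmt_offset).strftime("%A").lower() == day.strip().lower()

def between_hours(now: datetime, start: str, end: str, gmt_offset: str) -> bool:
    """Access occurs between specified hours. Assumption: an end earlier than
    the start means the window wraps past midnight."""
    t = local_now(now, gmt_offset).time()
    s, e = parse_clock_time(start), parse_clock_time(end)
    return s <= t <= e if s <= e else (t >= s or t <= e)

def before_date(now: datetime, when: str, gmt_offset: str) -> bool:
    """Access occurs before the given date (and optional time)."""
    return local_now(now, gmt_offset).replace(tzinfo=None) < parse_policy_date(when)

def after_date(now: datetime, when: str, gmt_offset: str) -> bool:
    """Access occurs after the given date (and optional time)."""
    return local_now(now, gmt_offset).replace(tzinfo=None) > parse_policy_date(when)

def resolve_day_of_month(today: date, ordinal: int) -> date:
    """Map the editor's -31..31 ordinal onto a date in today's month: n > 0 is
    the nth day, negatives count back from the end (-1 is the last day), and
    0 is the day before the first day of the month."""
    if not -31 <= ordinal <= 31:
        raise ValueError("day of the month must be in -31..31")
    first = today.replace(day=1)
    if ordinal > 0:
        return first + timedelta(days=ordinal - 1)  # 31 in a 30-day month lands in next month
    if ordinal == 0:
        return first - timedelta(days=1)
    next_first = (first + timedelta(days=32)).replace(day=1)
    return next_first + timedelta(days=ordinal)

def day_of_month(now: datetime, ordinal: int, relation: str, gmt_offset: str) -> bool:
    """Access occurs on / before / after a specified day of the month."""
    today = local_now(now, gmt_offset).date()
    target = resolve_day_of_month(today, ordinal)
    if relation == "on":
        return today == target
    if relation == "before":
        return today < target
    if relation == "after":
        return today > target
    raise ValueError(f"relation must be on, before or after, got {relation!r}")

def sample_instant() -> datetime:
    """Constructed test instant: 03:30 UTC on 1 March 2024, which is still
    29 February (a Thursday and the last day of the month) at GMT-5:00."""
    return datetime(2024, 3, 1, 3, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    now = sample_instant()
    print(on_day_of_week(now, "Thursday", "GMT-5:00"))  # True
    print(day_of_month(now, -1, "on", "GMT-5:00"))      # True: last day of February
    print(day_of_month(now, -1, "on", "GMT+0:00"))      # False: 1 March is not the last day
```

The sample instant is chosen so that the same moment falls on different calendar days at GMT-5:00 and at GMT+0:00; the offset you enter therefore decides which day-of-week and day-of-month rules fire. Note that a value such as GMT-5:00 is a fixed offset and does not follow daylight saving time, so a window meant for local business hours drifts by an hour when clocks change.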
Context element’s value equals a string constant
(Applies only to transport-level security. A context element is a parameter/value pair that a container such as a Web container can optionally provide to a security provider. Context elements are not available for message-level access control policies.)
In the Context element name field, enter the name of the context element the value of which is to be evaluated.
The context elements that a Web container can supply are listed below by property name and description.
Property name: (not preserved on this page)
Description: The Internet Protocol (IP) address of the client that sent the request
Property name: <PREFIX>.<protocol>.client-host
Description: The fully qualified name of the client that sent the request
Property name: <PREFIX>.<protocol>.query-string
Description: The query string that is contained in the request URL after the path
Property name: <PREFIX>.<protocol>.relative-URI
Description: The relative URI of the request
In the String Value field, enter the string value that you want to compare.
Do one of the following:
To save the arguments and return to the predicate list, click Finish.
To discard the changes and return to the predicate list, click Back.
To discard the changes and return to the View Policy Details page, click Cancel.
Context element’s value is greater than a numeric constant, Context element’s value equals a numeric constant, or Context element’s value is less than a numeric constant
(Applies only to transport-level security. A context element is a parameter/value pair that a container such as a Web container can optionally provide to a security provider. Context elements are not available for message-level access control policies.)
In the Context element name field, enter the name of the context element the value of which is to be evaluated.
In the Numeric Value field, enter a numeric value.
Do one of the following:
To save the arguments and return to the predicate list, click Finish.
To discard the changes and return to the predicate list, click Back.
To discard the changes and return to the View Policy Details page, click Cancel.
Context element defined
(Applies only to transport-level security. A context element is a parameter/value pair that a container such as a Web container can optionally provide to a security provider. Context elements are not available for message-level access control policies.)
In the Context element name field, enter the name of the context element.
Do one of the following:
To save the arguments and return to the predicate list, click Finish.
To discard the changes and return to the predicate list, click Back.
To discard the changes and return to the View Policy Details page, click Cancel.
Deny access to everyone, Allow access to everyone, or Server is in development mode
Click Finish.
Alternatively, you can click Cancel to discard the changes and return to the View Policy Details page.
If necessary, repeat steps 3-5 to add expressions based on different policy conditions. You can do the following in the Policy Conditions section to modify the expressions:
To...: Complete These Steps...
Change the ordering of the selected expression: Select the check box associated with the condition, then click Move Up or Move Down.
Merge or unmerge policy conditions, or switch the highlighted operator between expressions from and to or (or the reverse): Select the check box associated with the appropriate conditions, then click Combine or Uncombine.
Make a condition negative (for example, NOT Group Operators excludes the Operators group from the policy): Select the check box associated with the condition, then click Negate.
Delete a selected expression: Select the check box associated with the condition, then click Remove.
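The following Python is an added example, not code from the AquaLogic Service Bus console or from BEA. It models the Role, Group and User conditions, the context-element conditions (string, numeric and defined), the Allow/Deny everyone conditions, and the Combine (and/or) and Negate operations from the table above as composable predicates, and it applies them per operation the way the Service Operations step describes: ALL secures every operation, while a policy attached to a single operation leaves every other operation open. The `example.prefix` value stands in for the `<PREFIX>` this page does not show, `http` is an assumed `<protocol>` segment, and the `example-count` element, host names, user, group, role and operation names are all constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Mapping

# Added example (not AquaLogic Service Bus code): the User, Group and Role
# conditions, the context-element conditions and the Combine/Negate operations
# modelled as predicates over a caller and the context elements a transport
# supplies. The policy "store" is a plain dict keyed by operation name.

PREFIX = "example.prefix"  # placeholder: the real <PREFIX> is not shown on this page
PROTOCOL = "http"          # assumption: the <protocol> segment for an HTTP proxy service

def ctx_key(element: str) -> str:
    """Build a '<PREFIX>.<protocol>.<element>' property name."""
    return f"{PREFIX}.{PROTOCOL}.{element}"

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()

Context = Mapping[str, str]
Condition = Callable[[Subject, Context], bool]

# User / Group / Role: a name that was never created matches nobody
def user_is(name: str) -> Condition:
    return lambda s, c: s.user == name

def in_group(name: str) -> Condition:
    return lambda s, c: name in s.groups

def in_role(name: str) -> Condition:
    return lambda s, c: name in s.roles

def allow_everyone() -> Condition:
    return lambda s, c: True

def deny_everyone() -> Condition:
    return lambda s, c: False

# Context elements (transport-level security only)
def context_defined(element: str) -> Condition:
    return lambda s, c: ctx_key(element) in c

def context_equals(element: str, value: str) -> Condition:
    return lambda s, c: c.get(ctx_key(element)) == value

def context_numeric(element: str, relation: str, value: float) -> Condition:
    """relation is 'gt', 'eq' or 'lt'; a missing or non-numeric element never matches."""
    compare = {"gt": lambda a, b: a > b, "eq": lambda a, b: a == b,
               "lt": lambda a, b: a < b}[relation]
    def cond(s: Subject, c: Context) -> bool:
        try:
            return compare(float(c[ctx_key(element)]), value)
        except (KeyError, ValueError):
            return False
    return cond

# Combine (and / or) and Negate
def negate(cond: Condition) -> Condition:
    return lambda s, c: not cond(s, c)

def all_of(*conds: Condition) -> Condition:
    return lambda s, c: all(k(s, c) for k in conds)

def any_of(*conds: Condition) -> Condition:
    return lambda s, c: any(k(s, c) for k in conds)

def authorize(policies: Mapping[str, Condition], operation: str,
              subject: Subject, context: Context) -> bool:
    """Apply the policy for an operation, falling back to ALL (assumption: an
    operation-specific policy takes precedence). As the help text says, an
    operation with no policy at all can be invoked by any user."""
    cond = policies.get(operation, policies.get("ALL"))
    return True if cond is None else cond(subject, context)

# Constructed sample data: hosts, users, groups and operation names are placeholders
SAMPLE_CONTEXT = {
    ctx_key("client-host"): "partner.example.com",
    ctx_key("query-string"): "op=getQuote",
    ctx_key("relative-URI"): "/quotes/QuoteService",
    ctx_key("example-count"): "12",  # constructed numeric element for the numeric conditions
}
ALICE = Subject("alice", groups=frozenset({"Partners"}))
BOB = Subject("bob", groups=frozenset({"Partners", "Operators"}))
ADMIN = Subject("admin", roles=frozenset({"QuoteAdmins"}))
STRANGER = Subject("eve")

# ALL secures every operation; getQuote is tighter and applies NOT Group Operators
SECURED = {
    "ALL": any_of(in_role("QuoteAdmins"), in_group("Partners")),
    "getQuote": all_of(in_group("Partners"), negate(in_group("Operators")),
                       context_equals("relative-URI", "/quotes/QuoteService")),
}
# Only a single operation selected: every other operation is open to any user
PARTIAL = {"getQuote": SECURED["getQuote"]}
```

The `PARTIAL` store reproduces the situation the Service Operations step warns about: with a policy on getQuote only, `authorize` returns True for any caller on every other operation, so a review of a proxy service's policies should confirm that ALL is selected whenever the intent is to protect the whole service. The Role, Group and User predicates also illustrate the note that a name entered before the corresponding role, group or user exists matches nobody.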