Administration Application Guide

Administration Policy

This section provides information on the following topics:
Security Roles

The security role defines a set of capabilities granted to users and groups based on specific conditions. Like groups, security roles allow you to restrict access to resources for several users at once. By using security roles, you limit what the user can do. Security roles differ from groups as follows:

Granting a security role to a user or a group confers the defined access privileges to that user or group, as long as the user or group is in the security role. For example, an administrator may define a security role called AppAdmin, which has write access to the resources of a particular web application. Any user or group granted the AppAdmin security role then has write access to that URL (Web) resource. Multiple users or groups can be granted a single security role and a user or group can belong to multiple roles.
Dynamic Role Mapping

At runtime, the Security Service compares users or groups against a role condition to determine whether they should be dynamically granted a security role. This process is referred to as role mapping, and occurs just prior to when the security service renders an access decision for a protected resource. An access decision is the component of an Authorization provider that determines whether a subject has permission to perform a given operation on a resource.

This dynamic mapping of security roles to users or groups provides a very important benefit: users or groups can be granted a security role based on business rules or the context of the request. For example, a user may be allowed to be in a Manager security role only while the actual manager is away. Dynamically granting this security role means that you do not need to change or redeploy your application to allow for such a temporary arrangement. You simply specify the hours between which the temporary manager should have special privileges. Further, you do not need to remember to revoke these special capabilities when the actual manager returns, as you would if you had temporarily added the user to a management group.
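The following is an added example, not code from the product, that simulates the two steps described above: role mapping evaluated against the request context, followed by the access decision over the mapped roles. The Python rule model, the function names, the //sgrp/ group qualifier and the users, hours and resources are assumptions constructed for illustration. The point it shows is that Bob's Manager role exists only while his time condition holds, so nothing has to be revoked when the window closes.

```python
"""Dynamic role mapping followed by an access decision.

Added example; not code from the BEA WebLogic Enterprise Security product.
The rule model, function names, the //sgrp/ group qualifier and the
sample users, hours and resources are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

Context = Dict[str, int]            # request context, e.g. {"hour": 10}
Condition = Callable[[Context], bool]


@dataclass(frozen=True)
class RoleRule:
    """grant(//role/<role>, <resource>, <subject>) if <condition>;"""
    role: str
    resource: str
    subject: str       # //user/<dir>/<name> or //sgrp/<dir>/<name> (group qualifier assumed)
    condition: Condition


@dataclass(frozen=True)
class PrivRule:
    """grant(//priv/<priv>, <resource>, //role/<role>) if <condition>;"""
    priv: str
    resource: str
    role: str
    condition: Condition


def covers(node: str, requested: str) -> bool:
    """A rule written on a resource node applies to that node and everything below it."""
    return requested == node or requested.startswith(node + "/")


def map_roles(rules: Iterable[RoleRule], user: str, groups: Iterable[str],
              resource: str, ctx: Context) -> Set[str]:
    """Role mapping: roles are computed at request time, so a grant whose
    condition depends on the context appears and disappears by itself."""
    subjects = {user, *groups}
    return {r.role for r in rules
            if r.subject in subjects and covers(r.resource, resource) and r.condition(ctx)}


def access_decision(rules: Iterable[PrivRule], roles: Set[str], priv: str,
                    resource: str, ctx: Context) -> bool:
    """Access decision: is the privilege granted to any mapped role?
    No matching grant means denial (closed policy, an assumption of this model)."""
    return any(r.priv == priv and r.role in roles and covers(r.resource, resource)
               and r.condition(ctx) for r in rules)


def is_authorized(role_rules: Iterable[RoleRule], priv_rules: Iterable[PrivRule],
                  user: str, groups: Iterable[str], priv: str, resource: str,
                  ctx: Context) -> bool:
    roles = map_roles(role_rules, user, groups, resource, ctx)
    return access_decision(priv_rules, roles, priv, resource, ctx)


# Constructed policy: Alice is the manager, Bob stands in for her only
# between 09:00 and 17:00, and members of the managers group are Managers too.
APP = "//app/policy/WLES/DefaultWebApp"
ROLE_RULES: List[RoleRule] = [
    RoleRule("Manager", APP, "//user/wles/alice", lambda ctx: True),
    RoleRule("Manager", APP, "//user/wles/bob", lambda ctx: 9 <= ctx["hour"] < 17),
    RoleRule("Manager", APP, "//sgrp/wles/managers", lambda ctx: True),
]
PRIV_RULES: List[PrivRule] = [
    PrivRule("approve", APP + "/url", "Manager", lambda ctx: True),
]

if __name__ == "__main__":
    for user, groups, hour in [("//user/wles/bob", [], 10),
                               ("//user/wles/bob", [], 18),
                               ("//user/wles/dave", ["//sgrp/wles/managers"], 18)]:
        ok = is_authorized(ROLE_RULES, PRIV_RULES, user, groups, "approve",
                           APP + "/url", {"hour": hour})
        print(f"{user} at {hour:02d}:00 -> {'granted' if ok else 'denied'}")
```

Because the role rule is scoped to a resource node, the same user asking for a resource outside that subtree receives no role at all, which is the same resource-hierarchy behaviour the rules in this chapter rely on.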

 


Understanding the Administration Policy

An administration policy is provided with the product to protect the Administration Application and its resources. This policy defines what tasks each role is allowed to perform within the console, which resources are protected, and how. While one user may be able to perform any and all tasks, you may want to allow other users to perform only a subset of those tasks. You can customize the administration policy by changing or replacing the roles and rules to suit your business needs: add users to the existing roles, or create your own roles with a new set of capabilities.

Because you may have several different levels of administration (for example one administrator might manage resources and another might manage identities), you probably want to assign various tasks to different individuals.

The following security roles are defined by the administration policy: Admin, Deployer, Operator, and Monitor.

Two additional roles, Anonymous Role and Everyone Role, are also included; however, these have minimal rules written against them. The sections that follow describe each role and its capabilities. The capabilities of each role are not hard coded; they are determined by the policy rules. The rule set may be modified or completely replaced to change the capabilities as needed. Additionally, new roles may be created to provide other combinations of capabilities.

A user of the Administration Application is assigned to one or more of these roles to determine what capabilities they have. The only role assignment provided in the default policy is the assignment of the user system to the Admin role.

Policy data is represented in the console using a specific proprietary format that requires the use of qualifiers. For additional information on qualifiers and naming of policy elements, see Securing Resources and Defining Policy Rules, in the BEA WebLogic Enterprise Security Policy Managers Guide.

Note: After you understand the Admin policy design, you can begin modifying it to suit your own needs, as described in Default Admin Policy.

Admin Role

The Admin role has complete control over a set of policy elements:

Anyone belonging to this role has all capabilities, except the ability to write deny rules. Although BEA discourages the use of deny rules, you can change the policy to allow this capability.

To view a list of users and groups who belong to the Admin role, click Role, and then click Admin. The Roles pane displays the following information.

Figure 3-1 Roles Pane for Admin

The Roles pane lists the rules assigning users and groups to roles. In this example, the user system is granted the Admin role for the root nodes of the Administration Application, WLES and WLESRecovery>>console. The privileges you define in your administration policy typically represent actions that you grant or deny. You grant or deny privileges through security rules. Typically sets of privileges are granted to Roles, then Roles are granted to users and groups.

To view the policy rules associated with the Admin role, click Role, click Admin, and then click Policy Inquiry.

Figure 3-2 Policy Rules for Admin Role


The Policy Inquiry page lists each resource that the user is allowed to access and the privilege (for example, GET, POST, addMember, bind), that applies to that resource. Each entry in the resulting table shows the name of a Privilege (What action can the Admin take?), a Resource (What resource can the Admin access?), and any Policy Conditions that apply to the policy rule (What conditions apply to the rule?).

Notice the use of Policy Conditions; sys_user_q is a built-in system attribute defined as the current user in the system group: //user/wles/system/. For additional information on built-in system attributes, see "Securing Resources and Defining Policy Rules," in the BEA WebLogic Enterprise Security Policy Managers Guide.

A Resource is defined as it appears in the resource tree. For example, the resource referred to as policy>>WLES>>DefaultWebApp is represented in the console as follows:

Figure 3-3 Representation of the WLES Resource


Here, the DefaultWebApp is a child node bound to its parent: WLES. In turn, this node has one child resource node defined as url, which represents the URL of the default web application being protected.

Deployer Role

The Deployer security role has more limited control over a set of policy elements:

No one is assigned to the Deployer role (as shown here). You may choose to add users to this role and modify the rules associated with it or you may create a new role that better suits your needs. To view the policy rules associated with this role, click Role, click Deployer, and then click Policy Inquiry.


 

Operator Role

The Operator security role has the following rights:

There are no users assigned to this role. You may choose to add users to this role and modify the rules associated with it or you may create a new role that better suits your needs.

Monitor Role

The Monitor security role has the following rights:

This security role effectively provides read-only access to the Administration Console. There are no users assigned to this role. You may choose to add users to this role and modify the rules associated with it or you may create a new role that better suits your needs.


 

Everyone Role

The Everyone security role is assigned to all authenticated and unauthenticated users (allusers). The Everyone role is limited to the following rights:

You can assign privileges to allow additional capabilities. You may choose to add users to this role and modify the rules associated with it or you may create a new role that better suits your needs.

Anonymous Role

The Anonymous role has no rights and no users are assigned to this role. This role typically contains all unauthenticated users and allows access to only unprotected resources.

Resources

Table 3-1 lists the resources protected by the Admin Policy with a description of each one. You can write rules based on these resources to control what privileges users have within the Administration Application. By default, the admin resources are all nested below the //app/policy/WLES organization node. These resources are organized into a hierarchy to make writing policy simpler.

Table 3-1 Resources

Resource Name | Description
admin/Declaration/Attribute | Used to protect operations on attribute declarations.
admin/Declaration/Constant | Used to protect operations on constant declarations.
admin/Declaration/Enumeration | Used to protect operations on enumeration declarations.
admin/Declaration/EvaluationFunction | Used to protect operations on evaluation function declarations.
admin/Identity/Directory/Instance | Used to protect operations on identity directory instances.
admin/Identity/Directory/AttributeMapping/Single | Used to protect operations on what scalar attributes may be assigned to users within a directory.
admin/Identity/Directory/AttributeMapping/List | Used to protect operations on what vector attributes may be assigned to users within a directory.
admin/Identity/Subject/User | Used to protect operations on users.
admin/Identity/Subject/Group | Used to protect operations on groups.
admin/Identity/Subject/AttributeAssignment/Single | Used to protect operations on scalar subject attribute values.
admin/Identity/Subject/AttributeAssignment/List | Used to protect operations on vector subject attribute values.
admin/Identity/Subject/Password | Used to protect operations on user passwords.
admin/Resource/Instance | Used to protect operations on resources.
admin/Resource/AttributeAssignment/Single | Used to protect operations on scalar resource attribute values.
admin/Resource/AttributeAssignment/List | Used to protect operations on vector resource attribute values.
admin/Resource/MetaData/LogicalName | Used to protect operations on setting the "logical name" resource metadata.
admin/Resource/MetaData/IsApplication | Used to protect operations on setting the "is application" resource metadata.
admin/Resource/MetaData/IsDistributionPoint | Used to protect operations on setting the "is distribution point" metadata.
admin/Policy/Rule/Grant | Used to protect operations on grant rules.
admin/Policy/Rule/Deny | Used to protect operations on deny rules.
admin/Policy/Rule/Delegate | Used to protect operations on delegate rules.
admin/Policy/Action/Role/Instance | Used to protect operations on roles (when used as actions).
admin/Policy/Action/Privilege/Instance | Used to protect operations on privileges.
admin/Policy/Action/Privilege/Group | Used to protect operations on privilege groups.
admin/Policy/Analysis/InquiryQuery | Used to protect operations on policy inquiries.
admin/Policy/Analysis/VerificationQuery | Used to protect operations on policy verification.
admin/Infrastructure/Engines/ARME | Used to protect operations on definitions of the Authorization and Role Mapping Engine (ARME).
admin/Infrastructure/Engines/SCM | Used to protect operations on definitions of the Service Control Manager (SCM).
admin/Infrastructure/Management/Loader | Used to protect operations on the policy loader.
admin/Policy/Repository | Used to protect operations on the policy repository.

Privileges

Table 3-2 lists the privileges that apply to the security roles and describes each one. The view privilege is required to see the contents of an instance of a policy element, for example, to see the value of an attribute. The listAll privilege is needed to list all the instances of a particular type of policy element, for example, to see all the users in a directory. You may want to think of this as the difference between being able to open a file and to list a file in a directory. You can use these privileges in rules to control what operations administrators of the Administration Application may perform.

Table 3-2 Privileges

Privilege | Explanation
create | Create a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
view | View the contents of a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
delete | Delete a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
cascadeDelete | Delete an element and its sub-elements (no permission check is made on sub-elements), including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
rename | Rename a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
modify | Modify the contents of a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.
listAll | Filter lists of instances based on a pattern specification.
addMember | Add a member to a group.
removeMember | Remove a member from a group.
execute | Execute a policy analysis query.
deployUpdate | Deploy a policy update.
deployStructuralChange | Deploy a structural change.
bind | Bind a resource to an ASI Authorization and ASI Role Mapping provider.
unbind | Unbind a resource from an ASI Authorization and ASI Role Mapping provider.
login | Log on to the Administration Application, including the Administration Console, and the Policy Import and Export tools.
copy | Copy a policy element, including identities (identity directories, users, groups, identity attributes), resources and their attributes, configuration data and their bindings, and privileges and privilege groups.

Context Attributes

When the Administration Application performs an authorization check, contextual data is provided to allow for fine-grained protection of policy operations. For example, when creating a privilege, the name of the privilege is supplied as an attribute, enabling you to control access to a single unique privilege and to all privileges.

The following attributes are used by the Administration Application; additionally, you may use any of the standard built-in attributes which are always available during authorization.

Table 3-3 Context Attributes

Attribute Name | Data Type | Description
declaration | string | Name of a declaration.
data_type | string | The name of a data type, for example, string, integer, or date.
attribute_usage_type | Enumeration (resource_attribute, subject_attribute, dynamic_attribute) | Specifies the type of policy element with which an attribute declaration is associated.
new_name | string | Generic attribute used when renaming elements.
new_attribute_usage_type | Enumeration (resource_attribute, subject_attribute, dynamic_attribute) | The new value of this item, used in modify operations.
value | string | Generic attribute used to represent the value of an element.
values | list of strings | Generic attribute used to represent the value of an element as a list.
directory | string | The name of a directory.
attribute | string | The name of an attribute.
default_value | string | The default value of an attribute.
default_values | list of strings | The default value of a list attribute.
new_default_value | string | Used in modification operations to represent the new default value of an attribute.
new_default_values | list of strings | Used in modification operations to represent the new default value of a list attribute.
subject_name | string | The name of a subject.
subjects | list of strings | A list of subjects.
groups | list of strings | The group membership of the subject.
subject_type | Enumeration (user_subject, group_subject, role_subject) | The type of subject.
member_subject_type | Enumeration (user_subject, group_subject, role_subject) | The type of the subject group member.
member_subject | string | Name of subject group member.
action | string | Name of the action.
action_type | Enumeration (privilege_action, role_action) | Type of the action.
resource | string | The name of the resource.
resources | list of strings | A list of resources.
constraint | string | The constraint of a rule; this is the portion between 'if' and ';', exclusive.
new_action | string | Name of new action in a modified rule.
new_action_type | string | New action type in a modified rule.
new_resource | string | New resource in a modified rule.
new_subject_name | string | New subject name.
new_constraint | string | New constraint in a modified rule.
delegator | string | The name of the delegator in a rule.
new_delegator | string | New delegator in a modified rule.
actions | list of strings | A set of actions.
action_groups | list of strings | A list of privilege group names.
action_group | string | The name of a privilege group.
parent_resource | string | The parent of the resource.
meta_data | string | The name of the metadata item.
logical_name | string | The logical name of a resource.
deleted_directories | list of strings | A list of deleted directories.
deleted_engines | list of strings | A list of deleted engines. (1)
deployed_engines | list of strings | A list of deployed engines.
deleted_bindings | list of strings | A list of deleted engine binding node pairs.
deleted_applications | list of strings | A list of deleted applications.
engine | string | The name of an ARME or SCM cluster.
engine_bindings | list of strings | A list of bindable resources bound to the ARME or SCM.
owner | string | The owner of an analysis query.
effect_type | Enumeration (grant_effect, deny_effect, delegate_effect) | The type of rule effect.
title | string | The title of an analysis query.

1. The term engine refers to an ASI Authorization provider and an ASI Role Mapper provider that are configured to operate in conjunction with one another. This combination of providers is configured to manage your authorization policy.

Evaluation Functions

The following evaluation functions are provided to help you write custom administration policies. They may be used in the constraint portion of rules to limit the applicability of the rule based on contextual information.

Table 3-4 Evaluation Functions

Function Name | Description
resource_is_child(c,p,[d]) | Check if c is a child of p. d is a Boolean standing for "direct". By default, d is true, meaning check if c is directly a child of p. If false, then c may be a descendant of p at any depth.
subject_in_directory(s,d) | Check if subject s is in directory d. This does not guarantee that either s or d exists, only that based on the name one would be in the other.
subject_is_group(s), subject_is_user(s), subject_is_role(s) | Check if the subject is a group, a user, or a role, respectively.
action_is_privilege(a), action_is_role(a) | Check if the action is a privilege or a role, respectively.
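As an added example (not code from the product), the following implements the evaluation functions of Table 3-4 over qualified names as they appear on this page and evaluates a rule constraint that uses them against the context attributes an authorization query supplies (Table 3-3). It assumes subjects are named //user/<directory>/<name>, uses //sgrp/<directory>/<name> as the group qualifier (an assumption; the page does not show the group form), takes the directory argument as a bare directory name, and accepts only a reduced constraint syntax: function calls joined by "and", plus the literal "true".

```python
"""The evaluation functions of Table 3-4 and a small constraint evaluator.

Added example; not code from the BEA WebLogic Enterprise Security product.
Assumptions: the //sgrp/ group qualifier, a bare directory name as the
directory argument, and the reduced constraint syntax of eval_constraint().
"""
import re
from typing import Callable, Dict, List

Context = Dict[str, str]   # context attributes supplied with an authorization query


def _norm(name: str) -> str:
    """Qualified names may carry a trailing slash (//user/wles/system/); drop it."""
    return name.strip().rstrip("/")


def _parts(name: str) -> List[str]:
    """'//user/wles/system/' -> ['user', 'wles', 'system']"""
    return _norm(name).lstrip("/").split("/")


def resource_is_child(c: str, p: str, d: bool = True) -> bool:
    """Is c a child of p? d=True (the default): direct child only; d=False: any depth."""
    c, p = _norm(c), _norm(p)
    if not c.startswith(p + "/"):
        return False
    return "/" not in c[len(p) + 1:] if d else True


def subject_in_directory(s: str, d: str) -> bool:
    """Name-based only: neither the subject nor the directory has to exist."""
    parts = _parts(s)
    return len(parts) >= 3 and parts[0] in ("user", "sgrp") and parts[1] == _norm(d)


def subject_is_user(s: str) -> bool:
    return _parts(s)[0] == "user"


def subject_is_group(s: str) -> bool:
    return _parts(s)[0] == "sgrp"      # group qualifier is an assumption


def subject_is_role(s: str) -> bool:
    return _parts(s)[0] == "role"


def action_is_privilege(a: str) -> bool:
    return _parts(a)[0] == "priv"


def action_is_role(a: str) -> bool:
    return _parts(a)[0] == "role"


FUNCTIONS: Dict[str, Callable[..., bool]] = {
    f.__name__: f for f in (resource_is_child, subject_in_directory, subject_is_group,
                            subject_is_user, subject_is_role, action_is_privilege,
                            action_is_role)
}
_CALL = re.compile(r"^(\w+)\s*\((.*)\)$")


def _resolve(arg: str, ctx: Context):
    """An argument is a boolean literal, a context attribute name, or a literal name."""
    arg = arg.strip()
    if arg.lower() in ("true", "false"):
        return arg.lower() == "true"
    return ctx.get(arg, arg)


def eval_constraint(constraint: str, ctx: Context) -> bool:
    """Evaluate the text between 'if' and ';' of a rule, reduced here to
    evaluation-function calls joined by 'and' (plus the literal 'true')."""
    for term in re.split(r"\s+and\s+", constraint.strip()):
        if term.lower() == "true":
            continue
        m = _CALL.match(term)
        if not m or m.group(1) not in FUNCTIONS:
            raise ValueError(f"unsupported constraint term: {term!r}")
        raw = m.group(2)
        args = [_resolve(a, ctx) for a in raw.split(",")] if raw.strip() else []
        if not FUNCTIONS[m.group(1)](*args):
            return False
    return True


if __name__ == "__main__":
    # Constructed context of a delete query on Identity/Subject/User by the system user.
    ctx = {"resource": "//app/policy/WLES/admin/Identity/Subject/User",
           "subject_name": "//user/wles/system/"}
    print(eval_constraint("resource_is_child(resource, //app/policy/WLES/admin/Identity, false)"
                          " and subject_in_directory(subject_name, wles)", ctx))
```

Note the default of resource_is_child: with d omitted, a rule constraint written on an ancestor two levels up evaluates to false, which is the usual surprise when a rule that "should" match does not.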


 

Authorization Queries

Now that you have an understanding of the elements that make up the administration policy, it is important to understand when the administration system performs authorization queries and what contextual attribute data is supplied with that query. This is the data that you may reference when writing rules to protect the Administration Application.

Table 3-5 Authorization Queries

Admin Resource

Privilege

Context attributes

Description

Declaration/Attribute

create

declaration

Queried when user attempts to create a new attribute declaration.


delete

declaration

Queried when user attempts to delete an attribute declaration.


rename

declaration, new_name

Queried when user attempts to rename an attribute declaration.


modify

declaration

Queried when user attempts to modify an attribute declaration.

Declaration/
Constant

create

declaration, value

Queried when user attempts to create a new constant.


delete

declaration, value

Queried when user attempts to delete a constant.


rename

declaration, value, new_name

Queried when user attempts to rename a constant.


modify

declaration, value, new_value

Queried when user attempts to modify a constant.

Declaration/ Enumeration

create

declaration, value

Queried when user attempts to create a new enumeration.


delete

declaration, value

Queried when user attempts to delete an enumeration.


rename

declaration, value, new_name

Queried when user attempts to rename an enumeration.


modify

declaration, value, new_value

Queried when user attempts to modify an enumeration.

Declaration/Evaluation Function

create

declaration

Queried when user attempts to create an evaluation function.


delete

declaration

Queried when user attempts to delete an evaluation function.


rename

declaration, new_name

Queried when user attempts to rename an evaluation function.

Identity/Directory/ Instance

create

directory

Queried when user attempts to create a directory.


delete

directory

Queried when user attempts to delete a directory.


cascade Delete

directory

Queried when user attempts to delete a directory and all its users.


rename

directory, new_name

Queried when user attempts to rename a directory.

Identity/Directory/ AttributeMapping/ Single

create

attribute, default_value, directory

Queried when user attempts to add a scalar attribute to an attribute schema of a directory.


delete

attribute, default_value, directory

Queried when user attempts to delete a scalar attribute from an attribute schema of a directory.


modify

attribute, default_value, directory, new_default_value

Queried when user attempts to modify a scalar attribute in an attribute schema for a directory.

Identity/Directory/ AttributeMapping/ List

create

attribute, default_value, directory

Queried when user attempts to add a vector attribute to an attribute schema of a directory.


delete

attribute, default_value directory

Queried when user attempts to delete a vector attribute from an attribute schema of a directory.


modify

attribute, default_value, directory, new_default_value

Queried when user attempts to modify a vector attribute in an attribute schema of a directory.

Identity/Subject/User

create

subject_name

Queried when user attempts to create a new user.


copy

subject_name, new_subject_name

Queried when user attempts to copy a user.


delete

subject_name

Queried when user attempts to delete a user.


cascade Delete

subject_name

Queried when user attempts to cascade a user and all rules associated with the user.


rename

subject_name, new_subject_name

Queried when user attempts to rename a user.

Identity/Subject/Group

create

subject_name

Queried when user attempts to create a new group.


delete

subject_name

Queried when user attempts to delete a group.


rename

subject_name, new_subject_name

Queried when user attempts to rename a group.


addMember

subject_name, member_subject

Queried when user attempts to add a member to a group.


remove Member

subject_name, member_subject

Queried when user attempts to remove a member from a group.

Identity/Subject/ Attribute Assignment/ Single

create

attribute, value, subject_name

Queried when user attempts to set a value to a currently unset scalar subject attribute.


delete

attribute, value, subject_name

Queried when user attempts to unset a currently set scalar subject attribute.


modify

attribute, value, subject_name, new_value

Queried when user attempts to modify the value of a currently set scalar subject attribute.

Identity/Subject/ AttributeAssignment/ List

create

attribute, value, subject_name

Queried when user attempts to set a value to a currently unset vector subject attribute.


delete

attribute, value, subject_name

Queried when user attempts to unset a currently set vector subject attribute.


modify

attribute, value, subject_name, new_value

Queried when user attempts to modify the value of a currently set vector subject attribute.

Identity/Subject/
Password

modify

subject_name

Queried when user attempts to modify the password for a user. The subject_name attribute contains the name of the user for which the password is associated.

Resource/Instance

create

resource, resource_type

Queried when user attempts to create a new resource.


delete

resource

Queried when user attempts to delete a resource.


cascade Delete

resource

Queried when user attempts to cascade delete a resource. This includes deletion of all child resources and associated rules.


rename

resource, new_name

Queried when user attempts to rename a resource.

Resource/Attribute
Assignment/ Single

create

attribute, resource, value

Queried when user attempts to set a value to a currently unset scalar resource attribute.


delete

attribute, resource, value

Queried when user attempts to unset a currently set scalar resource attribute.


modify

attribute, resource, value, new_value

Queried when user attempts to modify the value of a currently set scalar resource attribute.

Resource/Attribute
Assignment/ List

create

attribute, resource, value

Queried when user attempts to set a value to a currently unset vector resource attribute.


delete

attribute, resource, value

Queried when user attempts to unset a currently set vector resource attribute.


modify

attribute, resource, value, new_value

Queried when user attempts to modify the value of a currently set vector resource attribute.

Resource/MetaData/
IsApplication

modify

resource, value, new_value

Queried when user attempts to toggle the "is application" resource metadata.

Resource/MetaData/
IsDistributionPoint

modify

resource, value, new_value

Queried when user attempts to toggle the "is distribution point" resource metadata.

Resource/MetaData/
Logical Name

create

logical_name, resource

Queried when user attempts to create a logical name for a resource.


delete

logical_name, resource

Queried when user attempts to delete a logical name for a resource.


rename

logical_name, resource, new_name

Queried when user attempts to rename a logical name for a resource.

Policy/Rule/Grant

create

action, resource, subject_name, constraint

Queried when user attempts to create a new grant rule. "action", "resource", and "subject_name" attributes are lists.


delete

action, resource, subject_name, constraint

Queried when user attempts to delete a grant rule. The "action", "resource", and "subject_name" attributes are lists.


modify

action, resource, subject_name, constraint, new_action, new_resource, new_subject_name, new_constraint

Queried when user attempts to modify a grant rule.The "action", "resource", and "subject_name" attributes are lists.

Policy/Rule/Deny

create

action, resource, subject_name, constraint

Queried when user attempts to create a new deny rule. "action", "resource", and "subject_name" attributes are lists.


delete

action, resource, subject_name, constraint

Queried when user attempts to delete a deny rule. The "action", "resource", and "subject_name" attributes are lists.


modify

action, action_type, resource, subject_name, subject_type, constraint, new_effect, new_action, new_action_type, new_resource, new_subject_name, new_subject_type, new_constraint

Queried when user attempts to modify a deny rule. The "action", "resource", and "subject_name" attributes are lists.

Policy/Rule/Delegate

create

action, resource, subject_name, delegator, constraint

Queried when user attempts to create a new delegate rule. "action", "resource", and "subject_name" attributes are lists.


delete

action, resource, subject_name, delegator, constraint

Queried when user attempts to delete a delegate rule. The "action", "resource", and "subject_name" attributes are lists.


modify

action, resource, subject_name, delegator, constraint, new_action, new_resource, new_subject_name, new_delegator, new_constraint

Queried when user attempts to modify a delegate rule. The "action", "resource", and "subject_name" attributes are lists.

Policy/Action/Role/
Instance

create

action

Queried when user attempts to create a new role.


delete

action

Queried when user attempts to delete a role.


rename

action, new_name

Queried when user attempts to rename a role.

Policy/Action/
Privilege/Instance

create

action

Queried when user attempts to create a privilege.


delete

action

Queried when user attempts to delete a privilege.


rename

action, new_name

Queried when user attempts to rename a privilege.

Policy/Action/
Privilege/Group

create

action_group

Queried when user attempts to create a privilege group.


delete

action_group

Queried when user attempts to delete a privilege group.


rename

action_group, new_name

Queried when user attempts to rename a privilege group.


addMember

action_group, action

Queried when user attempts to add a privilege to a privilege group.


remove Member

action_group, action

Queried when user attempts to remove a privilege from a privilege group.

Policy/Analysis/
Inquiry Query

create

title, owner, effect_type, subjects, actions, resources, delegator

Queried when user attempts to create a new policy query.


delete

title, owner

Queried when user attempts to delete a policy query.


modify

title, owner, effect_type, subjects, actions, resources, delegator

Queried when user attempts to modify a policy query.


execute

title, owner, effect_type, subjects, actions, resources, delegator

Queried when user attempts to execute a policy query. If this is an unsaved query "title" and "owner" will be set to an emptystring.

Policy/Analysis/
Verification Query

create

title, owner, actions, resources

Queried when user attempts to create a new policy verification query.


delete

title, owner

Queried when user attempts to delete a policy verification query.


modify

title, owner, actions, resources

Queried when user attempts to modify a policy verification query.


execute

title, owner, actions, resources

Queried when user attempts to execute a policy verification query. If this is an unsaved query "title" and "owner" will be set to an emptystring.

Policy/Repository

deploy Update

resource, directory

Queried when user attempts to deploy a policy update.

"resource" is the distribution node and all nodes below it may be effected. This check is made for each chosen distribution point.


deploy Structural Change

deleted_directories, deployed_engines, deleted_engines, deleted_bindings, deleted_applications

Queried when user attempts to deploy a structural change.

Infrastructure/Engines/ARME

create

engine

Queried when user attempts to create a new Security Service Module.


delete

engine

Queried when user attempts to delete a Security Service Module.


rename

engine, new_name

Queried when user attempts to rename a Security Service Module.


bind

engine, resource

Queried when user attempts to bind a resource to a Security Service Module.


unbind

engine, resource

Queried when user attempts to unbind a resource from a Security Service Module.

Infrastructure/Engines/SCM

create

engine

Queried when user attempts to create a Service Control Manager.


delete

engine

Queried when user attempts to delete a Service Control Manager.


rename

engine, new_name

Queried when user attempts to rename a Service Control Manager.


bind

engine, resource

Queried when user attempts to bind a Security Service Module to a Service Control Manager. The "resource" contains the name of the Security Service Module.


unbind

engine, resource

Queried when user attempts to unbind a Security Service Module from a Service Control Manager. The "resource" contains the name of the Security Service Module.

Infrastructure/Management/Console

login


Queried when user attempts to login to the Administration Console.

Infrastructure/Management/Loader

login


Queried when user attempts to login to the Policy Import tool.


Enumerated Types

Table 3-6 lists the name of each enumerated type used in the Admin policy.

Table 3-6 Enumerated Types

Name

Values

Description

attribute_usage_type_enum

(resource_attribute, subject_attribute, dynamic_attribute)

Specifies the valid usage for attributes.

subject_type_enum

(user_subject, group_subject, role_subject)

Specifies the valid subject types.

action_type_enum

(privilege_action, role_action)

Specifies the valid action types.

resource_type_enum

(organizational_resource, bindable_resource, component_resource)

Specifies the valid resource types.

effect_type_enum

(grant_effect, deny_effect, delegate_effect)

Specifies the valid effect types.


Default Admin Policy

Rules define capabilities that ultimately control what operations a user is allowed to perform within the Administration Application. The admin policy provided with the product defines a default set of capabilities.

Table 3-7 lists and describes the rules included in the default admin policy.

Table 3-7 Default Admin Policy Rules 

Default Rule

Description

grant(//priv/delete, //app/policy/WLES/admin,
//role/Admin) if true;

Grants members of the Admin role the ability to delete any policy element.

grant(//priv/cascadeDelete, //app/policy/WLES/admin,
//role/Admin) if true;

Grants members of the Admin role the ability to perform the cascadeDelete operation on any policy element. Specifically, cascadeDelete applies to deletion of directories and resource hierarchies.

grant(//priv/rename, //app/policy/WLES/admin,
//role/Admin) if true;

Grants members of the Admin role the ability to rename any policy element.

grant(//priv/deployStructuralChange, //app/policy/WLES/admin/Policy/Repository, //role/Admin) if true;

Grants members of the Admin role the ability to deploy structural changes.

grant(//priv/login, //app/policy/WLES/admin/Infrastructure/
Management/Loader, //role/Admin) if true;

Grants members of the Admin role the ability to use the policy loader tool.

grant(//priv/copy, //app/policy/WLES/admin/Identity/
Subject/User, //role/Admin) if true;

Grants members of the Admin role the ability to copy any policy element.

grant([//priv/bind,//priv/unbind], //app/policy/WLES/admin/Infrastructure/
Engines, //role/Admin) if true;

Grants members of the Admin role the ability to bind and unbind resources and configuration to ARMEs and SCMs respectively.

grant(//priv/deployUpdate, //app/policy/WLES/admin/Policy/Repository, [//role/Admin,//role/Deployer]) if true;

Grants members of the Admin and Deployer roles the ability to deploy policy updates.

grant(//priv/modify, //app/policy/WLES/admin, [//role/Admin,//role/Deployer]) if true;

Grants members of the Admin and Deployer roles the ability to modify any policy element.

grant(//priv/view, //app/policy/WLES/admin, [//role/Admin,//role/Monitor,
//role/Operator,//role/Deployer]) if true;

Grants members of the Admin, Monitor, Operator, and Deployer roles the ability to view any policy element.

grant(//priv/listAll, //app/policy/WLES/admin, [//role/Admin,//role/Monitor,
//role/Operator,//role/Deployer]) if true;

Grants members of the Admin, Monitor, Operator, and Deployer roles the ability to perform the listAll operation on any policy element.

grant(//priv/modify, //app/policy/WLES/admin/Identity/Subject/
Password, //role/Everyone)
if subject_name = sys_user_q;

Grants members of the Everyone role the ability to modify their own password. Notice that members of the Admin and Deployer roles can modify the password of any user.

grant(//priv/create, [//app/policy/WLES/admin/Declaration,
//app/policy/WLES/admin/Identity,
//app/policy/WLES/admin/Infrastructure,
//app/policy/WLES/admin/Resource], //role/Admin) if true;

grant(//priv/create, [//app/policy/WLES/admin/Policy/Action,
//app/policy/WLES/admin/Policy/Analysis, //app/policy/WLES/admin/Policy/Rule/
Delegate,
//app/policy/WLES/admin/Policy/Rule/Grant], //role/Admin) if true;

Grants members of the Admin role the ability to create most policy elements. The only type of policy element not included in this list is the deny rule:

//app/policy/WLES/admin/Policy/
Rule/Deny

so the Admin role is not granted the ability to create deny rules.

grant([//priv/create,//priv/modify,
//priv/view], //app/policy/WLES/admin/Policy/Analysis,
[//role/Admin,//role/Monitor,
//role/Operator,//role/Deployer]) if owner = sys_user_q;

Grants members of the Admin, Monitor, Operator, and Deployer roles the ability to create, modify, and view policy analysis queries that they own.

grant(//priv/execute, //app/policy/WLES/admin/Policy/Analysis, [//role/Admin,//role/Monitor,
//role/Operator,//role/Deployer])
if owner = sys_user_q or owner = "";

Grants members of the Admin, Monitor, Operator, and Deployer roles the ability to execute policy analysis queries that they own, or that have no owner.

grant([//priv/addMember,//priv/
removeMember], //app/policy/WLES/admin, [//role/Admin,//role/Deployer]) if true;

Grants members of the Admin and Deployer roles the ability to add members to, and remove members from, subject groups and privilege groups.

grant(//role/Everyone, //app/policy/WLES, //sgrp/wles/allusers/) if true;

Assigns all members of the WLES directory to the Everyone role.

grant(//role/Admin, //app/policy/WLES, //user/wles/system/) if true;

Assigns the system user to the Admin role.

grant(//role/Anonymous, //app/policy/WLES, //user/wles/anonymous/);

Assigns anonymous users the Anonymous role.

Note: All unauthenticated users are members of the Anonymous role.


Example Policy Customizations

The default admin policy is intended to be customized to meet an individual customer's needs. Because dynamic roles may be granted contextually, you can make a user a member of a role within a limited scope. For example, you can make user Joe a member of the Admin role, but only over resources.

grant(//role/Admin, //app/policy/WLES/admin/Resource, //user/wles/Joe/) if true;

This allows Joe to act as an Administrator over resources, but does not give him rights to write policy.

To make your rule more explicit, you can let user Bob be an Administrator when modifying any policy element for a certain application. For an application whose resources are rooted at //app/policy/PetStore, you can define the following rule.

grant(//role/Admin, //app/policy/WLES/admin, //user/wles/Bob/) if sys_defined(resource) and resource_is_child(resource, //app/policy/PetStore, no);

This allows Bob to act in the Admin role for any admin policy query involving the PetStore.
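The two-step check that the Joe and Bob rules rely on (first map the caller to roles within a scope and under a condition, then test whether a mapped role holds the privilege on the admin resource), as an added example and not code from the BEA product. The request-context keys (resource, sys_defined) and the strict-descendant reading of resource_is_child(resource, parent, no) are assumptions made for this illustration.

```python
# Added example, not part of the BEA guide: a toy evaluator for the admin
# policy's role mapping followed by the privilege check. The context keys and
# the semantics of resource_is_child(..., no) are assumptions, not the real engine.
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Ctx = Dict[str, str]  # constructed request context, e.g. {"resource": "..."}


@dataclass
class Rule:
    grant: str                 # "//role/Admin" or "//priv/modify"
    scope: str                 # admin resource node the rule is attached to
    subject: str               # user, group or role the rule applies to
    cond: Callable[[Ctx], bool] = lambda ctx: True   # "if true" by default


def resource_is_child(resource: str, parent: str, include_self: bool = False) -> bool:
    """Assumed model of resource_is_child(resource, parent, no): strict descendant."""
    if resource == parent:
        return include_self
    return resource.startswith(parent + "/")


def in_scope(scope: str, resource: str) -> bool:
    """A rule attached to a node covers that node and every node below it."""
    return resource == scope or resource.startswith(scope + "/")


def map_roles(rules: List[Rule], user: str, resource: str, ctx: Ctx) -> Set[str]:
    """Dynamic role mapping: roles whose rule matches this user, scope and context."""
    return {r.grant for r in rules
            if r.grant.startswith("//role/") and r.subject == user
            and in_scope(r.scope, resource) and r.cond(ctx)}


def is_granted(rules: List[Rule], user: str, priv: str, resource: str, ctx: Ctx) -> bool:
    """Access decision: some mapped role holds priv on a scope covering resource."""
    roles = map_roles(rules, user, resource, ctx)
    return any(r.grant == priv and r.subject in roles
               and in_scope(r.scope, resource) and r.cond(ctx) for r in rules)


ADMIN = "//app/policy/WLES/admin"
RULES = [  # the guide's Joe and Bob rules plus the default modify grant to Admin
    Rule("//priv/modify", ADMIN, "//role/Admin"),
    Rule("//role/Admin", ADMIN + "/Resource", "//user/wles/Joe/"),
    Rule("//role/Admin", ADMIN, "//user/wles/Bob/",
         lambda ctx: "resource" in ctx                      # sys_defined(resource)
         and resource_is_child(ctx["resource"], "//app/policy/PetStore")),
]
```

With these rules Bob is mapped to Admin only while the policy element being edited lies under //app/policy/PetStore, and Joe only while the admin resource lies under //app/policy/WLES/admin/Resource.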

Now that you understand the basic rules involved in constructing the Admin Policy, see "Securing Resources and Defining Policy Rules" in the BEA WebLogic Enterprise Security Policy Managers Guide for additional information on how to implement rules.