This appendix describes the elements and attributes in system-jazn-data.xml, which is the default store for file-based identity and policy stores in Oracle Platform Security Services.
Note:
The file-based identity store is supported for JavaSE applications only.This appendix covers the following topics:
This section shows the element hierarchy of system-jazn-data.xml, or an application-specific jazn-data.xml file. The direct subelements of the <jazn-data> root element are:
<jazn-realm>
<policy-store>
<jazn-policy>
Note:
The<jazn-principal-classes> and <jazn-permission-classes> elements and their subelements may appear in the system-jazn-data.xml schema definition as subelements of <policy-store>, but are for backward compatibility only.Table B-1 Hierarchy of Elements in system-jazn-data.xml
| Hierarchy | Description |
|---|---|
<jazn-data> |
This is the top-level element in the |
<jazn-realm> {0 or 1}
<realm> {0 or more}
<name> {1}
<users> {0 or 1}
<user> {0 or more}
<name> {1}
<display-name> {0 or 1}
<description> {0 or 1}
<guid> {0 or 1}
<credentials> {0 or 1}
<roles> {0 or 1}
<role> {0 or more}
<name> {1}
<display-name> {0 or 1}
<description> {0 or 1}
<guid> {0 or 1}
<members> {0 or 1}
<member> {0 or more}
<type> {1}
<name> {1}
<owners> {0 or 1}
<owner> {0 or more}
<type> {1}
<name> {1}
|
The |
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
| <app-role> {1 or more}
| <name> {1}
| <class> {1}
| <display-name> {0 or 1}
| <description> {0 or 1}
| <guid> {0 or 1}
| <uniquename> {0 or 1}
| <extended-attributes> {0 or 1}
| | <attribute> {1 or more}
| | <name> {1}
| | <values> {1}
| | <value> {1 or more}
| <members> {0 or 1}
| <member> {1 or more}
| <name> {1}
| <class> {1}
| <uniquename> {0 or 1}
| <guid> {0 or 1}
<role-categories>
| <role-category>
| <name>
| <description>
| <members>
| <role-name-ref>
<resource-types>
| <resource-type>
| <name>
| <display-name>
| <description>
| <provider-name>
| <matcher-class>
| <actions-delimiter>
| <actions>
<resources>
| <resource>
| <name>
| <display-name>
| <description>
| <type-name-ref>
<permission-sets>
| <permission-set>
| <name>
| <member-resources>
| <member-resource>
| <resource-name>
| <type-name-ref>
| <actions>
<jazn-policy> {0 or 1}
| <grant> {0 or more}
| <description> {0 or 1}
| <grantee> {0 or 1}
| | <principals> {0 or 1}
| | <principal> {0 or more}
| | <name> {1}
| | <class> {1}
| | <uniquename> {0 or 1}
| | <guid> {0 or 1}
| | <codesource> {0 or 1}
| | <url> {1}
| <permissions> {0 or 1}
| <permission> {1 or more}
| <class> {1}
| <name> {0 or 1}
| <actions> {0 or 1}
|
The When
|
<jazn-policy> {0 or 1}
<grant> {0 or more}
<description> {0 or 1}
<grantee> {0 or 1}
| <principals> {0 or 1}
| <principal> {0 or more}
| <name> {1}
| <class> {1}
| <uniquename> {0 or 1}
| <guid> {0 or 1}
| <codesource> {0 or 1}
| <url> {1}
<permissions> {0 or 1}
<permission> {1 or more}
<class> {1}
<name> {0 or 1}
<actions> {0 or 1}
<permission-sets>
| <permission-set>
| <name>
|
When the
|
This section describes the elements and attributes in the system-jazn-data.xml file.
Notes:
You can update most settings in system-jazn-data.xml through Oracle Enterprise Manager Fusion Middleware Control.
This element specifies actions that are permitted with respect to the associated permission class and name. Values are case-sensitive and are specific to each Permission implementation. Examples of actions include "invoke" and "read,write".
None
Optional, zero or one:
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} ... <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy> for examples.
This element represents the character used to separate the <actions> of the associated resource type.
<name>, <display-name>, <description>, <actions><roles>, <users>
Optional, zero or more
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
...
<role-categories>
...
<resource-types>
<resource-type>
<name>
<display-name>
<description>
<provider-name>
<matcher-class>
<actions-delimiter>
<actions>
See Section 17.2.1.2.2, "Resource Permissions" for an example.
This element configures roles for an application.
Required subelements specify the following:
<name> specifies the name of the application role.
<class> specifies the fully qualified name of the class implementing the application role.
Optional subelements can specify the following:
<description> provides more information about the application role.
<display-name> specifies a display name for the application role, such as for use by GUI interfaces.
<guid> specifies a globally unique identifier to reference the application role. This is for internal use only.
<members> specifies the users, roles, or other application roles that are members of this application role.
<uniquename> specifies a unique name to reference the application role. This is for internal use only.
<class>, <description>, <display-name>, <guid>, <members>, <name>, <uniquename>
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
See <policy-store> for examples.
This is the parent element for <app-role> elements, which configure roles for an application.
Optional, zero or one:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ...
See <policy-store> for examples.
This element configures roles and policies for an application.
Required subelements specify the following information for an application:
<name> specifies the name of the application.
Optional subelements can specify the following:
<description> provides information about the application and its roles and policies.
<app-roles> specifies any application-level roles
<jazn-policy> specifies any application-level policies.
<app-roles>, <description>, , <jazn-policy>, <name>, <permission-sets>, <resource-types>, <resources>, <role-categories>
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ...
See <policy-store> for examples.
This is the parent element for <application> elements, which configure roles and policies for an application.
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} ...
See <policy-store> for an example.
This element specifies an additional attribute to associate with the application role.
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <guid> {0 or 1}
This element takes a string value and has several uses, depending on its location in the file:
Within the <app-role> element, <class> specifies the fully qualified name of the class implementing the application role.
<app-role> ... <class>oracle.security.jps.service.policystore.ApplicationRole</class>
Within the <member> element, <class> specifies the fully qualified name of the class implementing the role member.
<app-role>
...
<members>
<member>
...
<class>
weblogic.security.principal.WLSUserImpl
</class>
Within the <permission> element (for granting permissions to a principal), <class> specifies the fully qualified name of the class implementing the permission. Values are case-insensitive.
<jazn-policy>
<grant>
...
<permissions>
<permission>
<class>java.io.FilePermission</class>
Within the <principal> element (for granting permissions to a principal), it specifies the fully qualified name of the principal class, which is the class that is instantiated to represent a principal that is being granted a set of permissions.
<jazn-policy>
<grant>
...
<grantee>
<principals>
<principal>
...
<class>oracle.security.jps.service.policystore.TestUser</class>
<app-role>, <member>, <principal>, or <permission>
None
Required, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} ... <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy> and <policy-store> for examples.
This element specifies a codesource URL to which permissions are being granted as part of a policy configuration.
The policy configuration can also include a <principals> element, in addition to the <codesource> element. Both elements are children of a <grantee> element and they specify who or what the permissions in question are being granted to.
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy> for examples.
This element contains the authentication password for a user. The credentials are in obfuscated form by default.
None
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1}
See <jazn-realm> for examples.
This element contains a text string to provide more information about an item. An item can be an application role, application policy, permission grant, security role, or user, depending on the parent element.
<app-role>, <application>, <grant>, <role>, or <user>
None
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} ... <description> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} ... <description> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ... <description> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1}
The fmwadmin user might have the following description:
<description>User with administrative privileges</description>
See <jazn-realm> for additional examples.
This element specifies an item's name that can be used for display by a GUI tool. An item can be an application role, user, or enterprise group, depending on the parent element.
<app-role>, <role>, or <user>
None
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1}
The fmwadmin user might have the following display name:
<display-name>Administrator</display-name>
See <jazn-realm> for additional examples.
This element specifies additional attributes associated with the application role.
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<app-roles>
<app-role>
<name>Knight</name>
<display-name>Fellowship For the Ring</display-name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<extended-attributes>
<attribute>
<name>SCOPE</name>
<values>
<value>Part-I</value>
</values>
</attribute>
</extended-attributes>
</app-role>
This element contains elements that assign a set of permissions to a grantee (a codesource, or a set of principals, or both) as part of a policy configuration.
<description>, <grantee>, <permissions>, <permission-sets>
Optional, zero or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy> for examples.
This element is used in conjunction with a parallel <permissions> element to specify who or what the permissions are granted to: a set of principals, a codesource, or both.
This is used for policy configuration.
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy> for examples.
This element is for internal use. It specifies a globally unique identifier (GUID) to reference the item.
Depending on the parent element, the item to be referenced may be an application role, application role member, principal, enterprise group, or user. It is typically used with an LDAP provider to uniquely identity the item (a user, for example). A GUID is sometimes generated and used internally by Oracle Platform Security Services, such as in migrating a user or role to a different security provider. It is not an item that you would set yourself.
<app-role>, <member>, <principal>, <role>, or <user>
None
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} ...
See <jazn-realm> for examples.
This is the top-level element in the system-jazn-data.xml file-based identity and policy store.
| Name | Description |
|---|---|
schema-major-version |
Specifies the major version number of the system-jazn-data.xml XSD. The value of this attribute is fixed at 11 for use with Oracle Fusion Middleware 11g. |
schema-minor-version |
Specifies the minor version number of the system-jazn-data.xml XSD. The value of this attribute is fixed at 0 for use with the Oracle Fusion Middleware 11.1.1 implementation. |
n/a
<jazn-policy>, <jazn-realm>, <policy-store>
Required, one only
<jazn-data ... > {1} <jazn-realm> {0 or 1} ...
<policy-store> {0 or 1}
...
<jazn-policy> {0 or 1}
...
<jazn-data
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation=
"http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd">
...
</jazn-data
This element configures policy grants that associate grantees (principals or codesources) with permissions.
This element can appear in two different locations in the system-jazn-data.xml file:
Under the <jazn-data> element, it specifies global policies.
Under the <application> element, it specifies application-level policies.
Optional, zero or one
<jazn-data> {1} <jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} ... <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
<jazn-policy>
<grant>
<grantee>
<principals>
<principal>
<class>
oracle.security.jps.service.policystore.TestUser
</class>
<name>jack</name>
</principal>
<principal>
<class>
oracle.security.jps.service.policystore.TestUser
</class>
<name>jill</name>
</principal>
</principals>
<codesource>
<url>http://www.oracle.com/policyOnly</url>
</codesource>
</grantee>
<permissions>
<permission>
<class>oracle.security.jps.JpsPermission</class>
<name>getContext</name>
</permission>
<permission>
<class>java.io.FilePermission</class>
<name>/foo</name>
<actions>read,write</actions>
</permission>
</permissions>
</grant>
</jazn-policy>
<jazn-policy>
<grant>
<grantee>
<principals>
<principal>
<class>
oracle.security.jps.service.policystore.TestAdminRole
</class>
<name>Farm=farm1,name=FullAdministrator</name>
</principal>
</principals>
<codesource>
<url>file://some-file-path</url>
</codesource>
</grantee>
<permissions>
permission>
<class>javax.management.MBeanPermission</class>
<name>
oracle.as.management.topology.mbeans.InstanceOperations#getAttribute
</name>
<actions>invoke</actions>
</permission>
</permissions>
</grant>
</jazn-policy>
This element specifies security realms, and the users and enterprise groups (as opposed to application-level roles) they include.
This is the top-level element for user and role information.
| Name | Description |
|---|---|
default |
Specifies which of the realms defined under this element is the default realm. The value of this attribute must match a <name> value under one of the <realm> subelements.
Values: string Default: n/a (required) |
Optional, zero or one
<jazn-data> {1} <jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} ...
<jazn-data ... >
...
<jazn-realm default="jazn.com">
<realm>
<name>jazn.com</name>
<users>
<user deactivated="true">
<name>anonymous</name>
<guid>61FD29C0D47E11DABF9BA765378CF9F3</guid>
<description>The default guest/anonymous user</description>
</user>
<user>
<name>developer1</name>
<credentials>!password</credentials>
</user>
<user>
<name>developer2</name>
<credentials>!password</credentials>
</user>
<user>
<name>manager1</name>
<credentials>!password</credentials>
</user>
<user>
<name>manager2</name>
<credentials>!password</credentials>
</user>
<!-- these are for testing the admin role hierachy. -->
<user>
<name>farm-admin</name>
<credentials>!password</credentials>
</user>
<user>
<name>farm-monitor</name>
<credentials>!password</credentials>
</user>
<user>
<name>farm-operator</name>
<credentials>!password</credentials>
</user>
<user>
<name>farm-auditor</name>
<credentials>!password</credentials>
</user>
<user>
<name>farm-auditviewer</name>
<credentials>!password</credentials>
</user>
</users>
<roles>
<role>
<name>users</name>
<guid>31FD29C0D47E11DABF9BA765378CF9F7</guid>
<display-name>users</display-name>
<description>users role for rmi/ejb access</description>
</role>
<role>
<name>ascontrol_appadmin</name>
<guid>51FD29C0D47E11DABF9BA765378CF9F7</guid>
<display-name>ASControl App Admin Role</display-name>
<description>
Application Administrative role for ASControl
</description>
</role>
<role>
<name>ascontrol_monitor</name>
<guid>61FD29C0D47E11DABF9BA765378CF9F7</guid>
<display-name>ASControl Monitor Role</display-name>
<description>Monitor role for ASControl</description>
</role>
<role>
<name>developers</name>
<members>
<member>
<type>user</type>
<name>developer1</name>
</member>
<member>
<type>user</type>
<name>developer2</name>
</member>
</members>
</role>
<role>
<name>managers</name>
<members>
<member>
<type>user</type>
<name>manager1</name>
</member>
<member>
<type>user</type>
<name>manager2</name>
</member>
</members>
</role>
</roles>
</realm>
</jazn-realm>
...
</jazn-data>
This element represents the fully qualified name of the class representing a resource type; queries for resources of this type delegate to this matcher class. Values are case-sensitive.
None
Optional, zero or more
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
...
<role-categories> {0 or 1}
...
<resource-types> {0 or 1}
<resource-type> {1 or more}
<name> {1}
<display-name> {1}
<description> {0 or 1}
<provider-name> {1}
<matcher-class> {1}
<actions-delimiter> {1}
<actions> {1 or more}
See Section 17.2.1.2.1, "Resource Type" for an example.
This element can be found under a <role> or <app-role> element:
When under a <role> element, it specifies a member of the enterprise group. A member can be a user or another enterprise group. The <name> subelement specifies the name of the member, and the <type> subelement specifies whether the member type (a user or an enterprise group).
When under an <app-role> element, it specifies a member of the application role. A member can be a user, an enterprise group, or an application role. The <name> subelement specifies the name of the member, and the <class> subelement specifies the class that implements it. The member type is determined through the <class> element.
Optional subelements include <uniquename> and <guid>, which specify a unique name and unique global identifier; these optional subelements are for internal use only.
When under a <role> element, the <member> element has the following child elements: <name>, <type>
When under an <app-role> element, the <member> element has the following child elements: <name>, <class>, <uniquename>, <guid>
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
See <jazn-realm> and <policy-store> for examples.
This element represents resources for a permission set.
<resource-name>, <type-name-ref>, <actions>
Required within <member-resources>, one or more.
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
...
<role-categories>
...
<permission-sets>
<permission-set>
<name>
<member-resources>
<member-resource>
<resource-name>
<type-name-ref>
<actions>
See Section 17.2.1.2.4, "Permission Set (or Entitlement)" for an example.
This is the parent element for <member-resource> elements.
Required within <permission-sets>; one or more.
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
...
<role-categories>
...
<permission-sets>
<permission-set>
<name>
<member-resources>
<member-resource>
<resource-name>
<type-name-ref>
<actions>
See Section 17.2.1.2.4, "Permission Set (or Entitlement)" for an example.
This is the parent element for <member> elements.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
See <jazn-realm> and <policy-store> for examples.
This element has different uses, depending on its location in the file:
Within the <app-role> element, it specifies the name of an application-level role in the policy configuration. For example:
<name>Farm=farm1,name=FullAdministrator</name>
Or a simpler example:
<name>Myrolename</name>
Within the <application> element, it specifies the policy context identifier. Typically, this is the name of the application during deployment.
Within the <attribute> element, it specifies the name of an additional attribute for the application-level role.
Within the <member> element, it specifies the name of a member of an enterprise group or application role (depending on where the <member> element is located). For example, if the fmwadmin user is to be a member of the role:
<name>fmwadmin</name>
Within the <owner> element, it specifies the name of an owner of an enterprise group. For example:
<name>mygroupowner</name>
Within the <permission> element, as applicable, it can specify the name of a permission that is meaningful to the permission class. Values are case-sensitive. For example:
<name> oracle.as.management.topology.mbeans.InstanceOperations#getAttribute </name>
Or:
<name>getContext</name>
Within the <principal> element (for granting permissions to a principal), it specifies the name of a principal within the given realm. For example:
<name>Administrators</name>
Within the <realm> element, it specifies the name of a realm. For example:
<name>jazn.com</name>
Within the <role> element, it specifies the name of an enterprise group in a realm. For example:
<name>Administrators</name>
Within the <user> element, it specifies the name of a user in a realm. For example:
<name>fmwadmin</name>
Within the <resource-type> element, it specifies the name of a resource type and is required. For example:
<name>restype1</name>
<app-role>, <application>, <attribute>, <member>, <owner>, <permission>, <principal>, <realm>, <role>, or <user>
None
Required within any parent element other than <permission>, one only; optional within <permission>, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
<application>
<name>peanuts</name>
<app-roles>
<app-role>
<name>snoopy</name>
<display-name>application role snoopy</display-name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<members>
<member>
.......
See <jazn-policy>, <jazn-realm>, and <policy-store> for examples.
This element specifies the owner of the enterprise group, where an owner has administrative authority over the role.
An owner is a user or another enterprise group. The <type> subelement specifies the owner's type. The concept of role (group) owners specifically relates to BPEL or Oracle Internet Directory functionality. For example, in BPEL, a role owner has the capability to create and update workflow rules for the role.
Note:
To create a group owner in Oracle Internet Directory, use the Oracle Delegated Administration Services. For external (third-party) LDAP servers, set values for the group's owner attribute throughldapmodify or tools of the particular directory server.Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
This is the parent element for <owner> elements.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
This element specifies the permission to grant to grantees, where a grantee is a set of principals, a codesource, or both, as part of a policy configuration.
Required within parent element, one or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy> for examples.
This is the parent element for <permission> elements.
The <permissions> element (used in conjunction with a parallel <grantee> element) specifies the permissions being granted, through a set of <permission> subelements.
Note:
Thesystem-jazn-data.xml schema definition does not specify this as a required element, but the Oracle Platform Security runtime implementation requires its use within any <grant> element.Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy> for examples.
This element specifies a set of permissions.
Optional, zero or more
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
...
<role-categories>
...
<permission-sets>
<permission-set>
<name>
<member-resources>
<member-resource>
<resource-name>
<type-name-ref>
<actions>
See Section 17.2.1.2.4, "Permission Set (or Entitlement)" for an example.
This is the parent element for <permission-set>. Permission sets are also known as entitlements.
Optional, zero or more
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
...
<role-categories>
...
<permission-sets>
<permission-set>
<name>
<member-resources>
<member-resource>
<resource-name>
<type-name-ref>
<actions>
See Section 17.2.1.2.4, "Permission Set (or Entitlement)" for an example.
This element configures application-level policies, through an <applications> subelement. Under the <applications> element is an <application> subelement for each application that is to have application-level policies. The policies are specified through a <jazn-policy> subelement of each <application> element.
Note:
The<jazn-principal-classes> and <jazn-permission-classes> elements and their subelements may appear in the system-jazn-data.xml schema definition as subelements of <policy-store>, but are for backward compatibility only.Optional, zero or one
<jazn-data> {1} <policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} ...
<jazn-data ... >
...
<policy-store>
<!-- application policy -->
<applications>
<application>
<name>policyOnly</name>
<jazn-policy>
...
</jazn-policy>
</application>
<application>
<name>roleOnly</name>
<app-roles>
<app-role>
<name>Fellowship</name>
<display-name>Fellowship of the Ring</display-name>
<class>
oracle.security.jps.service.policystore.ApplicationRole
</class>
</app-role>
<app-role>
<name>King</name>
<display-name>Return of the King</display-name>
<class>
oracle.security.jps.service.policystore.ApplicationRole
</class>
</app-role>
</app-roles>
</application>
<application>
<app-roles>
<app-role>
<name>Farm=farm1,name=FullAdministrator</name>
<display-name>farm1.FullAdministrator</display-name>
<guid>61FD29C0D47E11DABF9BA765378CF9F2</guid>
<class>
oracle.security.jps.service.policystore.ApplicationRole
</class>
<members>
<member>
<class>
oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl
</class>
<name>admin</name>
</member>
</members>
</app-role>
</app-roles>
<jazn-policy>
...
</jazn-policy>
</application>
...
</applications>
</policy-store
....
</jazn-data
See <jazn-policy> for examples of that element.
This element specifies a principal being granted the permissions specified in a <permissions> element as part of a policy configuration. Required under <principals>.
Subelements specify the name of the principal and the class that implements it, and optionally specify a unique name and unique global identifier (the latter two for internal use only).
For details about how principal names can be compared, see Section 2.7, "Principal Name Comparison Logic."
<class>, <guid>, <name>, <uniquename>
Optional, zero or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy> for examples.
This is the parent element for <principal> elements.
For policy configuration, a <principals> element and/or a <codesource> element are used under a <grantee> element to specify who or what the permissions in question are being granted to. A <principals> element specifies a set of principals being granted the permissions.
For a subject to be granted these permissions, the subject should include all the specified principals.
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy> for examples.
This element represents the name of a resource type provider. The resource resides in a location external to the OPSS policy store. Values are case-insensitive.
None
Optional, zero or more
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
...
<role-categories>
...
<resource-types>
<resource-type>
<name>
<display-name>
<description>
<provider-name>
<matcher-class>
<actions-delimiter>
<actions>
See Section 17.2.1.2.1, "Resource Type" for an example.
This element specifies a security realm, and the users and roles that belong to the realm.
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} ...
See <jazn-realm> for an example.
This element specifies an application resource and contains information about the resource.
<name>, <description>, <display-name>, <type-name-ref>.
Required under <resources>.
<resources> (0 or more) <resource> (1 or more) <name> (1) <display-name> (1) <description> {0 or 1} <type-name-ref> (1)
This element specifies a collection of application resources.
Optional, zero or more
<resources> (0 or more)
<resource> (1 or more)
<name> (1)
<display-name> (1)
<description> {0 or 1}
<type-name-ref> (1)
This element specifies a member resource in a permission set. Values are case-sensitive.
None
Optional, zero or more
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
...
<role-categories>
...
<permission-sets>
<permission-set>
<name>
<member-resources>
<member-resource>
<resource-name>
<type-name-ref>
<actions>
See Section 17.2.1.2.4, "Permission Set (or Entitlement)" for an example.
This element represents the type of a secured artifact, such as a flow, a job, or a web service. Values are case-insensitive.
<name>, <display-name>, <description>, <actions>, <actions-delimiter>, <matcher-class>, <provider-name>.
Optional, zero or more
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
...
<role-categories>
...
<resource-types>
<resource-type>
<name>
<display-name>
<description>
<provider-name>
<matcher-class>
<actions-delimiter>
<actions>
See Section 17.2.1.2.1, "Resource Type" for an example.
This is the parent element of <resource-type>.
Optional, zero or more
<policy-store> {0 or 1}
<applications> {0 or 1}
<application> {1 or more}
<name> {1}
<description> {0 or 1}
<app-roles> {0 or 1}
...
<role-categories>
...
<resource-types>
<resource-type>
<name>
<display-name>
<description>
<provider-name>
<matcher-class>
<actions-delimiter>
<actions>
See Section 17.2.1.2.1, "Resource Type" for an example.
This element specifies an enterprise security role, as opposed to an application-level role, and the members (and optionally owners) of that role.
<description>, <display-name>, <guid>, <members>, <name>, <owners>
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
See <jazn-realm> for examples.
This is the parent element for <role-category> elements. Each role belongs to a role category.
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> <role-category> <name> <description> <display-name>
See Section 17.2.3.1, "Using the Method checkPermission" for an example.
This element specifies the category to which an application role belongs.
<name>, <display-name>, <description>, <members>
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> <role-category> <name> <description> <display-name> <members>
See Section 17.2.3.1, "Using the Method checkPermission" for an example.
This element represents a role within a role category.
None
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> <role-category> <name> <description> <members> <role-name-ref>
This is the parent element for <role> elements. It specifies the set of enterprise security roles that belong to a security realm.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
See <jazn-realm> for an example.
This element specifies the type of an enterprise group member or role owner: specifically, whether the member or owner is a user or another role:
<type>user</type>
Or:
<type>role</type>
None
Required, one only
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
See <jazn-realm> for examples.
This element represents the resource type of a resource.
None
Required within <resource> or <member-resource>.
<resources> (0 or more)
<resource> (1 or more)
<name> (1)
<display-name> (1)
<description> {0 or 1}
<type-name-ref> (1)
See Section 17.2.1.2.3, "Resource (or Resource Instance)" for an example.
This element, for internal use, takes a string value to specify a unique name to reference the item. (The JpsPrincipal class can use a GUID and unique name, both computed by the underlying policy provisioning APIs, to uniquely identify a principal.) Depending on the parent element, the item could be an application role, application role member (not an enterprise group member), or principal. It is typically used with an LDAP provider to uniquely identity the item (an application role member, for example). A unique name is sometimes generated and used internally by Oracle Platform Security.
The unique name for an application role would be: "appid=application_name, name=actual_rolename". For example:
<principal>
<class>
oracle.security.jps.service.policystore.adminroles.AdminRolePrincipal
</class>
<uniquename>
APPID=App1,name="FARM=D.1.2.3,APPLICATION=PolicyServlet,TYPE=OPERATOR"
</uniquename>
</principal>
<app-role>, <member>, or <principal>
None
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
This element specifies the URL of the codesource being granted the permissions in question. This element is used within a <codesource> element to specify policy grant configuration.
Note the following usage rules:
You cannot restrict permissions to a single class.
Code source url value trailing with ".jar" matches the JAR files in the specified directory.
Code source url value trailing with "/" matches all class files (not JAR files) in the specified directory.
Code source url value trailing with "/*" matches all files (both class and JAR files) in the specified directory.
Code source url value trailing with "/-" matches all files (both class and JAR files) in the specified directory, and recursively matches all subdirectories of that directory.
None
Required within parent element, one only
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
<grant>
<grantee>
<codesource>
<url>http://www.oracle.com</url>
</codesource>
</grantee>
See <jazn-policy> for examples.
This element specifies a user within a realm.
| Name | Description |
|---|---|
deactivated |
Specifies whether the user is valid or not.
Set this attribute to Values: Default: |
<name>, <display-name>, <description>, <guid>, <credentials>
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} ...
See <jazn-realm> for examples.
This is the parent element for the <user> elements. It specifies the set of users who belong to a realm.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} ...
See <jazn-realm> for an example.
This element specifies a value for an attribute. You can specify additional attributes for application-level roles using the <extended-attributes> element.
None
Required within the parent element, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<app-roles>
<app-role>
<name>Knight</name>
<display-name>Fellowship of the Ring</display-name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<extended-attributes>
<attribute>
<name>SCOPE</name>
<values>
<value>Part-I</value>
</values>
</attribute>
</extended-attributes>
</app-role>
This is the parent element for the <value> elements, each of which specify a value for an attribute. An attribute can have more than one value.
Required within the parent element, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<app-roles>
<app-role>
<name>Knight</name>
<display-name>Fellowship of the Ring</display-name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<extended-attributes>
<attribute>
<name>SCOPE</name>
<values>
<value>Part-I</value>
</values>
</attribute>
</extended-attributes>
</app-role>