Sun Java System Access Manager Policy Agent 2.2 Guide for BEA WebLogic Server/Portal 9.2

Mapping Access Manager Roles to Principal Names

Note –

This section is not applicable for BEA WebLogic Portal 9.2.

If you are using this agent for BEA WebLogic Server 9.2 (not BEA WebLogic Portal 9.2) and the agent is set to the J2EE_POLICY filter mode, map Access Manager roles to the principal names in the respective application's deployment descriptor file (or files):

Access Manager roles are represented in UUIDs. For more information on UUIDs, see the following:

A UUID for an Access Manager role is mapped to the respective principal name in the weblogic.xml file or the weblogic-ejb-jar.xml file. Specifically, the principal name is located within the <principal-name> element.

Mapping is established by setting the property com.sun.identity.agents.config.privileged.attribute.mapping[] in the J2EE agent configuration file.

Note –

Ensure that the keys in the mapping are UUIDs corresponding to your site's Access Manager installation. The values are the principal names in the weblogic.xml file or the weblogic-ejb-jar.xml file.

In releases of BEA WebLogic earlier than 9.0, this mapping is not required: the UUIDs representing Access Manager roles are used directly in the weblogic.xml file or the weblogic-ejb-jar.xml file as principal names.

However, starting with BEA WebLogic 9.0, a principal name within the weblogic.xml file or the weblogic-ejb-jar.xml file must be of the NMTOKEN format. This format is mandated by the corresponding schema files.

Access Manager UUIDs include the following characters (equal sign, comma, and ampersand):

=
,
&

These characters are not in the NMTOKEN character set. Therefore, the UUIDs representing Access Manager roles cannot be used directly as principal names. Instead, they must be mapped to names made up of characters in the NMTOKEN character set, which includes letters and digits as well as the following characters (period, hyphen, underscore, and colon):

.
-
_
:

The following examples, which use “\” as an escape character before the special character “=,” illustrate how this property can be set:

dc\=iplanet,dc\=com] = am_manager_role
dc\=iplanet,dc\=com] = am_employee_role
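As an added example, not taken from the guide or from the agent itself, the following Python checks the NMTOKEN constraint described above, builds mapping lines with the backslash escaping of "=" shown in the examples, and scans a descriptor for principal names that are still raw UUIDs. The role UUID (the id=manager,ou=role part) and the weblogic.xml fragment are constructed sample values; the NMTOKEN check is restricted to ASCII.

```python
import re

# The agent property that carries the role-to-principal mapping (from the guide).
MAPPING_PROPERTY = "com.sun.identity.agents.config.privileged.attribute.mapping"

# NMTOKEN restricted to ASCII for this example: letters, digits, period,
# hyphen, underscore and colon (assumption: non-ASCII name characters ignored).
NMTOKEN_RE = re.compile(r"^[A-Za-z0-9._:-]+$")

def is_nmtoken(value):
    """True if value is usable as a <principal-name> in a WebLogic 9.x descriptor."""
    return bool(NMTOKEN_RE.match(value))

def escape_uuid(uuid):
    """Escape '=' with a backslash, as the guide's property examples do."""
    return uuid.replace("=", "\\=")

def mapping_line(uuid, principal):
    """Build one mapping line; reject principals that are not NMTOKENs."""
    if not is_nmtoken(principal):
        raise ValueError(f"principal {principal!r} is not an NMTOKEN")
    return f"{MAPPING_PROPERTY}[{escape_uuid(uuid)}] = {principal}"

def bad_principal_names(descriptor_xml):
    """Return <principal-name> values that violate NMTOKEN, e.g. raw UUIDs
    carried over from a pre-9.0 configuration."""
    names = re.findall(r"<principal-name>\s*([^<]*?)\s*</principal-name>", descriptor_xml)
    return [n for n in names if not is_nmtoken(n)]

# Constructed sample: the id=manager,ou=role part is hypothetical; dc= follows the guide.
MANAGER_UUID = "id=manager,ou=role,dc=iplanet,dc=com"

# Constructed weblogic.xml fragment: one raw UUID (invalid) and one mapped name (valid).
SAMPLE_WEBLOGIC_XML = f"""
<security-role-assignment>
  <role-name>manager</role-name>
  <principal-name>{MANAGER_UUID}</principal-name>
</security-role-assignment>
<security-role-assignment>
  <role-name>employee</role-name>
  <principal-name>am_employee_role</principal-name>
</security-role-assignment>
"""

if __name__ == "__main__":
    print(mapping_line(MANAGER_UUID, "am_manager_role"))
    print("invalid principal names:", bad_principal_names(SAMPLE_WEBLOGIC_XML))
```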

For more information on this property, see the mapping-related attributes in Privileged Attribute Processing Properties.