This appendix describes the elements and attributes in system-jazn-data.xml
, which is the default store for file-based identity and policy stores in Oracle Platform Security Services.
Note:
The file-based identity store is supported for Java SE applications only.This appendix covers the following topics:
This section shows the element hierarchy of system-jazn-data.xml
, or an application-specific jazn-data.xml
file. The direct subelements of the <jazn-data>
root element are:
<jazn-realm>
<policy-store>
<jazn-policy>
Note:
The<jazn-principal-classes>
and <jazn-permission-classes>
elements and their subelements may appear in the system-jazn-data.xml
schema definition as subelements of <policy-store>
, but are for backward compatibility only.Table B-1 Hierarchy of Elements in system-jazn-data.xml
Hierarchy | Description |
---|---|
<jazn-data> |
This is the top-level element in the |
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1} |
The |
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} | <app-role> {1 or more} | <name> {1} | <class> {1} | <display-name> {0 or 1} | <description> {0 or 1} | <guid> {0 or 1} | <uniquename> {0 or 1} | <extended-attributes> {0 or 1} | | <attribute> {1 or more} | | <name> {1} | | <values> {1} | | <value> {1 or more} | <members> {0 or 1} | <member> {1 or more} | <name> {1} | <class> {1} | <uniquename> {0 or 1} | <guid> {0 or 1} <role-categories> | <role-category> | <name> | <display-name> | <description> | <members> | <role-name-ref> <resource-types> | <resource-type> | <name> | <display-name> | <description> | <provider-name> | <matcher-class> | <actions-delimiter> | <actions> <resources> | <resource> | <name> | <display-name> | <description> | <type-name-ref> <permission-sets> | <permission-set> | <name> | <member-resources> | <member-resource> | <resource-name> | <type-name-ref> | <actions> <jazn-policy> {0 or 1} | <grant> {0 or more} | <description> {0 or 1} | <grantee> {0 or 1} | | <principals> {0 or 1} | | <principal> {0 or more} | | <name> {1} | | <class> {1} | | <uniquename> {0 or 1} | | <guid> {0 or 1} | | <codesource> {0 or 1} | | <url> {1} | <permissions> {0 or 1} | <permission> {1 or more} | <class> {1} | <name> {0 or 1} | <actions> {0 or 1} |
The When
|
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} | <principals> {0 or 1} | <principal> {0 or more} | <name> {1} | <class> {1} | <uniquename> {0 or 1} | <guid> {0 or 1} | <codesource> {0 or 1} | <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1} <permission-sets> | <permission-set> | <name> |
When the
|
This section describes the elements and attributes in the system-jazn-data.xml
file.
Notes:
You can update most settings in system-jazn-data.xml
through Oracle Enterprise Manager Fusion Middleware Control.
This element specifies the operations permitted by the associated permission class. Values are case-sensitive and are specific to each permission implementation. Examples of actions are "invoke" and "read,write".
None
Optional, zero or one:
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} ... <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element specifies the character used to separate the actions of the associated resource type.
<name>
, <display-name>
, <description>
, <actions>
<roles>
, <users>
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <resource-types> <resource-type> <name> <display-name> <description> <provider-name> <matcher-class> <actions-delimiter> <actions>
For an example, see <resource-type>.
This element specifies an application role.
Required subelements specify the following:
<name>
specifies the name of the application role.
<class>
specifies the fully qualified name of the class implementing the application role.
Optional subelements can specify the following:
<description>
provides more information about the application role.
<display-name>
specifies a display name for the application role, such as for use by GUI interfaces.
<guid>
specifies a globally unique identifier to reference the application role. This is for internal use only.
<members>
specifies the users, roles, or other application roles that are members of this application role.
<uniquename>
specifies a unique name to reference the application role. This is for internal use only.
<class>
, <description>
, <display-name>
, <guid>
, <members>
, <name>
, <uniquename>
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
See <policy-store>
for examples.
This element specifies a set of application roles.
Optional, zero or one:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ...
See <policy-store>
for examples.
This element specifies roles and policies for an application.
Required subelements specify the following information for an application:
<name>
specifies the name of the application.
Optional subelements can specify the following:
<description>
provides information about the application and its roles and policies.
<app-roles>
specifies any application-level roles
<jazn-policy>
specifies any application-level policies.
<app-roles>
, <description>
,, <jazn-policy>
, <name>
, <permission-sets>
, <resource-types>
, <resources>
, <role-categories>
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ...
See <policy-store>
for examples.
This element specifies a set of applictions.
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} ...
See <policy-store>
for an example.
This element specifies an attribute of an application role.
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <guid> {0 or 1}
This element specifies several values depending on its location in the configuration file:
Within the <app-role>
element, <class>
specifies the fully qualified name of the class implementing the application role.
<app-role> ... <class>oracle.security.jps.service.policystore.ApplicationRole</class>
Within the <member>
element, <class>
specifies the fully qualified name of the class implementing the role member.
<app-role> ... <members> <member> ... <class> weblogic.security.principal.WLSUserImpl </class>
Within the <permission>
element (for granting permissions to a principal), <class>
specifies the fully qualified name of the class implementing the permission. Values are case-insensitive.
<jazn-policy> <grant> ... <permissions> <permission> <class>java.io.FilePermission</class>
Within the <principal>
element (for granting permissions to a principal), it specifies the fully qualified name of the principal class, which is the class that is instantiated to represent a principal that is being granted a set of permissions.
<jazn-policy> <grant> ... <grantee> <principals> <principal> ... <class>oracle.security.jps.service.policystore.TestUser</class>
<app-role>
, <member>
, <principal>
, or <permission>
None
Required, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} ... <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
and <policy-store>
for examples.
This element specifies the URL of the code to which permissions are granted.
The policy configuration can also include a <principals>
element, in addition to the <codesource>
element. Both elements are children of a <grantee>
element and they specify who or what the permissions in question are being granted to.
For variables that can be used in the specification of a <codesource>
URL, see <url>.
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element specifies the authentication password for a user. The credentials are, by default, in obfuscated form.
None
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1}
See <jazn-realm>
for examples.
This element specifies a text string that provides textual information about an item. Depending on the parent element, the item can be an application role, application policy, permission grant, security role, or user.
<app-role>
, <application>
, <grant>
, <role>
, or <user>
None
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} ... <description> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} ... <description> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ... <description> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1}
The fmwadmin
user might have the following description:
<description>User with administrative privileges</description>
See <jazn-realm>
for additional examples.
This element specifies the name of an item typically used by a GUI tool. Depending on the parent element, an item can be an application role, user, or enterprise group.
<app-role>
, <role>
, or <user>
None
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1}
The fmwadmin
user might have the following display name:
<display-name>Administrator</display-name>
See <jazn-realm>
for additional examples.
This element specifies attributes of an application role.
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<app-roles> <app-role> <name>Knight</name> <display-name>Fellowship For the Ring</display-name> <class>oracle.security.jps.service.policystore.ApplicationRole</class> <extended-attributes> <attribute> <name>SCOPE</name> <values> <value>Part-I</value> </values> </attribute> </extended-attributes> </app-role>
This element specifies the recipient of the grant - a codesource, or a set of principals, or both- and the permissions assigned to it.
<description>
, <grantee>
, <permissions>
, <permission-sets>
Optional, zero or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element, in conjunction with a parallel <permissions>
element, specifies who or what the permissions are granted to: a set of principals, a codesource, or both.
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element is for internal use only. It specifies a globally unique identifier (GUID) to reference the item.
Depending on the parent element, the item to be referenced may be an application role, application role member, principal, enterprise group, or user. It is typically used with an LDAP provider to uniquely identity the item (a user, for example). A GUID is sometimes generated and used internally by Oracle Platform Security Services, such as in migrating a user or role to a different security provider. It is not an item that you would set yourself.
<app-role>
, <member>
, <principal>
, <role>
, or <user>
None
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} ...
See <jazn-realm>
for examples.
This element specifies the top-level element in the system-jazn-data.xml
file-based policy store.
Name | Description |
---|---|
schema-major-version |
Specifies the major version number of the system-jazn-data.xml XSD. The value of this attribute is fixed at 11 for use with Oracle Fusion Middleware 11g. |
schema-minor-version |
Specifies the minor version number of the system-jazn-data.xml XSD. The value of this attribute is fixed at 0 for use with the Oracle Fusion Middleware 11.1.1 implementation. |
n/a
<jazn-policy>
, <jazn-realm>
, <policy-store>
Required, one only
<jazn-data ... > {1} <jazn-realm> {0 or 1} ...
<policy-store> {0 or 1} ...
<jazn-policy> {0 or 1} ...
<jazn-data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation= "http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd"> ... </jazn-data
This element specifies policy grants that associate grantees (principals or codesources) with permissions.
This element can appear in two different locations in the system-jazn-data.xml
file:
Under the <jazn-data>
element, it specifies global policies.
Under the <application>
element, it specifies application-level policies.
Optional, zero or one
<jazn-data> {1} <jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} ... <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
<jazn-policy> <grant> <grantee> <principals> <principal> <class> oracle.security.jps.service.policystore.TestUser </class> <name>jack</name> </principal> <principal> <class> oracle.security.jps.service.policystore.TestUser </class> <name>jill</name> </principal> </principals> <codesource> <url>file:${oracle.deployed.app.dir}/<MyApp>${oracle.deployed.app.ext}</url> </codesource> </grantee> <permissions> <permission> <class>oracle.security.jps.JpsPermission</class> <name>getContext</name> </permission> <permission> <class>java.io.FilePermission</class> <name>/foo</name> <actions>read,write</actions> </permission> </permissions> </grant> </jazn-policy>
<jazn-policy> <grant> <grantee> <principals> <principal> <class> oracle.security.jps.service.policystore.TestAdminRole </class> <name>Farm=farm1,name=FullAdministrator</name> </principal> </principals> <codesource> <url>file://some-file-path</url> </codesource> </grantee> <permissions> permission> <class>javax.management.MBeanPermission</class> <name> oracle.as.management.topology.mbeans.InstanceOperations#getAttribute </name> <actions>invoke</actions> </permission> </permissions> </grant> </jazn-policy>
This element specifies security realms and the users and enterprise groups (as opposed to application-level roles) they include, and is the top-level element for user and role information
Name | Description |
---|---|
default |
Specifies which of the realms defined under this element is the default realm. The value of this attribute must match a <name> value under one of the <realm> subelements.
Values: string Default: n/a (required) |
Optional, zero or one
<jazn-data> {1} <jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} ...
<jazn-data ... > ... <jazn-realm default="jazn.com"> <realm> <name>jazn.com</name> <users> <user deactivated="true"> <name>anonymous</name> <guid>61FD29C0D47E11DABF9BA765378CF9F3</guid> <description>The default guest/anonymous user</description> </user> <user> <name>developer1</name> <credentials>!password</credentials> </user> <user> <name>developer2</name> <credentials>!password</credentials> </user> <user> <name>manager1</name> <credentials>!password</credentials> </user> <user> <name>manager2</name> <credentials>!password</credentials> </user> <!-- these are for testing the admin role hierachy. --> <user> <name>farm-admin</name> <credentials>!password</credentials> </user> <user> <name>farm-monitor</name> <credentials>!password</credentials> </user> <user> <name>farm-operator</name> <credentials>!password</credentials> </user> <user> <name>farm-auditor</name> <credentials>!password</credentials> </user> <user> <name>farm-auditviewer</name> <credentials>!password</credentials> </user> </users> <roles> <role> <name>users</name> <guid>31FD29C0D47E11DABF9BA765378CF9F7</guid> <display-name>users</display-name> <description>users role for rmi/ejb access</description> </role> <role> <name>ascontrol_appadmin</name> <guid>51FD29C0D47E11DABF9BA765378CF9F7</guid> <display-name>ASControl App Admin Role</display-name> <description> Application Administrative role for ASControl </description> </role> <role> <name>ascontrol_monitor</name> <guid>61FD29C0D47E11DABF9BA765378CF9F7</guid> <display-name>ASControl Monitor Role</display-name> <description>Monitor role for ASControl</description> </role> <role> <name>developers</name> <members> <member> <type>user</type> <name>developer1</name> </member> <member> <type>user</type> <name>developer2</name> </member> </members> </role> <role> <name>managers</name> <members> <member> <type>user</type> <name>manager1</name> </member> <member> <type>user</type> <name>manager2</name> </member> </members> </role> </roles> </realm> </jazn-realm> ... </jazn-data>
This element specifies the fully qualified name of the class within a resource type; queries for resources of this type delegate to this matcher class. Values are case-sensitive.
None
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {1 or more}
For an example, see <resource-type>.
This element specifies the members of a set, such as a <role>
or an<app-role>
element:
When under a <role>
element, it specifies a member of the enterprise group. A member can be a user or another enterprise group. The <name>
subelement specifies the name of the member, and the <type>
subelement specifies whether the member type (a user or an enterprise group).
When under an <app-role>
element, it specifies a member of the application role. A member can be a user, an enterprise group, or an application role. The <name>
subelement specifies the name of the member, and the <class>
subelement specifies the class that implements it. The member type is determined through the <class>
element.
Optional subelements include <uniquename>
and <guid>
, which specify a unique name and unique global identifier; these optional subelements are for internal use only.
When under a <role>
element, the <member>
element has the following child elements: <name>
, <type>
When under an <app-role>
element, the <member>
element has the following child elements: <name>
, <class>
, <uniquename>
, <guid>
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
See <jazn-realm>
and <policy-store>
for examples.
This element specifies resources for a permission set.
<resource-name>
, <type-name-ref>,<actions>
Required within <member-resources>, one or more.
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <permission-sets> <permission-set> <name> <member-resources> <member-resource> <resource-name> <type-name-ref> <actions>
For an example, see <permission-set>.
This element specifies a set of member resources.
Required within <permission-sets>; one or more.
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <permission-sets> <permission-set> <name> <member-resources> <member-resource> <resource-name> <type-name-ref> <actions>
For an example, see <permission-set>.
This element specifies a set of members.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
See <jazn-realm>
and <policy-store>
for examples.
This element has different uses, depending on its location in the file:
Within the <app-role>
element, it specifies the name of an application-level role in the policy configuration. For example:
<name>Farm=farm1,name=FullAdministrator</name>
Or a simpler example:
<name>Myrolename</name>
Within the <application>
element, it specifies the policy context identifier. Typically, this is the name of the application during deployment.
Within the <attribute>
element, it specifies the name of an additional attribute for the application-level role.
Within the <member>
element, it specifies the name of a member of an enterprise group or application role (depending on where the <member>
element is located). For example, if the fmwadmin
user is to be a member of the role:
<name>fmwadmin</name>
Within the <owner>
element, it specifies the name of an owner of an enterprise group. For example:
<name>mygroupowner</name>
Within the <permission>
element, as applicable, it can specify the name of a permission that is meaningful to the permission class. Values are case-sensitive. For example:
<name> oracle.as.management.topology.mbeans.InstanceOperations#getAttribute </name>
Or:
<name>getContext</name>
Within the <principal>
element (for granting permissions to a principal), it specifies the name of a principal within the given realm. For example:
<name>Administrators</name>
Within the <realm>
element, it specifies the name of a realm. For example:
<name>jazn.com</name>
Within the <role>
element, it specifies the name of an enterprise group in a realm. For example:
<name>Administrators</name>
Within the <user>
element, it specifies the name of a user in a realm. For example:
<name>fmwadmin</name>
Within the <resource-type>
element, it specifies the name of a resource type and is required. For example:
<name>restype1</name>
<app-role>
, <application>
, <attribute>
, <member>
, <owner>
, <permission>
, <principal>
, <realm>
, <role>
, or <user>
None
Required within any parent element other than <permission>
, one only; optional within <permission>
, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
<application> <name>peanuts</name> <app-roles> <app-role> <name>snoopy</name> <display-name>application role snoopy</display-name> <class>oracle.security.jps.service.policystore.ApplicationRole</class> <members> <member> .......
See <jazn-policy>
, <jazn-realm>
, and <policy-store>
for examples.
This element specifies the owner of the enterprise group, where an owner has administrative authority over the role.
An owner is a user or another enterprise group. The <type>
subelement specifies the owner's type. The concept of role (group) owners specifically relates to BPEL or Oracle Internet Directory functionality. For example, in BPEL, a role owner has the capability to create and update workflow rules for the role.
Note:
To create a group owner in Oracle Internet Directory, use the Oracle Delegated Administration Services. For external (third-party) LDAP servers, set values for the group's owner attribute throughldapmodify
or tools of the particular directory server.Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
This element specifies a set of owners.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
This element specifies the permission to grant to grantees, where a grantee is a set of principals, a codesource, or both, as part of a policy configuration.
Required within parent element, one or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element specifies a set of permissions.
The <permissions>
element (used in conjunction with a parallel <grantee>
element) specifies the permissions being granted, through a set of <permission>
subelements.
Note:
Thesystem-jazn-data.xml
schema definition does not specify this as a required element, but the Oracle Platform Security runtime implementation requires its use within any <grant>
element.Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
A permission set or entitlement specifies a set of permissions.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <permission-sets> <permission-set> <name> <member-resources> <member-resource> <resource-name> <type-name-ref> <actions>
The following fragment illustrates the configuration of a permission set (or entitlement):
<permission-sets> <permission-set> <name>permsetName</name> <member-resources> <member-resource> <type-name-ref>TaskFlowResourceType</type-name-ref> <resource-name>resource1</resource-name> <actions>customize,view</actions> </member-resource> </member-resources> </permission-set> </permission-sets>
Note the following points about a permission set:
The actions specified in a <member-resource> must match one or more of the actions specified for the resource type that is referenced through <resource-name-ref>.
A <member-resources> can have multiple <member-resource> elements in it.
A permission set must have at least one resource.
Permission sets can be exist without necessarily being referenced in any grants, that is, without granting them to any principal.
In addition, the following strings in a permission set entry conform to the case sensitivity rules:
The name is case insensitive.
The description string is case insensitive.
The display name is case insensitive.
This element specifies a set of permission sets.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <permission-sets> <permission-set> <name> <member-resources> <member-resource> <resource-name> <type-name-ref> <actions>
For an example, see <permission-set>.
This element configures application-level policies, through an <applications>
subelement. Under the <applications>
element is an <application>
subelement for each application that is to have application-level policies. The policies are specified through a <jazn-policy>
subelement of each <application>
element.
Note:
The<jazn-principal-classes>
and <jazn-permission-classes>
elements and their subelements may appear in the system-jazn-data.xml
schema definition as subelements of <policy-store>
, but are for backward compatibility only.Optional, zero or one
<jazn-data> {1} <policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} ...
<jazn-data ... > ... <policy-store> <!-- application policy --> <applications> <application> <name>policyOnly</name> <jazn-policy> ... </jazn-policy> </application> <application> <name>roleOnly</name> <app-roles> <app-role> <name>Fellowship</name> <display-name>Fellowship of the Ring</display-name> <class> oracle.security.jps.service.policystore.ApplicationRole </class> </app-role> <app-role> <name>King</name> <display-name>Return of the King</display-name> <class> oracle.security.jps.service.policystore.ApplicationRole </class> </app-role> </app-roles> </application> <application> <app-roles> <app-role> <name>Farm=farm1,name=FullAdministrator</name> <display-name>farm1.FullAdministrator</display-name> <guid>61FD29C0D47E11DABF9BA765378CF9F2</guid> <class> oracle.security.jps.service.policystore.ApplicationRole </class> <members> <member> <class> oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl </class> <name>admin</name> </member> </members> </app-role> </app-roles> <jazn-policy> ... </jazn-policy> </application> ... </applications> </policy-store .... </jazn-data
See <jazn-policy>
for examples of that element.
This element specifies a principal being granted the permissions specified in a <permissions> element as part of a policy configuration. Required under <principals>.
Subelements specify the name of the principal and the class that implements it, and optionally specify a unique name and unique global identifier (the latter two for internal use only).
For details about how principal names can be compared, see Section 2.7, "Principal Name Comparison Logic."
<class>
, <guid>
, <name>
, <uniquename>
Optional, zero or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element specifies a set of principals.
For policy configuration, a <principals>
element and/or a <codesource>
element are used under a <grantee>
element to specify who or what the permissions in question are being granted to. A <principals>
element specifies a set of principals being granted the permissions.
For a subject to be granted these permissions, the subject should include all the specified principals.
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element specifies the name of a resource type provider. The resource resides in a location external to the OPSS policy store. Values are case-insensitive.
None
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <resource-types> <resource-type> <name> <display-name> <description> <provider-name> <matcher-class> <actions-delimiter> <actions>
For an example, see <resource-type>.
This element specifies a security realm, and the users and roles that belong to the realm.
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} ...
See <jazn-realm>
for an example.
This element specifies an application resource and contains information about the resource.
<name>
, <description>
, <display-name>
, <type-name-ref>.
Required under <resources>.
<resources> (0 or more) <resource> (1 or more) <name> (1) <display-name> (1) <description> {0 or 1} <type-name-ref> (1)
The following fragment illustrates the configuration of a resource (instance):
<resources> <resource> <name>resource1</name> <display-name>Resource1DisplayName</display-name> <description>Resource1 Description</description> <type-name-ref>TaskFlowResourceType</type-name-ref> </resource> </resources>
Note the following points about case sensitivity of various strings in a resource entry:
The name is case sensitive.
The description string is case insensitive.
The display name is case insensitive.
This element specifies a collection of application resources.
Optional, zero or more
<resources> (0 or more) <resource> (1 or more) <name> (1) <display-name> (1) <description> {0 or 1} <type-name-ref> (1)
For an example, see <resource>.
This element specifies a member resource in a permission set. Values are case-sensitive.
None
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <permission-sets> <permission-set> <name> <member-resources> <member-resource> <resource-name> <type-name-ref> <actions>
For an example, see <permission-set>.
This element specifies the type of a secured artifact, such as a flow, a job, or a web service. Values are case-insensitive.
<name>
, <display-name>
, <description>
, <actions>
, <actions-delimiter>
, <matcher-class>
, <provider-name>
.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <resource-types> <resource-type> <name> <display-name> <description> <provider-name> <matcher-class> <actions-delimiter> <actions>
The following fragment illustrates the configuration of a resource type:
<resource-types> <resource-type> <name>TaskFlowResourceType</name> <display-name>TaskFlowResourceType_disp</display-name> <description>Resource Type for Task Flow</description> <provider-name>resTypeProv</provider-name> <matcher-class> oracle.adf.controller.security.TaskFlowPermission</matcher-class> <actions-delimiter>,</actions-delimiter> <actions>customize,view</actions> </resource-type> </resource-types>
The following points apply to the specification of a resource type:
The name is required and case insensitive.
The provider name is optional and case insensitive. A provider is typically used when there are resources managed in an external store, that is, in a store other than the OPSS domain policy store.
When specified, the class in a <provider-name> element is used as a resource finder; queries for resources of this type (via the ResourceManager
search APIs) delegate to this matcher class instead of using the built-in resource finder against the OPSS domain policy store.
The matcher class name is required and case sensitive.
The description string is optional and case insensitive.
The display name is optional and case insensitive.
The action string is optional and case sensitive. The list of actions in a resource type can be empty. An empty action list indicates that the actions on instances of the resource type are determined externally and are opaque to OPSS.
This element specifies a set of resource types.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <resource-types> <resource-type> <name> <display-name> <description> <provider-name> <matcher-class> <actions-delimiter> <actions>
For an example, see <resource-type>.
This element specifies an enterprise security role, as opposed to an application-level role, and the members (and optionally owners) of that role.
<description>
, <display-name>
, <guid>
, <members>
, <name>
, <owners>
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
See <jazn-realm>
for examples.
This element specifies the parent element of <role-category> elements.
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> <role-category> <name> <description> <display-name>
See Section 20.3.3.1, "Using the Method checkPermission" for an example.
This element specifies a category, that is, a flat set of application roles.
<name>, <display-name>, <description>, <members>
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> <role-category> <name> <description> <display-name> <members>
See Section 20.3.3.1, "Using the Method checkPermission" for an example.
This element specifies an application role within a role category.
None
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> <role-category> <name> <description> <members> <role-name-ref>
This element specifies a set of enterprise security roles that belong to a security realm.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
See <jazn-realm>
for an example.
This element specifies the type of an enterprise group member or role owner: specifically, whether the member or owner is a user or another role:
<type>user</type>
Or:
<type>role</type>
None
Required, one only
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
See <jazn-realm>
for examples.
This element specifies the resource type of a resource.
None
Required within <resource> or <member-resource>.
<resources> (0 or more) <resource> (1 or more) <name> (1) <display-name> (1) <description> {0 or 1} <type-name-ref> (1)
For an example, see <resource>.
This element, for internal use, takes a string value to specify a unique name to reference the item. (The JpsPrincipal
class can use a GUID and unique name, both computed by the underlying policy provisioning APIs, to uniquely identify a principal.) Depending on the parent element, the item could be an application role, application role member (not an enterprise group member), or principal. It is typically used with an LDAP provider to uniquely identity the item (an application role member, for example). A unique name is sometimes generated and used internally by Oracle Platform Security.
The unique name for an application role would be: "appid=application_name, name=actual_rolename
". For example:
<principal> <class> oracle.security.jps.service.policystore.adminroles.AdminRolePrincipal </class> <uniquename> APPID=App1,name="FARM=D.1.2.3,APPLICATION=PolicyServlet,TYPE=OPERATOR" </uniquename> </principal>
<app-role>
, <member>
, or <principal>
None
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
This element specifies the URL of the code that is granted permissions.
Note the following points:
URL values cannot be restricted to a single class.
URL values with ".jar" suffix match the JAR files in the specified directory.
URL values with "/" suffix match all class files (not JAR files) in the specified directory.
URL values with "/*" suffix match all files (both class and JAR files) in the specified directory.
URL values with "/-" suffix match all files (both class and JAR files) in the specified directory and, recursively, all files in subdirectories.
The system variables oracle.deployed.app.dir
and oracle.deployed.app.ext
can be used to specify a URL independent of the platform.
None
Required within parent element, one only
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
The following example illustrates the use of the system variables oracle.deployed.app.dir
and oracle.deployed.app.ext
to specify URLs independent of the server platform.
Suppose an application grant requires a codesource URL that differs with the server platform:
On WebLogic <grant> <grantee> <codesource> <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/myApp/-</url> </codesource> </grantee> <permissions> ... </permissions> </grant> On WebSphere <grant> <grantee> <codesource> <url>file:${user.install.root}/installedApps/${was.cell.name}/myApp/-</url> </codesource> </grantee> <permissions> ... </permissions> </grant>
Then, using the following system variable settings:
On WebLogic -Doracle.deployed.app.dir=${DOMAIN_HOME}/servers/${SERVER_NAME}/tmp/_WL_user -Doracle.deployed.app.ext=/- On WebSphere -Doracle.deployed.app.dir=${USER_INSTALL_ROOT}/installedApps/${CELL} -Doracle.deployed.app.ext=.ear/-
the following specification would work for both platforms, WebLogic and WebSphere:
<grant> <grantee> <codesource> <url>file:${oracle.deployed.app.dir}/<MyApp>${oracle.deployed.app.ext}</url> </codesource> </grantee> <permissions> ... </permissions> </grant>
This element specifies a user within a realm.
Name | Description |
---|---|
deactivated |
Specifies whether the user is valid or not.
Set this attribute to Values: Default: |
<name>
, <display-name>
, <description>
, <guid>
, <credentials>
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} ...
See <jazn-realm>
for examples.
This element specifies the set of users belonging to a realm.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} ...
See <jazn-realm>
for an example.
This element specifies a value for an attribute. You can specify additional attributes for application-level roles using the <extended-attributes>
element.
None
Required within the parent element, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<app-roles> <app-role> <name>Knight</name> <display-name>Fellowship of the Ring</display-name> <class>oracle.security.jps.service.policystore.ApplicationRole</class> <extended-attributes> <attribute> <name>SCOPE</name> <values> <value>Part-I</value> </values> </attribute> </extended-attributes> </app-role>
This element specifies a set of values, each of which specify the value of an attribute. An attribute can have more than one value.
Required within the parent element, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<app-roles> <app-role> <name>Knight</name> <display-name>Fellowship of the Ring</display-name> <class>oracle.security.jps.service.policystore.ApplicationRole</class> <extended-attributes> <attribute> <name>SCOPE</name> <values> <value>Part-I</value> </values> </attribute> </extended-attributes> </app-role>