Skip Headers
Oracle® Fusion Middleware Developer's Guide for Oracle Entitlements Server
11g Release 1 (11.1.1)
  Go To Documentation Library
Go To Product List
Go To Table Of Contents
Go To Index


2 Constructing A Policy Programmatically

Oracle Entitlements Server contains Java application programming interfaces (API) for creating policy objects programmatically. This chapter contains information on how to create these various policy objects using the API. It contains the following sections:

2.1 Using the Java API

The Oracle Entitlements Server Java API can be used to construct, manage (read, modify, delete) and search for the policy objects discussed in Chapter 1, "Using the Policy Model." Policy definitions are constructed from these policy objects. A policy object is generally any interface that ends in Entry. The package comprises most of the policy objects including (but not limited to) the PolicyEntry, AppRoleEntry, and PermissionSetEntry. The package comprises the ResourceEntry, ResourceTypeEntry and the ResourceActionsEntry. To construct or manage a policy object, you must:

  1. Get a handle to the policy store.

  2. Retrieve the application policy under which the object will be (or has been) created.

    This may or may not entail the retrieval of a policy domain. See Chapter 5, "Delegating Policy Administration" for more information.

  3. Retrieve an instance of the appropriate entity manager interface.

    A policy object is constructed and managed using an entity manager. The package comprises all interfaces including (but not limited to) the ResourceManager, PolicyManager, AppRoleManager, and PermissionSetManager.

The following list documents more specifically how the API can be used to perform specific operations on policy objects.

Table 2-2 Available Comparison Operators by Data Type

Expression Data Type Available Comparison Operator


STRING_EQUAL (supported when comparing multi-value attributes only)




BOOLEAN_EQUAL (supported when comparing multi-value attributes only)


DATE_EQUAL (supported when comparing multi-value attributes only)








INTEGER_EQUAL (supported when comparing multi-value attributes only)








TIME_EQUAL (supported when comparing multi-value attributes only)











For detailed information on the Oracle Entitlements Server Java API, see one or both of the Java API Reference guides.

2.2 Executing A Simple Policy

Executing the simple policy procedure documented in Section 1.2, "Composing A Simple Policy" requires that the objects be created in a particular order. For example, a ResourceEntry object can only be created after defining a ResourceType object. The following sections are listed in the correct order for executing a simple policy programmatically.


Before creating any policy objects, you should determine the overall organizational structure of the policy model components; for example, it may be beneficial to implement only one ApplicationPolicy object and, within that parent, delegate policies in multiple PolicyDomainEntry objects. For more information, see Section 5.7, "Delegating with a Policy Domain."

2.2.1 Accessing the Policy Store

Any policy management activity must be preceded by retrieving an instance of the PolicyStore object. The following procedure shows how the PolicyStore object is retrieved using interfaces in the package. Smith is specified as the user with the administrative rights to manage the policies.


Errors will be returned for any methods the user is not authorized to call.

  1. Retrieve an instance of PolicyStore.

    JpsContextFactory ctxFact = JpsContextFactory.getContextFactory(); 
    JpsContext ctx = ctxFact.getContext(); 
    PolicyStore ps = ctx.getServiceInstance(PolicyStore.class); 
    if (ps == null) {  
        // if no policy store instance configured in jps-config.xml  
        System.out.println(“no policy store instance configured”);  

    JpsContext declares a collection of service instances common to a particular domain in the file that configures Oracle Platform Security Services (OPSS), jps-config.xml. If there is more than one JpsContext defined in the jps-config.xml, the policy store specified in the default JpsContext will be returned. You can also get a particular JpsContext by name. See the Oracle Fusion Middleware Security Guide for more information on this configuration file. Parameters specific to Oracle Entitlements Server are documented in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.


    • If no policy store instance is configured, getServiceInstance() will return null.

    • If a connection is not established, getServiceInstance() throws javax.persistence.PersistenceException.

    • If the PolicyStore object was already retrieved but the connection went down, any operations within the policy store will lead to a PolicyStoreException. If the backend is down, resume operations once the backup is available. High availability for backend stores is also possible.

  2. Specify the administrative user.

    Subject smith = new Subject(); 
    Principal principal = new WLSUserImpl("smith"); 
    BindingPolicyStore ps = BindingPolicyStoreFactory.getInstance();ps.setSubject(smith);

    It is assumed the user is already authenticated.

2.2.2 Creating an Application Policy

An ApplicationPolicy object is a container for all objects needed to define secure access to a particular application. An ApplicationPolicy object should be created for each target to be secured. You may create as many as needed. Once created, the ApplicationPolicy is represented by the ApplicationPolicy interface which contains the programmatic managers needed to create resources, policies and other security objects used to define the application's access requirements. These security objects comprise those defined in Chapter 1, "Using the Policy Model."


The ApplicationPolicy object is represented in the Oracle Entitlements Server Administration Console as an Application.

You can create, delete and retrieve ApplicationPolicy objects with the methods found in the PolicyStore interface. Example 2-1 illustrates how to create an ApplicationPolicy object using the createApplicationPolicy() method.

Example 2-1 Using createApplicationPolicy() Method

ApplicationPolicy ap = ps.createApplicationPolicy("Trading", "Trading 
 Application","Trading Application."); 

The values of the createApplicationPolicy() parameters are defined as:

  • Name - Trading is a unique identifier for the ApplicationPolicy object.

  • Display Name - Trading Application is an optional, human-readable name for the ApplicationPolicy object.

  • Description - Trading Application. is optional information describing the ApplicationPolicy object.


Deleting an ApplicationPolicy object deletes all child objects created within it.

2.2.3 Defining Resource Types

A ResourceTypeEntry object specifies the full scope of traits for a particular kind of protected resource. It contains resource attributes and definitions of all possible valid actions that can be performed on the protected resource. From the higher level ResourceTypeEntry object (associated with an ApplicationPolicy object), you instantiate a specific Resource object to represent an actual, secured target. Thus, the ResourceTypeEntry must include the full range of actions that may be granted or denied on any Resource instance of this type. The actions added to a ResourceTypeEntry can be standard actions (GET and POST to a URL) or a custom action on a business object (transfer to or from a bank account).


The ResourceTypeEntry object is represented in the Oracle Entitlements Server Administration Console as a Resource Type.

To create, delete, retrieve or modify a ResourceTypeEntry, obtain an instance of the ResourceTypeManager. Example 2-2 creates a ResourceTypeEntry named TradingResType within the TradingApp ApplicationPolicy object. TradingResType has two permissible actions (BUY and SELL) and an attribute named ManagerType .

Example 2-2 Using the createResourceType() Method

ResourceTypeManager resourceTypeManager = Trading.getResourceTypeManager();
List<String> actions = new ArrayList();
List<AttributeEntry<? extends DataType>> attributes = new ArrayList<AttributeEntry<? extends DataType>>();
ResourceTypeEntry resType = rtm.createResourceType
  ("TradingResType", "Trading ResType", "Trading Resource Type", 
    actions, attributes, ",", null);

TradingApp is the name of the ApplicationPolicy object from which the ResourceTypeManager is being retrieved. The values of the createResourceType() parameters are defined as:

  • Name - TradingResType is a unique identifier for the ResourceTypeEntry.

  • Display Name - Trading ResType is an optional, human-readable name for the ResourceTypeEntry.

  • Description - Trading Resource Type is optional information describing the ResourceTypeEntry.

  • Actions - actions is the name of an ordered collection (list) of all valid actions on the ResourceTypeEntry - in this case, GET. Use the setAllAction() method to set a default action keyword.

  • Attributes - attributes specifies a listing of all valid attributes for the ResourceTypeEntry. If there are duplicate ones, they will be handled as one. To define one or more attributes, create them with the createAttribute() method in the ExtensionManager and reference them here. See Section 2.3.3, "Creating Attribute and Function Definitions" for more information. Attributes can also be null.

  • Delimiter - / (forward slash) is the default delimeter for the actions. Use the setResourceNameDelimiter() method to set a different delimiter. The delimiter is passed to the method as a ResourceTypeEntry.ResourceNameDelimiter enum.

  • Resource Matcher Class - null signifies there is no resource permission matcher class used for target and action matching. To set an implementation of the Java Permission class, assign the class name as the matcher class. In this case, the list of actions supplied under Actions are validated at runtime by the implementation.

ResourceTypeEntry objects can also be defined as hierarchical by invoking the object's setHierarchicalResource() method. By passing true to the isHierarchical parameter, the ResourceTypeEntry will be set as hierarchical. A hierarchical ResourceTypeEntry can then be used to instantiate a ResourceEntry in which the following applies.

  1. A policy applicable to a ResourceEntry created from a hierarchical ResourceTypeEntry is also applicable to any ResourceEntry objects that are its children.

  2. Any attribute defined for a ResourceEntry created from a hierarchical ResourceTypeEntry is inherited by any ResourceEntry objects that are its children.

The isHierarchicalResource() method can be used to determine whether a ResourceTypeEntry has been set as hierarchical. Additional information is noted in Section 2.2.4, "Instantiating a Resource."

2.2.4 Instantiating a Resource

A ResourceEntry object represents a specific, secured target in a protected application. It can represent software components managed by a container (URLs, EJBs, JSPs) or business objects in an application (reports, transactions, revenue charts). See the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server for more information on software components and business objects.


The ResourceEntry object is represented in the Oracle Entitlements Server Administration Console as a Resource.

To create a ResourceEntry object, obtain an instance of the ResourceManager using the getResourceManager() method in the applicable ApplicationPolicy or PolicyDomainEntry. Following that, use the createResource() method to create the object.


A ResourceEntry object is defined as an instance of a ResourceType object. Be sure the appropriate ResourceType is defined before attempting to create a ResourceEntry instance. For more information, see Section 2.2.3, "Defining Resource Types."

Example 2-3 creates a checking account ResourceEntry. Trading refers to the ApplicationPolicy object from which the ResourceManager is being retrieved.

Example 2-3 Using createResource() Method

ResourceManager resMgr = Trading.getResourceManager();
ResourceEntry checkingRes = resMgr.createResource("Bob_checking1", 
 "Bob Checking Account", "Checking account.", resType, null);

The values of the createResource() parameters are defined as:

  • Name - Bob_checking1 is the unique identifier for the ResourceEntry.

  • Display Name - Bob Checking Account is an optional, human-readable name for the ResourceEntry.

  • Description - Checking account. is optional information describing the ResourceEntry.

  • Type - resType is the ResourceTypeEntry object from which the resource will be instantiated.

  • Attributes - null specifies that there are no (optional) attributes being configured for this ResourceEntry. To define one or more attributes, create them with the createAttribute() method in the ExtensionManager and reference them here (instead of null).

Once a ResourceEntry is created, it can be paired with actions in a ResourceActionsEntry or included in a PermissionSetEntry. For more information, see Section 2.3.4, "Defining Permission Sets."


As noted in Section 2.2.3, "Defining Resource Types," hierarchical ResourceEntry objects can be instantiated from ResourceTypeEntry objects. When instantiating a hierarchical ResourceEntry object:

  • The name of the ResourceEntry must start with a delimiter. For example, if the delimiter is /, a valid name is /region/East.

  • All parent resources must already be created. For example, a resource /region/East/NY can only be created if both /region and /region/East have already been created.

2.2.5 Associating Actions with the Resource

A ResourceActionsEntry object associates a Resource instance with a set of actions that can be performed on it. The Resource instance is specified as either a static ResourceEntry or a dynamic ResourceNameExpression.


A ResourceActionsEntry is not a named object that is independently managed. It is just an association.

The following sections have more information. Using a ResourceEntry

The procedure to instantiate a ResourceEntry is explained in Section 2.2.4, "Instantiating a Resource." After instantiating a ResourceEntry, build a ResourceActionsEntry object to define the actions that can be performed on the resource. The set of actions are defined in a list using a subset of the legal actions defined in the Resource's corresponding ResourceTypeEntry. Example 2-4 builds a list that defines the association (resActsList) between the ResourceEntry and its actions using the ResourceActionsEntry interface. This example creates a checking account ResourceEntry and associates the checking account with the ability to read it or modify it.

Example 2-4 Building a ResourceActionsEntry with ResourceEntry

ResourceEntry checkingRes = resMgr.createResource("Bob_checking1", 
 "Bob Checking Account", "Checking account.",resType, null); 
List<String> actions = new ArrayList<String>(); 
List<ResourceActionsEntry> resActsList = new 
resActsList.add(new BasicResourceActionsEntry(Checking, <actions>));

Bob_checking1 is the ResourceEntry. The List defines the applicable actions for Bob_checking1 that will be governed by this ResourceActionsEntry object: read and write. The allowable actions are culled from the parent ResourceTypeEntry. Using a ResourceNameExpression

Instead of using a ResourceEntry, a ResourceNameExpression can be specified. A ResourceNameExpression contains a defined ResourceTypeEntry and a Java regular expression, expressed as a string. The string is used to match the ResourceEntry instance at runtime. For example, assume the policy data in Table 2-3 has been defined. RAE1 and RAE2 are defined with specific ResourceEntry objects, ResType1 and ResType2. RAE3 is defined with a ResourceNameExpression; during the runtime evaluation of Policy3, http://* is used to match the ResourceEntry and returns ResType1, the ResourceEntry for an HTTP URL.

Table 2-3 Matching ResourceNameExpression Objects

ResourceEntry ResourceActionsEntry Policies

ResType1 (HTTP URL)

RAE1 with ResType1 ResourceEntry and action GET

Policy1 with RAE1

ResType2 (HTTPS URL)

RAE2 with ResType2 ResourceEntry and action GET

Policy2 with RAE2

RAE3 with ResType1 ResourceNameExpression http://* and action GET

Policy3 with RAE3

Example 2-5 illustrates how to build a ResourceActionsEntry with a ResourceNameExpression.

Example 2-5 Building a ResourceActionsEntry with ResourceNameExpression

// create one ResourceActionEntry
ResourceNameExpression resExpression = new ResourceNameExpression
  (resTypeName, resNameExp);
ResourceActionsEntry resActionsEntry = new BasicResourceActionsEntry
  (resExpression, actions);
List<ResourceActionsEntry> resActionsList = 
   new ArrayList<ResourceActionsEntry>();

Table 2-4 has examples of the ResourceNameExpression. While any regular expression can be used, the pattern expressions listed in the table are processed faster then regular expresisons.

Table 2-4 Examples of ResourceNameExpression

Expression Description

Specific to Resource Type

To specify any action type, use the keyword specific to the Resource Type.

resActsList.add(new BasicResourceActionsEntry(checkingRes,"any"));


To specify all resources

resActsList.add(new BasicResourceActionsEntry(".*", actions));


To specify all resources beginning with http.

resActsList.add(new BasicResourceActionsEntry("http.*", actions));


To specify all resources ending in html.

ResourceActionsEntry suffixResActions = new BasicResourceActionsEntry(".*html", actions);

You may also populate a Permission Set with one or more ResourceActionsEntry objects. See Section 2.3.4, "Defining Permission Sets" for more information.

2.2.6 Specifying a Policy Rule

A PolicyRuleEntry defines an Effect (and optionally a Condition). An Effect specifies the possible outcomes of the policy rule. Effects in Oracle Entitlements Server are GRANT or DENY. When the policy rule is evaluated (coupled with information regarding a principal and a target ResourceEntry), the rights of the subject in terms of the ResourceEntry are determined. All policies must contain one (and only one) Policy Rule. Example 2-6 illustrates how to create a PolicyRuleEntry object named myRule programmatically using the BasicPolicyRuleEntry implementation.

Example 2-6 Create a PolicyRuleEntry

PolicyRuleEntry myRule = new BasicPolicyRuleEntry
 ("ReportRule", "Report Policy Rule", "Rule for Reports policy.", 
 PolicyRuleEntry.EffectType.GRANT, myCondition);

The values of the parameters are defined as:

  • Name - ReportRule is a unique identifier for the policy rule.

  • Display Name - Report Policy Rule is an optional, human-readable name for the policy rule.

  • Description - Rule for Reports policy is optional information describing the policy rule.

  • PolicyRuleEntry.EffectType - takes a value of GRANT based on the desired outcome. The PolicyRuleEntry.EffectType enum defines the available effect types for Oracle Entitlements Server. The constants are GRANT or DENY.

  • Condition - myCondition is the name of the optional Condition used by this policy rule. The Condition is a BooleanExpressionEntry which represents an Expression that returns a boolean value. See Section 2.3.5, "Defining a Condition" for more information.

2.2.7 Specifying the Principal

A PrincipalEntry specifies the users, groups, or roles to which the policy pertains. Table 2-5 illustrates these types and how each can be specified programmatically.

Table 2-5 Specifying a Principal Programmatically

Principal Type Example


Specify the class name of the user principal validation provider ( and the user name. The following example defines a user named smith.

PrincipalEntry aUser = new BasicPrincipalEntry
 ("", "smith");
List<PrincipalEntry> myPrincipal = new
 ArrayList<PrincipalEntry>(); myPrincipal.add(aUser);


Specify the class name of the group principal validation provider ( and the group name. The following example defines a group named Acme.

PrincipalEntry aGroup = new BasicPrincipalEntry
 ("", "Acme");
List<PrincipalEntry> myPrincipal = new
 ArrayList<PrincipalEntry>(); myPrincipal.add(aGroup);


Retrieve the tRole Application Role and add it to the PrincipalEntry.

AppRoleEntry aRole = 
List<PrincipalEntry> principal = 
  new ArrayList<PrincipalEntry>(); 

See Section 2.3.1, "Creating Application Roles" for more information.

Anonymous Role

Add anonymous as a principal to policies that allow access to anonymous users.

PrincipalEntry anonymous = new AnonymousRoleEntry();
List<PrincipalEntry> principals = new  

Authenticated Role

Add authenticated as a principal to policies that allow access to authenticated users.

PrincipalEntry authenticated = new AuthenticatedRoleEntry();
List<PrincipalEntry> principals = new

When a policy's subject is multiple groups and/or roles, that policy applies to a user based on the principal semantic defined. Options include:

  • PRINCIPAL_AND_SEMANTIC defines a policy that applies to a user if the user matches ALL groups or roles listed as the principal. For example, if a list of principals contains two roles, the user must be member of both roles for the policy to apply.

  • PRINCIPAL_OR_SEMANTIC defines a policy that applies to a user if the user matches AT LEAST one of the groups or roles listed as the principal. For example, if a list of principals contains two roles, the user can be a member of ONLY one of these roles for the policy to apply.

2.2.8 Defining the Policy

A Policy specifies the access rights that specific principals have on specific resources. Basically, it consolidates all the pieces needed to create the access control - including, but not limited to, a PolicyRuleEntry, a ResourceActionsEntry, and a PrincipalEntry.

A Policy is programmatically represented as a PolicyEntry object. To create a PolicyEntry object, obtain an instance of the PolicyManager using the getPolicyManager() method. Following that, use the createPolicy() method to create the object. Example 2-7 creates a policy named myPolicy.

Example 2-7 Using createPolicy() Example

PolicyManager policyMgr = domain.getPolicyManager();
List<PermissionSetEntry> permSets = new ArrayList<PermissionSetEntry>();
List<PrincipalEntry> principals = new ArrayList<PrincipalEntry>();
principals.add(new BasicPrincipalEntry(WLSUserImpl.class.getCanonicalName(), "john"));
PolicyEntry myPolicy = policyManager.createPolicy
 ("BankPolicy", "Bank policy", "Policy for bank.", myRule, 
 permSets, principals, null, obligations, PolicyEntry.POLICY_SEMANTIC.AND); 

domain refers to the Policy Domain under which the policy is being created. The values of the createPolicy() parameters are defined as:

  • Name - Bank Policy is a unique identifier for the PolicyEntry.

  • Display Name - Bank policy is an optional, human-readable name for the PolicyEntry.

  • Description - Policy for bank. is optional information describing the PolicyEntry.

  • Policy Rule - myrule is the PolicyRuleEntry object.

  • PermissionSetEntry - permSets is an ordered collection (list) of PermissionSetEntry objects. See Section 2.3.4, "Defining Permission Sets" for more information.

  • Principal - principals is an ordered collection (list) of PrincipalEntry objects defined as the subject of this policy.

  • ResourceActionsEntry - A list of ResourceActionsEntry objects can also be defined. If the list of PermissionSetEntry objects is null, this list should contain at least one valid element.

  • Obligations - A list of ObligationEntry objects may be used. See Section 2.3.6, "Adding Obligations" for more information.

  • policySemantic - describes how principals specified in the policy should be handled. The PolicyEntry.POLICY_SEMANTIC enum defines the available constants as AND or OR.

    • PolicyEntry.POLICY_SEMANTIC.AND applies to a user if the user matches all principals listed in the policy. For example, if a list of principals contains two roles, the user must be a member of both roles for the policy to apply.

    • PolicyEntry.POLICY_SEMANTIC.OR applies to a user if the user matches at least one of the principals listed in the policy. For example, if list of principals contains two roles, the user can be a member of at least one of these roles for the policy to apply.

2.3 Creating Fine Grained Elements for a Simple Policy

Section 2.2, "Executing A Simple Policy" documented how to create the minimum components needed to define a policy. The following sections contain information on how to add the advanced policy elements discussed in Section 1.3, "Adding Fine Grained Objects to a Simple Policy" to a simple policy.

2.3.1 Creating Application Roles

An AppRoleEntry object is associated with an ApplicationPolicy to group access rights that can then be distributed to users who are granted the role. Once an AppRoleEntry is defined, the grantAppRole method can be used to assign the role to a subject statically or a Role Mapping Policy can be created to assign it to subjects dynamically. (An Authorization Policy is used to define the role's access rights.)


See Section 2.3.2, "Creating Role Mapping Policies" for more information.

The following can be added as members to an AppRoleEntry:

  • Enterprise users from an identity store

  • Enterprise roles from an identity store

  • Other Application Roles in a policy store


The AppRoleEntry object is represented in the Oracle Entitlements Server Administration Console as an Application Role. Application Roles are consolidated under the Role Catalog branch of the Administration Console navigation tree.

When an Application Role is specified as a principal for a particular policy, all users assigned to the role are governed by that policy. All ApplicationPolicy containers have two implicit Application Roles:

  • Anonymous Role — implicitly assigned to all unauthenticated users.

  • Authenticated Role — implicitly assigned to all authenticated users.

To create an AppRoleEntry, get an instance of AppRoleManager from within the ApplicationPolicy object where the Application Role will be created and use the createAppRole() method. Example 2-8 shows the creation of an AppRoleEntry named TraderRole.

Example 2-8 Creating an Application Role

AppRoleManager roleMgr = bankApplication.getAppRoleManager(); 
AppRoleEntry traderRole = roleMgr.createAppRole("TraderRole", 
 "Trader Role", "Trader role"); 

bankApplication defines the ApplicationPolicy object for which we are retrieving the AppRoleManager. The values of the createAppRole() parameters are defined as:

  • Name - TraderRole is a unique identifier for the AppRoleEntry object.

  • Display Name - Trader Role is an optional, human-readable name for the AppRoleEntry object.

  • Description - Trader Role is optional information describing the AppRoleEntry object.

To assign a Principal to an AppRoleEntry object, build a PrincipalEntry list containing the appropriate users or groups. Use grantAppRole() to assign the role to the principals in the list. Example 2-9 shows the creation and assignment of user JSMITH to the TraderRole.

Example 2-9 Assigning Principals to an Application Role

//create user named JSMITH PrincipalEntry aUser = new
BasicPrincipalEntry("", "JSMITH");

//Add user to principals list
List<PrincipalEntry> principal = new ArrayList<PrincipalEntry>();

//assign user to role.
roleMgr.grantAppRole(traderRole, principal);

The values of the grantAppRole() parameters are defined as:

  • Name - TraderRole is the name of the AppRoleEntry object to which the user is being assigned.

  • Principal - principal is the name of the list which contains the user being added.

Application Role hierarchies can be built by assigning Application Roles as members of other Application Roles. A policy that applies to an Application Role also applies to all Application Roles that have been assigned to it as members. Example 2-10 illustrates how the TraderManagers role is assigned as a member of the AllManagers role. Thus, all policies that apply to members of the AllManagers role also apply to all members of the TraderManagers role.

Example 2-10 Applying Application Role Hierarchies

//create AllManagers and TraderManagers roles 
AppRoleEntry allManagers = roleMgr.createAppRole("AllManagers", 
 "AllManagers Role","Role for all managers."); 
AppRoleEntry traderManagers = roleMgr.createAppRole(“TraderManagers", 
 "TraderManagers Role", "Role for Trader managers."); 

//add TraderManagers to a principals list 
List<PrincipalEntry> principal = new ArrayList<PrincipalEntry>(); 

//add TraderManagers role as principal of AllManagers role 
roleMgr.grantAppRole(allManagers, principal); 

2.3.2 Creating Role Mapping Policies

A Role Mapping Policy is created at the ApplicationPolicy level - the same level at which the Application Role is defined. A RolePolicyEntry object represents a Role Mapping Policy. It provides the methods to define a policy that will determine if a user or group is granted or denied an Application Role.


The RolePolicyEntry object is represented in the Oracle Entitlements Server Administration Console as a Role Mapping Policy, organized within the Role Catalog.

To create a RolePolicyEntry object, obtain an instance of the RolePolicyManager using the getRolePolicyManager() method in the applicable ApplicationPolicy. Following that, use the createRolePolicy() method to create the object.

Example 2-11 Using the createRolePolicy() Method

//get the RolePolicyManager 
RolePolicyManager roleMapPolicyManager = TellerApp.getRolePolicyManager(); 

List<AppRoleEntry> appRoles = new ArrayList<AppRoleEntry>();
List<PrincipalEntry> principals = new ArrayList<PrincipalEntry>();
principals.add(new BasicPrincipalEntry(WLSUserImpl.class.getCanonicalName(), "john"));
PolicyRuleEntry rule = new BasicRuleEntry("rule", "rule for role policy", "rule for role policy", EffectType.GRANT, null);
List<ResourceEntry> resources = new ArrayList<ResourceEntry>();

//create the RolePolicyEntry 
RolePolicyEntry rolepolicy = roleMapPolicyManager.createRolePolicy
 ("TellerRoleMapping", "Teller Role Mapping", "Teller Role Mapping Policy",
  appRoles, principals, rule, resources, null); 

TellerApp is the name of the ApplicationPolicy object from which the RolePolicyManager is being retrieved. The values of the createRolePolicyEntry() parameters are defined as:

  • Name - TellerRoleMapping is a unique identifier for the RolePolicyEntry.

  • Display Name - Teller Role Mapping is an optional, human-readable name for the RolePolicyEntry.

  • Description - Teller Role Mapping Policy is optional information describing the ResourceTypeEntry.

  • Application Roles List - appRoles is an ordered collection (list) of all application roles to grant (or deny) on evaluation of the RolePolicyEntry.

  • Principals List - principals is a collection (list) of PrincipalEntry objects to map to the Application Roles. This value cannot be an ApplicationRole or an Administration Role, and the list cannot be empty.


    Role Mapping Policies use only the OR semantic. See Section 2.2.7, "Specifying the Principal" for more information.

  • Policy Rule - rule is the PolicyRuleEntry object that defines a Condition for the Role Mapping Policy. A value is required.


    Conditions in Role Mapping Policies provide the same functionality as conditions in Authorization Policies.

  • Resource Names - resources is a list of ResourceEntry objects to associate with the Role Mapping Policy. It is an optional parameter for which you can supply null or an empty list. This parameter also allows scoping the Role Mapping Policy to a particular resource(s).

  • Resource Name Expressions - This value can contain a list of resource name expressions to associate with the Role Mapping Policy. It is an optional parameter for which you can supply null (as in this example) or an empty list. This parameter also allows scoping the Role Mapping Policy to a particular resource(s).

2.3.3 Creating Attribute and Function Definitions

An attribute or function definition is metadata that describes a specific attribute or function. Among other information, it defines the name of the attribute or function, the type of data the attribute takes, or the function returns, as a value and whether said value is single or multiple. The metadata informs Oracle Entitlements Server how to deal with the particular attribute or function that is being defined.Attribute and function definitions can be used in a Condition or an Obligation. In regards to a Condition, attribute and function definitions can be used to make an optional expression that can be added to a policy to further restrict access to the protected resource. In regards to an Obligation, this optional set of name-value pairs returns additional information, with a policy decision, to the Policy Enforcement Point (PEP). There are two ways to define an Obligation:

  • Statically where an attribute with an absolute value is returned.

  • Dynamically where an attribute value, or a custom function, is evaluated at runtime and the output is returned.

Attribute and function definitions are managed at the ApplicationPolicy level. Pre-defined definitions can be used (RuleExpressionEntry.BuiltInAttributes and RuleExpressionEntry.BuiltInFunctions) or you can define new ones to suit your requirements using the ExtensionManager. More information can be found in the following sections. Creating Attribute Definitions

An AttributeEntry object can be a value dynamically defined at runtime (for example, the locality of the user) or a value based on the type of protected resource (for example, creation date of a text file). During policy evaluation, attribute values can be passed in by the application or Oracle Entitlements Server can retrieve it using a custom attribute retriever.


Dynamic attribute definitions are managed as a child object of the ApplicationPolicy so that they may be used in policies within different Policy Domains. See Chapter 5, "Delegating Policy Administration" for information on Policy Domains.

To create an attribute definition, get an instance of the ExtensionManager and use the createAttribute() method. Example 2-12 creates an attribute definition named myAttr.

Example 2-12 Creating a Dynamic Attribute Definition

//get the ExtensionManager 
ExtensionManager xMgr = bankApplication.getExtensionManager(); 

//create the dynamic attribute 
AttributeEntry<OpssString> attr = xMgr.createAttribute
 ("min_age", "minimum age", "minimum age of subject.", OpssString.class,
  AttributeEntry.AttributeCategory.DYNAMIC, true); 

bankApplication refers to the ApplicationPolicy object under which the extension is being created. The values of the createAttribute() parameters are defined as:

  • Name - min_age is a unique identifier for the attribute.

  • Display Name - minimum age is an optional, human-readable name for the attribute.

  • Description - minimum age of subject. is optional information describing the attribute.

  • Data Type - OpssString.class is the attribute's data type; in this case, a string. This parameter takes a value of any of the sub classes of the class.


    attr.setValue(new OpssString("John")) is a line of code that would set the value of the string as John.

  • Category - AttributeEntry.AttributeCategory.DYNAMIC defines the attribute as dynamic. This can be DYNAMIC or RESOURCE. The value of a dynamic attribute is passed with the authorization request or retrieved by the Policy Decision Point. The value of a resource attribute is defined by the resource instance.

  • isSingleValue - true indicates that the attribute takes a single value. A value of false would indicate multiple values. Creating Custom Function Definitions

A Custom Function represents some externally implemented logic that is used to generate an output which is then returned to the PDP; the value is then used in a Condition. Example 2-13 illustrates how to create a custom function by retrieving the ApplicationPolicy under which the function will be created and getting an instance of the ExtensionManager.

Example 2-13 Creating a Custom Function Definition

ApplicationPolicy ap = ps.getApplicationPolicy("MyAppPolicy"); 
ExtensionManager xMgr = ap.getExtensionManager(); 
FunctionEntry func = xMgr.createFunction("myFunc", 
  "Credit Standing Function", "Returns credit standing.",
  "acme.demo.CreditStanding", OpssBoolean.class, params);

MyAppPolicy is the identifier for the ApplicationPolicy object under which the function is being created. The values of the createFunction() method parameters are defined as:

  • Name - myFunc is a unique identifier for the FunctionEntry.

  • Display Name - Credit Standing Function is an optional, human-readable name for the FunctionEntry.

  • Description - Returns credit standing. is optional information describing the FunctionEntry.

  • Class Name - acme.demo.CreditStanding is the fully-qualified name of the class implementing the FunctionEntry.

  • Return Data Type - Any sub class of the class which is a super class comprised of all data types supported by the policy store (OpssBoolean, OpssDate, OpssInteger, OpssString, OpssTime).

  • Input Data Type - params denotes the input data type for the function. It is one of the sub classes of the class which is a super class comprised of all data types supported by the policy store (OpssBoolean, OpssDate, OpssInteger, OpssString, OpssTime).

For more information, see Section 2.3.5, "Defining a Condition" and Section 7.2, "Developing Custom Functions."

2.3.4 Defining Permission Sets

As documented in Section 1.2, "Composing A Simple Policy," a PermissionSetEntry object is used to aggregate one or more ResourceActionsEntry objects. A ResourceActionsEntry object is a pairing of the resource being secured with the action(s) that the policy will allow or deny on it. (See Section 2.2.5, "Associating Actions with the Resource" for more information on ResourceActionsEntry objects.) With the PermissionSetEntry, you can bundle ResourceActionsEntry objects as needed. This is a construct that can be used instead of the standard RBAC role aggregations.


The PermissionSetEntry object is represented in the Oracle Entitlements Server Administration Console as an Entitlement.

Example 2-14 illustrates how to create a PermissionSetEntry object. It includes the code for creating a ResourceEntry and ResourceActionsEntry. domain is the name of the Policy Domain from which the instance of the PermissionSetManager is retrieved.

Example 2-14 Building a PermissionSetEntry

//get the PermissionSetManager 
PermissionSetManager psMgr = domain.getPermissionSetManager();

//create a ResourceEntry and ResourceActionsEntry
ResourceManager resMgr = domain.getResourceManager();
ResourceEntry checkingRes = resMgr.createResource("Bob_checking1", 
 "Bob Checking Account", "Checking account.", type, null);
List<String> actions = new ArrayList<String>(); 
List<ResourceActionsEntry> resActsList = new 
resActsList.add(new BasicResourceActionsEntry(Checking, <actions>));

//create a PermissionSetEntry
PermissionSetEntry permSet = 
 permSetManager.createPermissionSet("RptsPermSet", "Reports Permission Set", 
 "Permission set for Reports policy.", resActsList);

The values of the createPermissionSet() parameters are defined as:

  • Name - RptsPermSet is a unique identifier for the PermissionSetEntry object.

  • Display Name - Reports Permission Set is an optional, human-readable name for the PermissionSetEntry object.

  • Description - Permission set for Report policy. is optional information describing the PermissionSetEntry object.

  • ResourceActionsEntry - resActsList is the ResourceActionsEntry being associated with this PermissionSetEntry object.

2.3.5 Defining a Condition

An optional Condition in a policy rule can be used to set additional requirements on a decision returned in response to a request for access. For example, a Condition can be used to grant access to a resource only on the condition that the request was issued from a specific location or at a specific time. A Condition is written in the form of an expression that resolves to either true or false. If the expression resolves to true, the condition is satisfied and the policy is applicable. If the expression does not resolve to true, the policy is not applicable.


Conditions in Role Mapping Policies provide the same functionality, and take the same format, as Conditions in Authorization Policies.

A Condition is defined in a PolicyRuleEntry as discussed in Section 2.2.6, "Specifying a Policy Rule." It is an expression built using attributes or functions that can (optionally) be added to the policy rule to further restrict it. The expression is evaluated using dynamic or resource attribute values, or values returned from component functions.

A Condition must return true or false so the expression can only return true or false; thus, it must be defined in a BooleanExpressionEntry. The BooleanExpressionEntry may:

  • Have an unlimited number of ExpressionComponent objects.

    An expression object has a function and one or more arguments of the type ExpressionComponent. The ExpressionComponent interface represents any entity that can appear as part of the expression.


    the order in which components are added to an expression must be the same order in which the parameters appear in the input parameter list. For example, if a function needs (OpssString, OpssTime, OpssInteger), the expression must be constructed as:

    ex.addExpressionComponent(<string param>);
    ex.addExpressionComponent(<time param>);
    ex.addExpressionComponent(<integer param>);

    The following objects are of the type ExpressionComponent:

  • Nest ExpressionComponent objects.

  • Use predefined or custom functions with boolean or non-boolean return types.

  • Use predefined or dynamic attributes as function input:

    • A dynamic attribute is one whose value is obtained at evaluation time.

    • A predefined attribute is one whose value is not related to the subject, resource, action of the policy or rule; for example, the time of day.

    • A literal value (defined as an ExpressionComponent) that is of any currently supported data type: Boolean, Date, Integer, String and Time.

  • Compare the boolean values returned from two or more expressions using the AND or OR operators.

Example 2-15 illustrates how to define a Condition using the BooleanExpressionEntry class to specify the expression and (optional) parameters.

Example 2-15 Defining a BooleanExpressionEntry

BooleanExpressionEntry bexp = 
  new BooleanExressionEntry(expression)

The BooleanExpressionEntry parameter has:

  • A FunctionEntry for a built-in function, or a custom function obtained using the ExtensionManager.

  • Zero or more ExpressionComponent objects. An ExpressionComponent is an interface implemented by Class<? extends DataType>, ValueCollection, AttributeEntry and Expression. The following objects can be used to build an Expression: OpssBoolean, OpssDate, OpssInteger, OpssString, OpssTime, ValueCollection, all classes that implement the AttributeEntry interface, or an Expression itself (nesting). It represents a simple condition such as string1 = string2 or a more complex condition such as (((checking_balance + savings_balance) > 10000) AND (customFunc_checkCustomerType(user_name, “GOLD”)).

From a high level, a developer must take the following steps to define a Condition as a BooleanExpressionEntry. This procedure assumes the logic detailing the process has been defined; in this example, assume a banking policy is applicable only to users who are GOLD members with a combined savings and checking balance of $10,000.

  1. Isolate the individual components of the logic for which AttributeEntry objects will be defined; in this example, an attribute that defines a combined savings and checking balance (to compare with $10,000) and one that defines the type of customer (to compare with GOLD).

  2. Identify functions implicit in each component for which FunctionEntry objects will be defined; in this example, there is one function that creates a combined balance (saving_balance + checking_balance > 10000) and one that checks for the customer type (customFunc_checkCustomerType(username, “GOLD”)).

  3. Build ExpressionComponent objects one by one, identifying them as functions and parameters; in this example, expressions are nested and use the AND operator.

    • integer_add(saving_balance, check_balance)

    • integer_greater_than(integer_add
      (saving_balance, check_balance), 10000)

    • customFunc_checkCustomerType(username, “GOLD”)

    • and(integer_greater_than(integer_add
      (saving_balance, check_balance), 10000,
      customFunc_checkCustomerType(username, “GOLD”))

  4. Build the BooleanExpressionEntry using the ExpressionComponent objects. The preferred way to generate a boolean expression is illustrated in Example 2-16.

    Example 2-16 Building a BooleanExpressionEntry

    //Define the checking and savings balances and compute one total
    Expression addBalance = new Expression(function entry for integer_add);
    addBalance.add(attribute entry for savings_balance);
    addBalance.add(attribute entry for checking_balance);
    //Compare the total balance to 10,000
    Expression greaterThan = new Expression
      (function entry for integer_greater_than);
    greaterThan.addExpressionComponent(new OpssInteger(10000));
    //Define the function to check the customer type
    Expression goldMember = new Expression(function entry for customFunc_checkCustomerType);
    goldMember.addExpressionComponent(attribute entry for username);
    goldMember.addExpressionComponent(new OpssString(“GOLD”));
    //Compare the outcome using AND operator
    Expression top = new Expression(function entry for AND);

    The expression constructor is provided with the function entry, and each function argument is added as an expression component from left to right.


    To add all ExpressionComponent objects at once, use the setExpressionComponent(List<ExpressionComponent>) interface. The list of components must be built in order of the arguments passed to the function; for example, the first component in the list is the first argument passed to the function, the second component is the second argument and so on.

  5. Create a BooleanExpressionEntry.

Oracle Entitlements Server supports many predefined functions to be used in conditions (AND/OR, boolean functions, or string functions). The following sections contain information on the kinds of expressions that can be used. Constructing a Boolean Expression

A boolean expression can evaluate an outcome based on the comparison between two boolean results. The outcome of the comparison would be true or false. A boolean expression allows a policy condition to be based on the results of two or more basic expressions of different value types.

The following code contains two basic expressions and a boolean expression. The integer expression (comparing two integers) and the string expression (comparing two stings) are basic expressions. The boolean expression compares the results returned by the basic expressions.

Expression leftExpression = 
  new Expression(function-entry-for-INTEGER_LESS_THAN);
leftExpression.add(attribute entry for userBudget);
leftExpression.add(new OpssInteger(2000));

Expression rightExpression = 
  new Expression(function-entry-for-STRING_EQUAL);
rightExpression.addExpressionComponent(new OpssString("December"));

Expression expression = new Expression(function-entry-for-AND);

//boolean expression 
RuleExpressionEntry<OpssBoolean> condition =  
  new BooleanExpressionEntry<OpssBoolean>(expression);

The values of the parameters are defined as:

  • userBudget - a dynamic attribute that represents a dollar amount

  • 2000 - a constant integer

  • function-entry-for-INTEGER_LESS_THAN - takes a FunctionEntry obtained by using the enum (ExtensionManager.getFunctionEntry(BuiltInFunctions.INTEGER_LESS_THAN)

  • thisMonth - a dynamic attribute representing the current month

  • December - a constant string

  • function-entry-for-STRING_EQUAL - takes a FunctionEntry obtained by using the enum (ExtensionManager.getFunctionEntry(BuiltInFunctions.STRING_EQUAL)

  • leftExpression / rightExpression - dynamic attributes representing the results of the basic expressions.

  • December - a constant string

  • function-entry-for-AND - takes a FunctionEntry obtained by using the enum (ExtensionManager.getFunctionEntry(BuiltInFunctions.AND)


    AND returns true only if the results of the basic expressions were also true. The other supported operations for a boolean expression are NOT (takes a single true/false value and negates it) and OR (takes two true/false values and produces one true result if either operand is true). Constructing a Custom Function Expression

A custom function expression invokes a custom function and returns true or false based on the outcome. The custom function expression can also include one or more parameters. Once the function is called and any parameter(s) are defined, construct a RuleExpressionEntry object to invoke the function using the parameter(s) as input. The following code determines whether the client from which the request is being made would be considered low risk. The function analyzes the client type and returns the string Low Risk if it is.

//get the ClientType custom function 
FunctionEntry function = xMgr.getFunction("ClientType");
Expression ex = new Expression(function);

//add component referencing "LowRisk" string to expression
ex.addExpressionComponent(new OpssString("LowRisk");

//construct BooleanExpressionEntry to invoke function 
RuleExpressionEntry<OpssBoolean> = new BooleanExpressionEntry(ex);

This second example shows how to build a custom function expression that takes parameters of different expression value types.

// define the acceptable expression value types 
List<Class<? extends DataType>> inputParams = 
 new ArrayList<Class <? extends DataType>>(); 

// declare the function 
FunctionEntry func = extensionManager.createFunction(“ReportsPolicyCondition”, 
“ReportsPolicyCondition”, “Condition for Reports policy.”, 
“oracle.demo.oes.ComplexFunction”, OpssBoolean.class, inputParams); 

// use the function to construct a condition 
AttributeEntry<OpssInteger> attrEntry = 

Expression expression = new Expression (func)

expression.addExpressionComponent(new OpssInteger(100));
expression.addExpressionComponent(new OpssTime(17, 0, 0));

RuleExpressionEntry<OpssBoolean> condition = 
  new BooleanExpressionEntry <OpssBoolean>(expression);


Custom function expressions do not use comparison operators.

2.3.6 Adding Obligations

An Obligation specifies optional information that is taken into account during policy enforcement. This information is returned to the entity calling for an authorization decision with the resolved effect (GRANT or DENY) and imposes an additional requirement on the policy outcome; for example, if a certain amount of money is withdrawn from a checking account, send a text message to the account holder's registered mobile phone.

An Obligation is managed as a named object that contains a set of name-value pairs. The object is always managed in the context of a policy. There are two ways to define an Obligation:

  • Statically where an attribute with an absolute value is returned as an Obligation.

  • Dynamically where an attribute value, or a custom function, is evaluated at runtime and the output is returned as the Obligation.

If a policy contains an Obligation, the information is returned to the application as a named ObligationEntry object containing a set of attributes. To specify an Obligation, build an ObligationEntry object that contains the data to return. The following procedure constructs an ObligationEntry that provides the string message Trader managers may run reports.

  1. Define the message string using the AttributeAssignment class and add it to an attribute array list named traderRptList.

    AttributeAssignment<OpssString>traderRpts = new 
     ("traderRptMessage", new OpssString("Trader managers may run reports.")); 
    List<AttributeAssignment<? extends DataType>> traderRptList = 
     new ArrayList<AttributeAssignment<? extends DataType>>(); 

    The values of the parameters are defined as:

    • Name - traderRptMessage is a unique identifier for the string.

    • OpssString - Trader managers may run reports. is the string.

  2. Construct the traderRptObl Obligation and traderRptOblList array using the ObligationEntry interface.

    ObligationEntry traderRptObl = new BasicObligationEntry
     ("traderRptObl", "Trader Report Obligation", 
      "obligation for Trader Report policy.", traderRptList); 
    List<ObligationEntry>traderRptOblList = new ArrayList<ObligationEntry>(); 

    The values of the parameters are defined as:

    • Name - traderRptObl is a unique identifier for the Obligation.

    • Display Name - Trader Report Obligation is an optional, human-readable name for the Obligation.

    • Description - Obligation for Trader Report policy. is an optional description of the Obligation.

    • Assignments - traderRptList is the attribute array list previously created.

  3. Specify the obligation when creating the policy.

    PolicyEntry policyEntry = policyManager.createPolicy
     ("TraderRpt", "TraderRpt", "Trader report policy.", traderRptRule, 
      traderRptPermissionSetEntryList, traderRptPrincipals, traderRptOblList); 

    The values of the parameters are defined as:

    • Name - TraderRpt is a unique identifier for the policy.

    • Display Name - TraderRpt is an optional, human-readable name for the policy.

    • Description - Trader Report policy. is an optional description.

    • Rule - traderRptRule is the name of the PolicyRuleEntry object.

    • PermSets - traderRpt is a list of PermissionSetEntry objects.

    • Principals - traderRptPrincipals is a list of PrincipalEntry objects.

    • Obligations - traderRptRule is a list of ObligationEntry objects.


If an application uses an Obligation, it must be requested in the isAccessAllowed() authorization request.