5 Querying Security Objects

Oracle Entitlements Server enables querying for policies and policy objects from within the Oracle Entitlements Server Administration Console. This chapter explains the types of search available and the purposes for which each can be used.

5.1 Searching with the Administration Console

Oracle Entitlements Server enables different kinds of search queries using the Administration Console.

  • A simple search matches names and display names only. The search is generated from the top of the Navigation Panel and results are displayed in the Navigation Panel. For more information, see Section 5.2, "Finding Objects with a Simple Search."

  • An advanced search uses operators that enable more sophisticated matching. The advanced search screen is launched by double-clicking an object in the Navigation Panel, or from the Home area. The search box opens in the Home area and results are also displayed there. For more information, see Section 5.3, "Finding Objects with an Advanced Search."

  • A blind search searches objects without specifying search criteria. This can be done as a simple search or an advanced search. Oracle Entitlements Server will not display more than 300 rows in the search results, so a blind search displays no more than 300 objects in the system.

  • A pop-up search opens from within the Authorization Policy or Role Mapping Policy screens, when the policy is being created or modified, by clicking the green Add button (plus sign). The pop-up search box uses a shopping cart paradigm. You add choices selected from the multiple, displayed tabs on the top of the search box to the Selected box on the bottom of the search box. All choices in the Selected box are added when you click Add.

    Figure 5-1 is a screen shot of the pop-up search box for adding a Principal. You can click between the three tabs (Application Roles, External Roles, and Users), selecting one or more policy subjects and adding them to the Selected Principals box. When you click Add Principals, all choices added from all tabs will then be added to the policy.

    Figure 5-1 Pop-up Search Box


5.2 Finding Objects with a Simple Search

A simple query matches names and display names only. The fields in the top portion of the Authorization Management tab in the Navigation Panel, as shown in Figure 5-2, are used to specify simple queries.

Figure 5-2 Simple Search Fields and Results Tab in Navigation Panel


To specify a simple search, proceed as follows:

  1. Select the policy object for which you are searching from the For list.

    The following object types are available:

    • Application Roles

    • External Roles

    • Users

    • Resources

    • Resource Types

    • Entitlements

    • Attributes

  2. Select the search scope from the In list.

    The search scope defines the level at which the search will take place. When searching for Application Roles, Resources, Resource Types, Entitlements and Attributes, the search scope is an Application. For External Roles and Users, the search scope can be Global (the default option) or the name of an Application bound to a particular Identity Directory Service profile.

    Note:

    In the latter case, the search will be in the identity data store that corresponds to the Identity Directory Service profile to which the Application is bound. See Section 10.3, "Configuring Identity Directory Service Profiles" for more information.

    For Entitlements and Resources, the search scope is the Policy Domain within an Application. If performing a Resource search, you also select the Resource Type from the Type list.

  3. Optionally, enter a string to match in the text box.

    Wildcard characters percent (%) and asterisk (*) are supported for a simple search.

  4. Click the arrow icon next to the text box to begin the search.

    Names and display names matching the specified criteria are returned and displayed in the Search Results tab. If no search string was entered, a list of all objects of the specified type is returned.

  5. Double-click the object to edit, right-click the object and select New to create, or click the object's information icon for details.

    For more information on managing policy objects, see Chapter 4, "Managing Policies and Policy Objects."

5.3 Finding Objects with an Advanced Search

An advanced search is generally initiated by double-clicking the object name in the Navigation Panel, or from the Search link for the object in the Home area. An advanced search can use the following operators:

  • Starts with

  • Ends with

  • Contains

  • Equal to

There is no support for wildcard characters in an advanced search. In particular, the asterisk (*) or percent (%) characters are treated as plain text in any advanced search parameter. The following sections have information on searching for policy objects with an advanced search.
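The wildcard difference matters when reviewing who holds a role or grant: a pattern carried over from a simple search matches only literal text in an advanced search. The Python model below is an added example, not Oracle code; it applies the two matching rules and the 300-row display limit from Section 5.1 to constructed role data. The field names, function names, `truncated` flag, exact-case comparison and whole-value wildcard matching are assumptions.

```python
import re

MAX_ROWS = 300  # display limit stated in Section 5.1

OPERATORS = {  # the four advanced-search operators from Section 5.3
    "Starts with": lambda value, text: value.startswith(text),
    "Ends with": lambda value, text: value.endswith(text),
    "Contains": lambda value, text: text in value,
    "Equal to": lambda value, text: value == text,
}


def _cap(rows):
    """Return (displayed_rows, truncated) under the 300-row display limit."""
    return rows[:MAX_ROWS], len(rows) > MAX_ROWS


def simple_search(objects, pattern=""):
    """Simple search: matches name and display name; % and * are wildcards.

    Assumptions: a wildcard matches any run of characters, the rest of the
    pattern must match the whole value, and comparison is exact-case.
    An empty pattern is a blind search and returns every object.
    """
    if not pattern:
        return _cap(list(objects))
    parts = re.split(r"[%*]", pattern)
    regex = re.compile(".*".join(re.escape(p) for p in parts), re.DOTALL)
    hits = [o for o in objects
            if regex.fullmatch(o["name"]) or regex.fullmatch(o["display_name"])]
    return _cap(hits)


def advanced_search(objects, field, operator, text):
    """Advanced search: one operator per field; % and * are plain text."""
    test = OPERATORS[operator]
    return _cap([o for o in objects if test(o[field], text)])


# Constructed sample data: 450 application roles, five of them finance roles,
# plus one role whose name really contains an asterisk.
ROLES = [{"name": f"Role{i:03d}", "display_name": f"Role {i}"} for i in range(444)]
ROLES += [{"name": f"Fin{s}", "display_name": f"Finance {s}"}
          for s in ("Admin", "Audit", "Clerk", "Payroll", "Viewer")]
ROLES += [{"name": "Fin*Legacy", "display_name": "Finance legacy"}]

if __name__ == "__main__":
    rows, _ = simple_search(ROLES, "Fin*")
    print("simple   'Fin*'             ->", [r["name"] for r in rows])
    rows, _ = advanced_search(ROLES, "name", "Starts with", "Fin*")
    print("advanced Starts with 'Fin*' ->", [r["name"] for r in rows])
    rows, _ = advanced_search(ROLES, "name", "Starts with", "Fin")
    print("advanced Starts with 'Fin'  ->", [r["name"] for r in rows])
    rows, truncated = simple_search(ROLES)
    print("blind search shows", len(rows), "of", len(ROLES), "truncated:", truncated)
```

In this model the advanced query `Starts with "Fin*"` returns only the one role whose name literally contains the asterisk, while the blind search shows 300 of the 450 roles, so a review that relies on either result is incomplete.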

5.3.1 Searching External Roles

To search External Roles, proceed as follows:

  1. Select from the following methods to display the Search External Roles page:

    • In the Navigation Panel, expand Global and double-click External Roles.

      Alternately, right-click External Roles and select Open.

    • In the Home area, click Search - External Roles from the Search and Create section.

  2. Enter the following query parameters:

    • Name: Select an operator from the list and enter a string to match.

    • Display Name: Select an operator from the list and enter a string to match.

    Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.

  3. Optionally, click Save... to name the current query parameters.

    The named search is added to the Saved Search list.

  4. Click Search.

    The results are displayed in Search Results.

5.3.2 Searching Applications

To search applications, proceed as follows:

  1. Select from the following methods to display the Search Applications page:

    • In the Navigation Panel, double-click Applications to display the Search Applications page.

      Alternately, right-click Applications and select Open.

    • In the Home area, click Search - Applications from the Search and Create section.

  2. Enter the following query parameters:

    • Name: Select an operator from the list and enter a string to match.

    • Display Name: Select an operator from the list and enter a string to match.

    Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.

  3. Optionally, click Save... to save the current query parameters as a Saved Search.

    The search is added to the Saved Search list.

  4. Click Search.

    The results are displayed in Search Results.

5.3.3 Searching Resource Types

To search Resource Types, proceed as follows:

  1. Select from the following methods to display the Search Resource Types page as in Figure 5-3.

    • In the Navigation Panel, expand the Application node and double-click Resource Types.

      Alternately, right-click Resource Types and select Open.

    • In the Home area, select the appropriate Application Name and click Search under Resource Types.

      Figure 5-3 Searching for Resource Types


  2. Enter the following query parameters:

    • Display Name: Select an operator from the list and enter a string to match.

    • Name: Select an operator from the list and enter a string to match.

    • Actions: Select an operator from the list and enter a string to match.

    Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.

  3. Optionally, click Save... to save the current query parameters as a Saved Search.

    The search is added to the Saved Search list.

  4. Click Search.

    All results matching the query specifications are displayed in the Search Results table as illustrated in Figure 5-4.

    Figure 5-4 Resource Type Search Results


5.3.4 Searching Application Roles

To search Application Roles, proceed as follows:

  1. Select from the following methods to display the Search Role Catalog page.

    • In the Navigation Panel, expand Applications and the named Application node applicable to the search, and double-click Role Catalog.

      Alternately, right-click Role Catalog and select Open.

    • In the Home area, select the Application Name and click Search from Application Roles.

    The Search Role Catalog tab is displayed as in Figure 5-5.

    Figure 5-5 Searching for Application Roles in a Role Catalog


  2. Enter the following query parameters:

    • Role Name: Select an operator from the list and enter a string to match.

    • Display Name: Select an operator from the list and enter a string to match.

    • Category: Select a Role Category from the list. (Oracle Entitlements Server only supports an equals search for Role Category.)

    Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.

  3. Optionally, click Save... to save the current query parameters as a Saved Search.

    The search is added to the Saved Search list.

  4. Click Search.

    All results matching the query specifications are displayed in the Search Results table as in Figure 5-6.

    Figure 5-6 Application Role Search Results


5.3.5 Searching Role Mapping Policies

  1. Select from the following methods to display the Search Role Mapping Policies page:

    • In the Navigation Panel, expand Applications and the named Application node applicable to the search, and double-click Role Mapping Policies.

      Alternately, right-click Role Mapping Policies and select Open.

    • In the Home area, select the Application Name and click Search from Role Mapping Policies.

    The Search Role Policies page is displayed as in Figure 5-7.

    Figure 5-7 Searching for Role Mapping Policies


  2. In the Search section, enter the query parameters as follows:

    • Effect: Select the policy effect (Grant/Deny) from the list.

    • Display Name: Select an operator from the list and enter a string to match.

    • Name: Select an operator from the list and enter a string to match.

    • Role: Select an operator from the list and enter a string to match.

    • Principal: Select an operator from the list and enter a string to match.

    • Target: Select an operator from the list and enter a string to match.

  3. Click Search.

    All results matching the query specifications are displayed in the Search Results table as in Figure 5-8.

    Figure 5-8 Role Mapping Policy Search Results


5.3.6 Searching Resources

A Resource can be hierarchical (a scenario in which the sub-resource inherits attributes from the parent resource) or non-hierarchical. If a Resource is hierarchical, its tiered organization is shown in the Search results. To search Resources, proceed as follows:

  1. Select from the following methods to display the Search Resources page:

    • In the Navigation Panel, expand Applications and the named Application node applicable to the search. Expand the appropriate Policy Domain and Resource Catalog and double-click Resources.

      Alternately, right-click Resources and select Open.

    • In the Home area, select the Application Name and click Search from Resources.

    The Search Resources page is displayed as in Figure 5-9.

    Figure 5-9 Searching for Resources


  2. Enter the following query parameters:

    • Resource Type: Select a resource type from the list. This parameter is required.

    • Display Name: Select an operator from the list and enter a string to match.

    • Name: Select an operator from the list and enter a string to match.

  3. Click Search.

    All results matching the query specifications are displayed in the Search Results table.

5.3.7 Searching Entitlements

To search Entitlements, proceed as follows:

  1. Select from the following methods to display the Search Entitlements page:

    • In the Navigation Panel, expand Applications and the named Application node applicable to the search. Expand the appropriate Policy Domain and Resource Catalog and double-click Entitlements.

      Alternately, right-click Entitlements and select Open.

    • In the Home area, select the Application Name and click Search from Entitlements. (In this case, the search is done only within the Default Policy Domain.)

    The Search Entitlements tab is displayed in the Home area as in Figure 5-10.

    Figure 5-10 Searching for Entitlements


  2. Enter the following query parameters:

    • Entitlement Name: Select an operator from the list and enter a string to match.

    • Display Name: Select an operator from the list and enter a string to match.

    • Resource name: Select an operator from the list and enter a string to match.

    Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.

  3. Optionally, click Save... to save the current query parameters as a Saved Search.

    The search is added to the Saved Search list.

  4. Click Search.

    All results matching the query specifications are displayed in the Search Results table.

5.3.8 Searching Authorization Policies

Authorization Policies can be searched by specifying a policy name, a principal, or a target. To search Authorization Policies, proceed as follows:

  1. Select from the following methods to display the Search Policies page:

    • In the Navigation Panel, expand Applications and the named Application node applicable to the search. Expand the appropriate Policy Domain and Resource Catalog and double-click Authorization Policies.

      Alternately, right-click Authorization Policies and select Open.

    • In the Home area, select the Application Name, and click Search under Authorization Policies. (In this case, the search is done within the Default Policy Domain.)

    The Search Policies tab is displayed in Figure 5-11.

    Figure 5-11 Searching Policies


  2. Select the search type from the Find By list.

    The query parameters change according to the selection. Options include Policy, Principal or Target. Figure 5-11 is a screenshot in which Policy is selected. Figure 5-12 is a screenshot in which Target is selected.

    Figure 5-12 Searching Policies by Target

  3. Search using the option based on your previous selection.

    • To Find By: Policy, enter the following query parameters.

      • Effect: Select the policy effect (Grant/Deny) from the list.

      • Display Name: Select an operator from the list and enter a string to match.

      • Name: Select an operator from the list and enter a string to match.

      • Principal: Select an operator from the list and enter a string to match.

      • Target: Select an operator from the list and enter a string to match.

    • To Find By: Principal or Find By: Target, select an operator from the list, and enter a string to match.

      A Resource Type must be provided if the Resource or Resource Type operator is selected.

  4. Click Search.

    The Administration Console can display Authorization Policies created using Oracle Entitlements Server as well as the simpler Application Grants (system policies) created using Oracle Platform Security Services (OPSS). The OPSS Application Grants can be displayed for viewing, modification and deletion only. When created using OPSS, Application Grants are not given a policy name or description; they are defined with a principal and target only. Figure 5-13 is a screenshot of the Oracle Entitlements Server screen when an OPSS Application Grant is displayed.

    Figure 5-13 OPSS Application Grants Display Screen


    Note that the Name, Display Name and Description fields are not displayed as they would be if the Authorization Policy was created using Oracle Entitlements Server. OPSS Application Grants can only be removed or modified with Oracle Entitlements Server; they cannot be created using Oracle Entitlements Server. For more information on Application Grants, see the Oracle Fusion Middleware Application Security Guide.

5.3.9 Searching Attributes

To search Attributes, proceed as follows:

  1. In the Navigation Panel, expand Applications and the named Application node applicable to the search.

  2. Expand Extensions and double-click Attributes to display the Search Attributes page.

    Alternately, right-click Attributes and select Open.

  3. Enter the following query parameters.

    • Display Name: Select an operator from the list and enter a string to match.

    • Name: Select an operator from the list and enter a string to match.

    • Type: Select an operator from the list and enter a string to match.

    Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.

  4. Optionally, click Save... to save the current query parameters as a Saved Search.

    The search is added to the Saved Search list.

  5. Click Search.

5.3.10 Searching Functions

To search application functions, proceed as follows:

  1. In the Navigation Panel, expand Applications and the named Application node applicable to the search.

  2. Expand Extensions and double-click Functions to display the Search Functions page.

    Alternately, right-click Functions and select Open.

  3. Enter the following query parameters.

    • Name: Select an operator from the list and enter a string to match.

    • Display Name: Select an operator from the list and enter a string to match.

    Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.

  4. Optionally, click Save... to save the current query parameters as a Saved Search.

    The search is added to the Saved Search list.

  5. Click Search.

5.3.11 Searching for Users

To search for Users, proceed as follows:

  1. Select from the following methods to display the Search External Roles page:

    • In the Navigation Panel, expand Global and double-click Users. (Alternately, right-click Users and select Open.)

    • In the Home area, click Search - Users from the Search and Create section.

  2. Enter the following query parameters:

    • User Name: Select an operator from the list and enter a string to match.

    • Display Name: Select an operator from the list and enter a string to match.

    Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.

  3. Optionally, click Save... to save the current query parameters as a Saved Search.

    The search is added to the Saved Search list.

  4. Click Search.

    The results are displayed in Search Results.

5.4 Understanding Case Sensitivity in Object Names

This section provides information regarding the case sensitivity of names that define policy objects. The objects below are case sensitive. Those not listed are case insensitive.

  • Principal (defined for an Administration Role or an Application Role)

  • Grant Action

  • Permission Class Name

  • Resource Name

  • Resource Type

  • Resource Action

  • Resource Name Expression

  • Resource Type Resource Matcher

  • Policy Action

  • Policy Grantee

See Chapter 2, "Understanding the Policy Model" for information on the policy objects.