| Oracle® Fusion Middleware Application Security Guide 11g Release 1 (11.1.1) Part Number E10043-12 |
|
|
PDF · Mobi · ePub |
| Oracle® Fusion Middleware Application Security Guide 11g Release 1 (11.1.1) Part Number E10043-12 |
|
|
PDF · Mobi · ePub |
This appendix describes the elements and attributes in system-jazn-data.xml, which is the default store for file-based identity and policy stores in Oracle Platform Security Services.
Note:
The file-based identity store is supported for Java SE applications only.
This appendix covers the following topics:
This section shows the element hierarchy of system-jazn-data.xml, or an application-specific jazn-data.xml file. The direct subelements of the <jazn-data> root element are:
<jazn-realm>
<policy-store>
<jazn-policy>
Note:
The <jazn-principal-classes> and <jazn-permission-classes> elements and their subelements may appear in the system-jazn-data.xml schema definition as subelements of <policy-store>, but are for backward compatibility only.
Table B-1 Hierarchy of Elements in system-jazn-data.xml
| Hierarchy | Description |
|---|---|
<jazn-data> |
This is the top-level element in the |
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1} |
The |
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} | <app-role> {1 or more} | <name> {1} | <class> {1} | <display-name> {0 or 1} | <description> {0 or 1} | <guid> {0 or 1} | <uniquename> {0 or 1} | <extended-attributes> {0 or 1} | | <attribute> {1 or more} | | <name> {1} | | <values> {1} | | <value> {1 or more} | <members> {0 or 1} | <member> {1 or more} | <name> {1} | <class> {1} | <uniquename> {0 or 1} | <guid> {0 or 1} <role-categories> | <role-category> | <name> | <display-name> | <description> | <members> | <role-name-ref> <resource-types> | <resource-type> | <name> | <display-name> | <description> | <provider-name> | <matcher-class> | <actions-delimiter> | <actions> <resources> | <resource> | <name> | <display-name> | <description> | <type-name-ref> <permission-sets> | <permission-set> | <name> | <member-resources> | <member-resource> | <resource-name> | <type-name-ref> | <actions> <jazn-policy> {0 or 1} | <grant> {0 or more} | <description> {0 or 1} | <grantee> {0 or 1} | | <principals> {0 or 1} | | <principal> {0 or more} | | <name> {1} | | <class> {1} | | <uniquename> {0 or 1} | | <guid> {0 or 1} | | <codesource> {0 or 1} | | <url> {1} | <permissions> {0 or 1} | <permission> {1 or more} | <class> {1} | <name> {0 or 1} | <actions> {0 or 1} |
The When
|
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} | <principals> {0 or 1} | <principal> {0 or more} | <name> {1} | <class> {1} | <uniquename> {0 or 1} | <guid> {0 or 1} | <codesource> {0 or 1} | <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1} <permission-sets> | <permission-set> | <name> |
When the
|
This section describes the elements and attributes in the system-jazn-data.xml file.
Notes:
You can update most settings in system-jazn-data.xml through Oracle Enterprise Manager Fusion Middleware Control.
This element specifies the operations permitted by the associated permission class. Values are case-sensitive and are specific to each permission implementation. Examples of actions are "invoke" and "read,write".
Parent Element
Child Elements
None
Occurrence
Optional, zero or one:
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} ... <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Examples
See <jazn-policy> for examples.
This element specifies the character used to separate the actions of the associated resource type.
Parent Element
Child Elements
<name>, <display-name>, <description>, <actions><roles>, <users>
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <resource-types> <resource-type> <name> <display-name> <description> <provider-name> <matcher-class> <actions-delimiter> <actions>
Example
For an example, see <resource-type>.
This element specifies an application role.
Required subelements specify the following:
<name> specifies the name of the application role.
<class> specifies the fully qualified name of the class implementing the application role.
Optional subelements can specify the following:
<description> provides more information about the application role.
<display-name> specifies a display name for the application role, such as for use by GUI interfaces.
<guid> specifies a globally unique identifier to reference the application role. This is for internal use only.
<members> specifies the users, roles, or other application roles that are members of this application role.
<uniquename> specifies a unique name to reference the application role. This is for internal use only.
Parent Element
Child Elements
<class>, <description>, <display-name>, <guid>, <members>, <name>, <uniquename>
Occurrence
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Examples
See <policy-store> for examples.
This element specifies a set of application roles.
Parent Element
Child Elements
Occurrence
Optional, zero or one:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ...
Example
See <policy-store> for examples.
This element specifies roles and policies for an application.
Required subelements specify the following information for an application:
<name> specifies the name of the application.
Optional subelements can specify the following:
<description> provides information about the application and its roles and policies.
<app-roles> specifies any application-level roles
<jazn-policy> specifies any application-level policies.
Parent Element
Child Elements
<app-roles>, <description>,, <jazn-policy>, <name>, <permission-sets>, <resource-types>, <resources>, <role-categories>
Occurrence
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ...
Example
See <policy-store> for examples.
This element specifies a set of applictions.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} ...
Example
See <policy-store> for an example.
This element specifies an attribute of an application role.
Parent Element
Child Elements
Occurrence
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <guid> {0 or 1}
This element specifies several values depending on its location in the configuration file:
Within the <app-role> element, <class> specifies the fully qualified name of the class implementing the application role.
<app-role> ... <class>oracle.security.jps.service.policystore.ApplicationRole</class>
Within the <member> element, <class> specifies the fully qualified name of the class implementing the role member.
<app-role>
...
<members>
<member>
...
<class>
weblogic.security.principal.WLSUserImpl
</class>
Within the <permission> element (for granting permissions to a principal), <class> specifies the fully qualified name of the class implementing the permission. Values are case-insensitive.
<jazn-policy>
<grant>
...
<permissions>
<permission>
<class>java.io.FilePermission</class>
Within the <principal> element (for granting permissions to a principal), it specifies the fully qualified name of the principal class, which is the class that is instantiated to represent a principal that is being granted a set of permissions.
<jazn-policy>
<grant>
...
<grantee>
<principals>
<principal>
...
<class>oracle.security.jps.service.policystore.TestUser</class>
Parent Element
<app-role>, <member>, <principal>, or <permission>
Child Elements
None
Occurrence
Required, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} ... <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> and <policy-store> for examples.
This element specifies the URL of the code to which permissions are granted.
The policy configuration can also include a <principals> element, in addition to the <codesource> element. Both elements are children of a <grantee> element and they specify who or what the permissions in question are being granted to.
For variables that can be used in the specification of a <codesource> URL, see <url>.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> for examples.
This element specifies the authentication password for a user. The credentials are, by default, in obfuscated form.
Parent Element
Child Elements
None
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1}
Example
See <jazn-realm> for examples.
This element specifies a text string that provides textual information about an item. Depending on the parent element, the item can be an application role, application policy, permission grant, security role, or user.
Parent Element
<app-role>, <application>, <grant>, <role>, or <user>
Child Elements
None
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} ... <description> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} ... <description> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ... <description> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1}
Example
The fmwadmin user might have the following description:
<description>User with administrative privileges</description>
See <jazn-realm> for additional examples.
This element specifies the name of an item typically used by a GUI tool. Depending on the parent element, an item can be an application role, user, or enterprise group.
Parent Element
<app-role>, <role>, or <user>
Child Elements
None
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1}
Example
The fmwadmin user might have the following display name:
<display-name>Administrator</display-name>
See <jazn-realm> for additional examples.
This element specifies attributes of an application role.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Example
<app-roles>
<app-role>
<name>Knight</name>
<display-name>Fellowship For the Ring</display-name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<extended-attributes>
<attribute>
<name>SCOPE</name>
<values>
<value>Part-I</value>
</values>
</attribute>
</extended-attributes>
</app-role>
This element specifies the recipient of the grant - a codesource, or a set of principals, or both- and the permissions assigned to it.
Parent Element
Child Elements
<description>, <grantee>, <permissions>, <permission-sets>
Occurrence
Optional, zero or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> for examples.
This element, in conjunction with a parallel <permissions> element, specifies who or what the permissions are granted to: a set of principals, a codesource, or both.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> for examples.
This element is for internal use only. It specifies a globally unique identifier (GUID) to reference the item.
Depending on the parent element, the item to be referenced may be an application role, application role member, principal, enterprise group, or user. It is typically used with an LDAP provider to uniquely identity the item (a user, for example). A GUID is sometimes generated and used internally by Oracle Platform Security Services, such as in migrating a user or role to a different security provider. It is not an item that you would set yourself.
Parent Element
<app-role>, <member>, <principal>, <role>, or <user>
Child Elements
None
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} ...
Example
See <jazn-realm> for examples.
This element specifies the top-level element in the system-jazn-data.xml file-based policy store.
Attributes
| Name | Description |
|---|---|
|
|
Specifies the major version number of the |
|
|
Specifies the minor version number of the |
Parent Element
n/a
Child Elements
<jazn-policy>, <jazn-realm>, <policy-store>
Occurrence
Required, one only
<jazn-data ... > {1} <jazn-realm> {0 or 1} ...
<policy-store> {0 or 1} ...
<jazn-policy> {0 or 1} ...
Example
<jazn-data
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation=
"http://xmlns.oracle.com/oracleas/schema/jazn-data-11_0.xsd">
...
</jazn-data
This element specifies policy grants that associate grantees (principals or codesources) with permissions.
This element can appear in two different locations in the system-jazn-data.xml file:
Under the <jazn-data> element, it specifies global policies.
Under the <application> element, it specifies application-level policies.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-data> {1} <jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} ... <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
Example B-1 <jazn-policy>
<jazn-policy>
<grant>
<grantee>
<principals>
<principal>
<class>
oracle.security.jps.service.policystore.TestUser
</class>
<name>jack</name>
</principal>
<principal>
<class>
oracle.security.jps.service.policystore.TestUser
</class>
<name>jill</name>
</principal>
</principals>
<codesource>
<url>file:${oracle.deployed.app.dir}/<MyApp>${oracle.deployed.app.ext}</url>
</codesource>
</grantee>
<permissions>
<permission>
<class>oracle.security.jps.JpsPermission</class>
<name>getContext</name>
</permission>
<permission>
<class>java.io.FilePermission</class>
<name>/foo</name>
<actions>read,write</actions>
</permission>
</permissions>
</grant>
</jazn-policy>
Example B-2 <jazn-policy>
<jazn-policy>
<grant>
<grantee>
<principals>
<principal>
<class>
oracle.security.jps.service.policystore.TestAdminRole
</class>
<name>Farm=farm1,name=FullAdministrator</name>
</principal>
</principals>
<codesource>
<url>file://some-file-path</url>
</codesource>
</grantee>
<permissions>
permission>
<class>javax.management.MBeanPermission</class>
<name>
oracle.as.management.topology.mbeans.InstanceOperations#getAttribute
</name>
<actions>invoke</actions>
</permission>
</permissions>
</grant>
</jazn-policy>
This element specifies security realms and the users and enterprise groups (as opposed to application-level roles) they include, and is the top-level element for user and role information
Attribute
| Name | Description |
|---|---|
|
|
Specifies which of the realms defined under this element is the default realm. The value of this attribute must match a Values: string Default: n/a (required) |
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-data> {1} <jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} ...
Example
<jazn-data ... >
...
<jazn-realm default="jazn.com">
<realm>
<name>jazn.com</name>
<users>
<user deactivated="true">
<name>anonymous</name>
<guid>61FD29C0D47E11DABF9BA765378CF9F3</guid>
<description>The default guest/anonymous user</description>
</user>
<user>
<name>developer1</name>
<credentials>!password</credentials>
</user>
<user>
<name>developer2</name>
<credentials>!password</credentials>
</user>
<user>
<name>manager1</name>
<credentials>!password</credentials>
</user>
<user>
<name>manager2</name>
<credentials>!password</credentials>
</user>
<!-- these are for testing the admin role hierachy. -->
<user>
<name>farm-admin</name>
<credentials>!password</credentials>
</user>
<user>
<name>farm-monitor</name>
<credentials>!password</credentials>
</user>
<user>
<name>farm-operator</name>
<credentials>!password</credentials>
</user>
<user>
<name>farm-auditor</name>
<credentials>!password</credentials>
</user>
<user>
<name>farm-auditviewer</name>
<credentials>!password</credentials>
</user>
</users>
<roles>
<role>
<name>users</name>
<guid>31FD29C0D47E11DABF9BA765378CF9F7</guid>
<display-name>users</display-name>
<description>users role for rmi/ejb access</description>
</role>
<role>
<name>ascontrol_appadmin</name>
<guid>51FD29C0D47E11DABF9BA765378CF9F7</guid>
<display-name>ASControl App Admin Role</display-name>
<description>
Application Administrative role for ASControl
</description>
</role>
<role>
<name>ascontrol_monitor</name>
<guid>61FD29C0D47E11DABF9BA765378CF9F7</guid>
<display-name>ASControl Monitor Role</display-name>
<description>Monitor role for ASControl</description>
</role>
<role>
<name>developers</name>
<members>
<member>
<type>user</type>
<name>developer1</name>
</member>
<member>
<type>user</type>
<name>developer2</name>
</member>
</members>
</role>
<role>
<name>managers</name>
<members>
<member>
<type>user</type>
<name>manager1</name>
</member>
<member>
<type>user</type>
<name>manager2</name>
</member>
</members>
</role>
</roles>
</realm>
</jazn-realm>
...
</jazn-data>
This element specifies the fully qualified name of the class within a resource type; queries for resources of this type delegate to this matcher class. Values are case-sensitive.
Parent Element
Child Elements
None
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {1 or more}
Example
For an example, see <resource-type>.
This element specifies the members of a set, such as a <role> or an<app-role> element:
When under a <role> element, it specifies a member of the enterprise group. A member can be a user or another enterprise group. The <name> subelement specifies the name of the member, and the <type> subelement specifies whether the member type (a user or an enterprise group).
When under an <app-role> element, it specifies a member of the application role. A member can be a user, an enterprise group, or an application role. The <name> subelement specifies the name of the member, and the <class> subelement specifies the class that implements it. The member type is determined through the <class> element.
Optional subelements include <uniquename> and <guid>, which specify a unique name and unique global identifier; these optional subelements are for internal use only.
Parent Element
Child Elements
When under a <role> element, the <member> element has the following child elements: <name>, <type>
When under an <app-role> element, the <member> element has the following child elements: <name>, <class>, <uniquename>, <guid>
Occurrence
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Example
See <jazn-realm> and <policy-store> for examples.
This element specifies resources for a permission set.
Parent Element
Child Elements
<resource-name>, <type-name-ref>,<actions>
Occurrence
Required within <member-resources>, one or more.
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <permission-sets> <permission-set> <name> <member-resources> <member-resource> <resource-name> <type-name-ref> <actions>
Example
For an example, see <permission-set>.
This element specifies a set of member resources.
Parent Element
Child Elements
Occurrence
Required within <permission-sets>; one or more.
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <permission-sets> <permission-set> <name> <member-resources> <member-resource> <resource-name> <type-name-ref> <actions>
Example
For an example, see <permission-set>.
This element specifies a set of members.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Example
See <jazn-realm> and <policy-store> for examples.
This element has different uses, depending on its location in the file:
Within the <app-role> element, it specifies the name of an application-level role in the policy configuration. For example:
<name>Farm=farm1,name=FullAdministrator</name>
Or a simpler example:
<name>Myrolename</name>
Within the <application> element, it specifies the policy context identifier. Typically, this is the name of the application during deployment.
Within the <attribute> element, it specifies the name of an additional attribute for the application-level role.
Within the <member> element, it specifies the name of a member of an enterprise group or application role (depending on where the <member> element is located). For example, if the fmwadmin user is to be a member of the role:
<name>fmwadmin</name>
Within the <owner> element, it specifies the name of an owner of an enterprise group. For example:
<name>mygroupowner</name>
Within the <permission> element, as applicable, it can specify the name of a permission that is meaningful to the permission class. Values are case-sensitive. For example:
<name> oracle.as.management.topology.mbeans.InstanceOperations#getAttribute </name>
Or:
<name>getContext</name>
Within the <principal> element (for granting permissions to a principal), it specifies the name of a principal within the given realm. For example:
<name>Administrators</name>
Within the <realm> element, it specifies the name of a realm. For example:
<name>jazn.com</name>
Within the <role> element, it specifies the name of an enterprise group in a realm. For example:
<name>Administrators</name>
Within the <user> element, it specifies the name of a user in a realm. For example:
<name>fmwadmin</name>
Within the <resource-type> element, it specifies the name of a resource type and is required. For example:
<name>restype1</name>
Parent Element
<app-role>, <application>, <attribute>, <member>, <owner>, <permission>, <principal>, <realm>, <role>, or <user>
Child Elements
None
Occurrence
Required within any parent element other than <permission>, one only; optional within <permission>, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
<application>
<name>peanuts</name>
<app-roles>
<app-role>
<name>snoopy</name>
<display-name>application role snoopy</display-name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<members>
<member>
.......
See <jazn-policy>, <jazn-realm>, and <policy-store> for examples.
This element specifies the owner of the enterprise group, where an owner has administrative authority over the role.
An owner is a user or another enterprise group. The <type> subelement specifies the owner's type. The concept of role (group) owners specifically relates to BPEL or Oracle Internet Directory functionality. For example, in BPEL, a role owner has the capability to create and update workflow rules for the role.
Note:
To create a group owner in Oracle Internet Directory, use the Oracle Delegated Administration Services. For external (third-party) LDAP servers, set values for the group's owner attribute through ldapmodify or tools of the particular directory server.
Parent Element
Child Elements
Occurrence
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
This element specifies a set of owners.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
This element specifies the permission to grant to grantees, where a grantee is a set of principals, a codesource, or both, as part of a policy configuration.
Parent Element
Child Elements
Occurrence
Required within parent element, one or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> for examples.
This element specifies a set of permissions.
The <permissions> element (used in conjunction with a parallel <grantee> element) specifies the permissions being granted, through a set of <permission> subelements.
Note:
The system-jazn-data.xml schema definition does not specify this as a required element, but the Oracle Platform Security runtime implementation requires its use within any <grant> element.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> for examples.
A permission set or entitlement specifies a set of permissions.
Parent Element
Child Elements
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <permission-sets> <permission-set> <name> <member-resources> <member-resource> <resource-name> <type-name-ref> <actions>
Example
The following fragment illustrates the configuration of a permission set (or entitlement):
<permission-sets>
<permission-set>
<name>permsetName</name>
<member-resources>
<member-resource>
<type-name-ref>TaskFlowResourceType</type-name-ref> <resource-name>resource1</resource-name>
<actions>customize,view</actions>
</member-resource>
</member-resources>
</permission-set>
</permission-sets>
Note the following points about a permission set:
The actions specified in a <member-resource> must match one or more of the actions specified for the resource type that is referenced through <resource-name-ref>.
A <member-resources> can have multiple <member-resource> elements in it.
A permission set must have at least one resource.
Permission sets can be exist without necessarily being referenced in any grants, that is, without granting them to any principal.
In addition, the following strings in a permission set entry conform to the case sensitivity rules:
The name is case insensitive.
The description string is case insensitive.
The display name is case insensitive.
This element specifies a set of permission sets.
Parent Element
Child Elements
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <permission-sets> <permission-set> <name> <member-resources> <member-resource> <resource-name> <type-name-ref> <actions>
Example
For an example, see <permission-set>.
This element configures application-level policies, through an <applications> subelement. Under the <applications> element is an <application> subelement for each application that is to have application-level policies. The policies are specified through a <jazn-policy> subelement of each <application> element.
Note:
The <jazn-principal-classes> and <jazn-permission-classes> elements and their subelements may appear in the system-jazn-data.xml schema definition as subelements of <policy-store>, but are for backward compatibility only.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-data> {1} <policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} ...
Example
<jazn-data ... >
...
<policy-store>
<!-- application policy -->
<applications>
<application>
<name>policyOnly</name>
<jazn-policy>
...
</jazn-policy>
</application>
<application>
<name>roleOnly</name>
<app-roles>
<app-role>
<name>Fellowship</name>
<display-name>Fellowship of the Ring</display-name>
<class>
oracle.security.jps.service.policystore.ApplicationRole
</class>
</app-role>
<app-role>
<name>King</name>
<display-name>Return of the King</display-name>
<class>
oracle.security.jps.service.policystore.ApplicationRole
</class>
</app-role>
</app-roles>
</application>
<application>
<app-roles>
<app-role>
<name>Farm=farm1,name=FullAdministrator</name>
<display-name>farm1.FullAdministrator</display-name>
<guid>61FD29C0D47E11DABF9BA765378CF9F2</guid>
<class>
oracle.security.jps.service.policystore.ApplicationRole
</class>
<members>
<member>
<class>
oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl
</class>
<name>admin</name>
</member>
</members>
</app-role>
</app-roles>
<jazn-policy>
...
</jazn-policy>
</application>
...
</applications>
</policy-store
....
</jazn-data
See <jazn-policy> for examples of that element.
This element specifies a principal being granted the permissions specified in a <permissions> element as part of a policy configuration. Required under <principals>.
Subelements specify the name of the principal and the class that implements it, and optionally specify a unique name and unique global identifier (the latter two for internal use only).
For details about how principal names can be compared, see Section 2.7, "Principal Name Comparison Logic."
Parent Element
Child Elements
<class>, <guid>, <name>, <uniquename>
Occurrence
Optional, zero or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> for examples.
This element specifies a set of principals.
For policy configuration, a <principals> element and/or a <codesource> element are used under a <grantee> element to specify who or what the permissions in question are being granted to. A <principals> element specifies a set of principals being granted the permissions.
For a subject to be granted these permissions, the subject should include all the specified principals.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
See <jazn-policy> for examples.
This element specifies the name of a resource type provider. The resource resides in a location external to the OPSS policy store. Values are case-insensitive.
Parent Element
Child Elements
None
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <resource-types> <resource-type> <name> <display-name> <description> <provider-name> <matcher-class> <actions-delimiter> <actions>
Example
For an example, see <resource-type>.
This element specifies a security realm, and the users and roles that belong to the realm.
Parent Element
Child Elements
Occurrence
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} ...
Example
See <jazn-realm> for an example.
This element specifies an application resource and contains information about the resource.
Parent Element
Child Elements
<name>, <description>, <display-name>, <type-name-ref>.
Occurrence
Required under <resources>.
<resources> (0 or more) <resource> (1 or more) <name> (1) <display-name> (1) <description> {0 or 1} <type-name-ref> (1)
Example
The following fragment illustrates the configuration of a resource (instance):
<resources>
<resource>
<name>resource1</name>
<display-name>Resource1DisplayName</display-name>
<description>Resource1 Description</description>
<type-name-ref>TaskFlowResourceType</type-name-ref>
</resource>
</resources>
Note the following points about case sensitivity of various strings in a resource entry:
The name is case sensitive.
The description string is case insensitive.
The display name is case insensitive.
This element specifies a collection of application resources.
Parent Element
Child Elements
Occurrence
Optional, zero or more
<resources> (0 or more)
<resource> (1 or more)
<name> (1)
<display-name> (1)
<description> {0 or 1}
<type-name-ref> (1)
Example
For an example, see <resource>.
This element specifies a member resource in a permission set. Values are case-sensitive.
Parent Element
Child Elements
None
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <permission-sets> <permission-set> <name> <member-resources> <member-resource> <resource-name> <type-name-ref> <actions>
Example
For an example, see <permission-set>.
This element specifies the type of a secured artifact, such as a flow, a job, or a web service. Values are case-insensitive.
Parent Element
Child Elements
<name>, <display-name>, <description>, <actions>, <actions-delimiter>, <matcher-class>, <provider-name>.
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <resource-types> <resource-type> <name> <display-name> <description> <provider-name> <matcher-class> <actions-delimiter> <actions>
Example
The following fragment illustrates the configuration of a resource type:
<resource-types>
<resource-type>
<name>TaskFlowResourceType</name>
<display-name>TaskFlowResourceType_disp</display-name>
<description>Resource Type for Task Flow</description>
<provider-name>resTypeProv</provider-name>
<matcher-class>
oracle.adf.controller.security.TaskFlowPermission</matcher-class>
<actions-delimiter>,</actions-delimiter>
<actions>customize,view</actions>
</resource-type>
</resource-types>
The following points apply to the specification of a resource type:
The name is required and case insensitive.
The provider name is optional and case insensitive. A provider is typically used when there are resources managed in an external store, that is, in a store other than the OPSS domain policy store.
When specified, the class in a <provider-name> element is used as a resource finder; queries for resources of this type (via the ResourceManager search APIs) delegate to this matcher class instead of using the built-in resource finder against the OPSS domain policy store.
The matcher class name is required and case sensitive.
The description string is optional and case insensitive.
The display name is optional and case insensitive.
The action string is optional and case sensitive. The list of actions in a resource type can be empty. An empty action list indicates that the actions on instances of the resource type are determined externally and are opaque to OPSS.
This element specifies a set of resource types.
Parent Element
Child Elements
Occurrence
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> ... <resource-types> <resource-type> <name> <display-name> <description> <provider-name> <matcher-class> <actions-delimiter> <actions>
Example
For an example, see <resource-type>.
This element specifies an enterprise security role, as opposed to an application-level role, and the members (and optionally owners) of that role.
Parent Element
Child Elements
<description>, <display-name>, <guid>, <members>, <name>, <owners>
Occurrence
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
Example
See <jazn-realm> for examples.
This element specifies the parent element of <role-category> elements.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> <role-category> <name> <description> <display-name>
Example
See Section 20.3.3.1, "Using the Method checkPermission" for an example.
This element specifies a category, that is, a flat set of application roles.
Parent Element
Child Elements
<name>, <display-name>, <description>, <members>
Occurrence
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> <role-category> <name> <description> <display-name> <members>
Example
See Section 20.3.3.1, "Using the Method checkPermission" for an example.
This element specifies an application role within a role category.
Parent Element
Child Elements
None
Occurrence
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> <role-category> <name> <description> <members> <role-name-ref>
This element specifies a set of enterprise security roles that belong to a security realm.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
Example
See <jazn-realm> for an example.
This element specifies the type of an enterprise group member or role owner: specifically, whether the member or owner is a user or another role:
<type>user</type>
Or:
<type>role</type>
Parent Element
Child Elements
None
Occurrence
Required, one only
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
Example
See <jazn-realm> for examples.
This element specifies the resource type of a resource.
Parent Element
Child Elements
None
Occurrence
Required within <resource> or <member-resource>.
<resources> (0 or more)
<resource> (1 or more)
<name> (1)
<display-name> (1)
<description> {0 or 1}
<type-name-ref> (1)
Example
For an example, see <resource>.
This element, for internal use, takes a string value to specify a unique name to reference the item. (The JpsPrincipal class can use a GUID and unique name, both computed by the underlying policy provisioning APIs, to uniquely identify a principal.) Depending on the parent element, the item could be an application role, application role member (not an enterprise group member), or principal. It is typically used with an LDAP provider to uniquely identity the item (an application role member, for example). A unique name is sometimes generated and used internally by Oracle Platform Security.
The unique name for an application role would be: "appid=application_name, name=actual_rolename". For example:
<principal>
<class>
oracle.security.jps.service.policystore.adminroles.AdminRolePrincipal
</class>
<uniquename>
APPID=App1,name="FARM=D.1.2.3,APPLICATION=PolicyServlet,TYPE=OPERATOR"
</uniquename>
</principal>
Parent Element
<app-role>, <member>, or <principal>
Child Elements
None
Occurrence
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
This element specifies the URL of the code that is granted permissions.
Note the following points:
URL values cannot be restricted to a single class.
URL values with ".jar" suffix match the JAR files in the specified directory.
URL values with "/" suffix match all class files (not JAR files) in the specified directory.
URL values with "/*" suffix match all files (both class and JAR files) in the specified directory.
URL values with "/-" suffix match all files (both class and JAR files) in the specified directory and, recursively, all files in subdirectories.
The system variables oracle.deployed.app.dir and oracle.deployed.app.ext can be used to specify a URL independent of the platform.
Parent Element
Child Elements
None
Occurrence
Required within parent element, one only
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
Example
The following example illustrates the use of the system variables oracle.deployed.app.dir and oracle.deployed.app.ext to specify URLs independent of the server platform.
Suppose an application grant requires a codesource URL that differs with the server platform:
On WebLogic
<grant>
<grantee>
<codesource>
<url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/myApp/-</url>
</codesource>
</grantee>
<permissions> ... </permissions>
</grant>
On WebSphere
<grant>
<grantee>
<codesource>
<url>file:${user.install.root}/installedApps/${was.cell.name}/myApp/-</url>
</codesource>
</grantee>
<permissions> ... </permissions>
</grant>
Then, using the following system variable settings:
On WebLogic
-Doracle.deployed.app.dir=${DOMAIN_HOME}/servers/${SERVER_NAME}/tmp/_WL_user
-Doracle.deployed.app.ext=/-
On WebSphere
-Doracle.deployed.app.dir=${USER_INSTALL_ROOT}/installedApps/${CELL}
-Doracle.deployed.app.ext=.ear/-
the following specification would work for both platforms, WebLogic and WebSphere:
<grant>
<grantee>
<codesource>
<url>file:${oracle.deployed.app.dir}/<MyApp>${oracle.deployed.app.ext}</url>
</codesource>
</grantee>
<permissions> ... </permissions>
</grant>
This element specifies a user within a realm.
Attributes
| Name | Description |
|---|---|
|
|
Specifies whether the user is valid or not. Set this attribute to Values: Default: |
Parent Element
Child Elements
<name>, <display-name>, <description>, <guid>, <credentials>
Occurrence
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} ...
Example
See <jazn-realm> for examples.
This element specifies the set of users belonging to a realm.
Parent Element
Child Elements
Occurrence
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} ...
Example
See <jazn-realm> for an example.
This element specifies a value for an attribute. You can specify additional attributes for application-level roles using the <extended-attributes> element.
Parent Element
Child Elements
None
Occurrence
Required within the parent element, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Example
<app-roles>
<app-role>
<name>Knight</name>
<display-name>Fellowship of the Ring</display-name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<extended-attributes>
<attribute>
<name>SCOPE</name>
<values>
<value>Part-I</value>
</values>
</attribute>
</extended-attributes>
</app-role>
This element specifies a set of values, each of which specify the value of an attribute. An attribute can have more than one value.
Parent Element
Child Elements
Occurrence
Required within the parent element, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
Example
<app-roles>
<app-role>
<name>Knight</name>
<display-name>Fellowship of the Ring</display-name>
<class>oracle.security.jps.service.policystore.ApplicationRole</class>
<extended-attributes>
<attribute>
<name>SCOPE</name>
<values>
<value>Part-I</value>
</values>
</attribute>
</extended-attributes>
</app-role>
|
 Copyright © 2003, 2012, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|