Oracle Entitlements Server enables querying for policies and policy objects from within the Oracle Entitlements Server Administration Console. This chapter explains the types of search functionality and for what purposes they can be used. It contains the following topics.
Oracle Entitlements Server enables different kinds of search queries using the Administration Console.
A simple search matches names and display names only. The search is generated from the top of the Navigation Panel and results are displayed in the Navigation Panel. For more information, see Section 5.2, "Finding Objects with a Simple Search."
An advanced search uses operators that enable more sophisticated matching. The advanced search screen is launched by double-clicking an object in the Navigation Panel, or from the Home area. The search box opens in the Home area and results are also displayed there. For more information, see Section 5.3, "Finding Objects with an Advanced Search."
A blind search searches objects without specifying search criteria. This can be done as a simple search or an advanced search. A blind search displays no more than 300 objects in the system, because Oracle Entitlements Server does not display more than 300 rows in the search results.
A pop-up search opens from within the Authorization Policy or Role Mapping Policy screens, when the policy is being created or modified, by clicking the green Add button (plus sign). The pop-up search box uses a shopping cart paradigm. You add choices selected from the multiple, displayed tabs on the top of the search box to the Selected box on the bottom of the search box. All choices in the Selected box are added when you click Add.
Figure 5-1 is a screen shot of the pop-up search box for adding a Principal. You can click between the three tabs (Application Roles, External Roles, and Users), selecting one or more policy subjects and adding them to the Selected Principals box. When you click Add Principals, all choices added from all tabs will then be added to the policy.
A simple query matches names and display names only. The fields in the top portion of the Authorization Management tab in the Navigation Panel, as shown in Figure 5-2, are used to specify simple queries.
Figure 5-2 Simple Search Fields and Results Tab in Navigation Panel
To specify a simple search, proceed as follows:
Select the policy object for which you are searching from the For list.
The following object types are available:
Application Roles
External Roles
Users
Resources
Resource Types
Entitlements
Attributes
Select the search scope from the In list.
The search scope defines the level at which the search will take place. When searching for Application Roles, Resources, Resource Types, Entitlements and Attributes, the search scope is an Application. For External Roles and Users, the search scope can be Global (the default option) or the name of an Application bound to a particular Identity Directory Service profile.
Note:
In the latter case, the search will be in the identity data store that corresponds to the Identity Directory Service profile to which the Application is bound. See Section 10.3, "Configuring Identity Directory Service Profiles" for more information.
For Entitlements and Resources, the search scope is the Policy Domain within an Application. If performing a Resource search, you also select the Resource Type from the Type list.
Optionally, enter a string to match in the text box.
Wildcard characters percent (%) and asterisk (*) are supported for a simple search.
Click the arrow icon next to the text box to begin the search.
Names and display names matching the specified criteria are returned and displayed in the Search Results tab. If no search string was entered, a list of all objects of the specified type is returned.
Double-click the object to edit, right click the object and select New to create, or click the object's information icon for details.
For more information on managing policy objects, see Chapter 4, "Managing Policies and Policy Objects."
An advanced search is generally initiated by double-clicking the object name in the Navigation Panel, or from the Search link for the object in the Home area. An advanced search can use the following operators:
Starts with
Ends with
Contains
Equal to
There is no support for wildcard characters in an advanced search. In particular, the asterisk (*) or percent (%) characters are treated as plain text in any advanced search parameter. The following sections have information on searching for policy objects with an advanced search.
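The following Python model is an added example, not Oracle Entitlements Server code. It contrasts the documented simple-search wildcards with the advanced-search operators and applies the 300-row display limit. The role data is constructed, and the details the page does not state (what a wildcard matches, whole-value matching, exact-case comparison) are assumptions marked in the comments.

```python
import re

ROW_LIMIT = 300  # the page: search results never display more than 300 rows

def simple_match(pattern, value):
    # Simple search: '%' and '*' are wildcards. Assumed here: each matches any
    # run of characters, the pattern must cover the whole value, and comparison
    # is exact-case (the page does not state these details).
    regex = ".*".join(re.escape(part) for part in re.split(r"[%*]", pattern))
    return re.fullmatch(regex, value) is not None

# Advanced search: the four operators on the page; '%' and '*' are plain text.
ADVANCED = {
    "Starts with": lambda value, text: value.startswith(text),
    "Ends with": lambda value, text: value.endswith(text),
    "Contains": lambda value, text: text in value,
    "Equal to": lambda value, text: value == text,
}

def _cap(hits):
    # Returns (rows displayed, whether rows were cut off by the limit).
    return hits[:ROW_LIMIT], len(hits) > ROW_LIMIT

def simple_search(objects, pattern=""):
    # Matches name and display name only; no pattern means a blind search.
    return _cap([o for o in objects if not pattern
                 or simple_match(pattern, o["name"])
                 or simple_match(pattern, o["display_name"])])

def advanced_search(objects, field, operator, text):
    return _cap([o for o in objects if ADVANCED[operator](o[field], text)])

def sample_roles():
    # Constructed data: 350 ordinary roles plus two administrative ones.
    roles = [{"name": f"Role_{i:03d}", "display_name": f"Role {i}"}
             for i in range(350)]
    roles.append({"name": "AdminPayroll", "display_name": "Payroll 100% Approver"})
    roles.append({"name": "AdminHR", "display_name": "HR Administrator"})
    return roles

if __name__ == "__main__":
    roles = sample_roles()
    for label, (rows, truncated) in [
        ("simple 'Admin*'", simple_search(roles, "Admin*")),
        ("advanced Starts with 'Admin*'",
         advanced_search(roles, "name", "Starts with", "Admin*")),
        ("advanced Starts with 'Admin'",
         advanced_search(roles, "name", "Starts with", "Admin")),
        ("blind search", simple_search(roles)),
    ]:
        print(f"{label}: {len(rows)} rows, truncated={truncated}")
```

In this model the same string `Admin*` finds both administrative roles in a simple search and none in an advanced search, and the blind search hides 52 of the 352 roles, so neither an empty advanced result nor a full 300-row list is a complete inventory for a policy review.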
To search External Roles, proceed as follows:
Select from the following methods to display the Search External Roles page:
In the Navigation Panel, expand Global and double-click External Roles.
Alternately, right-click External Roles and select Open.
In the Home area, click Search - External Roles from the Search and Create section.
Enter the following query parameters:
Name: Select an operator from the list and enter a string to match.
Display Name: Select an operator from the list and enter a string to match.
Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.
Optionally, click Save... to name the current query parameters.
The named search is added to the Saved Search list.
Click Search.
The results are displayed in Search Results.
To search applications, proceed as follows:
Select from the following methods to display the Search Applications page:
In the Navigation Panel, double-click Applications to display the Search Applications page.
Alternately, right-click Applications and select Open.
In the Home area, click Search - Applications from the Search and Create section.
Enter the following query parameters:
Name: Select an operator from the list and enter a string to match.
Display Name: Select an operator from the list and enter a string to match.
Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.
Optionally, click Save... to save the current query parameters as a Saved Search.
The search is added to the Saved Search list.
Click Search.
The results are displayed in Search Results.
To search Resource Types, proceed as follows:
Select from the following methods to display the Search Resource Types page as in Figure 5-3.
In the Navigation Panel, expand the Application node and double-click Resource Types.
Alternately, right-click Resource Types and select Open.
In the Home area, select the appropriate Application Name and click Search under Resource Types.
Enter the following query parameters:
Display Name: Select an operator from the list and enter a string to match.
Name: Select an operator from the list and enter a string to match.
Actions: Select an operator from the list and enter a string to match.
Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.
Optionally, click Save... to save the current query parameters as a Saved Search.
The search is added to the Saved Search list.
Click Search.
All results matching the query specifications are displayed in the Search Results table as illustrated in Figure 5-4.
To search Application Roles, proceed as follows:
Select from the following methods to display the Search Role Catalog page.
In the Navigation Panel, expand Applications and the named Application node applicable to the search, and double-click Role Catalog.
Alternately, right-click Role Catalog and select Open.
In the Home area, select the Application Name and click Search from Application Roles.
The Search Role Catalog tab is displayed as in Figure 5-5.
Figure 5-5 Searching for Application Roles in a Role Catalog
Enter the following query parameters:
Role Name: Select an operator from the list and enter a string to match.
Display Name: Select an operator from the list and enter a string to match.
Category: Select a Role Category from the list. (Oracle Entitlements Server only supports an equals search for Role Category.)
Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.
Optionally, click Save... to save the current query parameters as a Saved Search.
The search is added to the Saved Search list.
Click Search.
All results matching the query specifications are displayed in the Search Results table as in Figure 5-6.
Figure 5-6 Application Role Search Results
Select from the following methods to display the Search Role Mapping Policies page:
In the Navigation Panel, expand Applications and the named Application node applicable to the search, and double-click Role Mapping Policies.
Alternately, right-click Role Mapping Policies and select Open.
In the Home area, select the Application Name and click Search from Role Mapping Policies.
The Search Role Policies page is displayed as in Figure 5-7.
Figure 5-7 Searching for Role Mapping Policies
In the Search section, enter the query parameters as follows:
Effect: Select the policy effect (Grant/Deny) from the list.
Display Name: Select an operator from the list and enter a string to match.
Name: Select an operator from the list and enter a string to match.
Role: Select an operator from the list and enter a string to match.
Principal: Select an operator from the list and enter a string to match.
Target: Select an operator from the list and enter a string to match.
Click Search.
All results matching the query specifications are displayed in the Search Results table as in Figure 5-8.
Figure 5-8 Role Mapping Policy Search Results
A Resource can be hierarchical (a scenario in which the sub resource inherits attributes from the parent resource) or non-hierarchical. If a Resource is hierarchical, its tiered organization is shown in the search results. To search Resources, proceed as follows:
Select from the following methods to display the Search Resources page:
In the Navigation Panel, expand Applications and the named Application node applicable to the search. Expand the appropriate Policy Domain and Resource Catalog and double-click Resources.
Alternately, right-click Resources and select Open.
In the Home area, select the Application Name and click Search from Resources.
The Search Resources page is displayed as in Figure 5-9.
Enter the following query parameters:
Resource Type: Select a resource type from the list. This parameter is required.
Display Name: Select an operator from the list and enter a string to match.
Name: Select an operator from the list and enter a string to match.
Click Search.
All results matching the query specifications are displayed in the Search Results table.
To search Entitlements, proceed as follows:
Select from the following methods to display the Search Entitlements page:
In the Navigation Panel, expand Applications and the named Application node applicable to the search. Expand the appropriate Policy Domain and Resource Catalog and double-click Entitlements.
Alternately, right-click Entitlements and select Open.
In the Home area, select the Application Name and click Search from Entitlements. (In this case, the search is done only within the Default Policy Domain.)
The Search Entitlements tab is displayed in the Home area as in Figure 5-10.
Enter the following query parameters:
Entitlement Name: Select an operator from the list and enter a string to match.
Display Name: Select an operator from the list and enter a string to match.
Resource name: Select an operator from the list and enter a string to match.
Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.
Optionally, click Save... to save the current query parameters as a Saved Search.
The search is added to the Saved Search list.
Click Search.
All results matching the query specifications are displayed in the Search Results table.
Authorization Policies can be searched by specifying a policy name, a principal, or a target. To search Authorization Policies, proceed as follows:
Select from the following methods to display the Search Policies page:
In the Navigation Panel, expand Applications and the named Application node applicable to the search. Expand the appropriate Policy Domain and Resource Catalog and double-click Authorization Policies.
Alternately, right-click Authorization Policies and select Open.
In the Home area, select the Application Name, and click Search under Authorization Policies. (In this case, the search is done within the Default Policy Domain.)
The Search Policies tab is displayed.
Select the search type from the Find By list.
The query parameters change according to the selection. Options include Policy, Principal or Target.
Search using the option based on your previous selection.
To Find By: Policy, enter the following query parameters.
Effect: Select the policy effect (Grant/Deny) from the list.
Display Name: Select an operator from the list and enter a string to match.
Name: Select an operator from the list and enter a string to match.
Principal: Select an operator from the list and enter a string to match.
Target: Select an operator from the list and enter a string to match.
To Find By: Principal or Find By: Target, select an operator from the list, and enter a string to match.
A Resource Type must be provided if the Resource or Resource Type operator is selected.
Click Search.
The Administration Console can display Authorization Policies created using Oracle Entitlements Server as well as the simpler Application Grants (system policies) created using Oracle Platform Security Services (OPSS). The OPSS Application Grants can be displayed for viewing, modification and deletion only. When created using OPSS, Application Grants are not given a policy name or description; they are defined with a principal and target only. Figure 5-11 is a screenshot of the Oracle Entitlements Server screen when an OPSS Application Grant is displayed.
Note that the Name, Display Name and Description fields are not displayed as they would be if the Authorization Policy had been created using Oracle Entitlements Server. OPSS Application Grants can only be removed or modified with Oracle Entitlements Server; they cannot be created using Oracle Entitlements Server. For more information on Application Grants, see the Oracle Fusion Middleware Application Security Guide.
To search Attributes, proceed as follows:
In the Navigation Panel, expand Applications and the named Application node applicable to the search.
Expand Extensions and double-click Attributes to display the Search Attributes page.
Alternately, right-click Attributes and select Open.
Enter the following query parameters.
Display Name: Select an operator from the list and enter a string to match.
Name: Select an operator from the list and enter a string to match.
Type: Select an operator from the list and enter a string to match.
Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.
Optionally, click Save... to save the current query parameters as a Saved Search.
The search is added to the Saved Search list.
Click Search.
To search application functions, proceed as follows:
In the Navigation Panel, expand Applications and the named Application node applicable to the search.
Expand Extensions and double-click Functions to display the Search Functions page.
Alternately, right-click Functions and select Open.
Enter the following query parameters.
Name: Select an operator from the list and enter a string to match.
Display Name: Select an operator from the list and enter a string to match.
Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.
Optionally, click Save... to save the current query parameters as a Saved Search.
The search is added to the Saved Search list.
Click Search.
To search for Users, proceed as follows:
Select from the following methods to display the Search External Roles page:
In the Navigation Panel, expand Global and double-click Users. (Alternately, right-click Users and select Open.)
In the Home area, click Search - Users from the Search and Create section.
Enter the following query parameters:
User Name: Select an operator from the list and enter a string to match.
Display Name: Select an operator from the list and enter a string to match.
Optionally, select from the Saved Search drop-down list of previously saved searches. Its query parameters automatically populate the search fields. Select Personalize... to set options for previously saved searches.
Optionally, click Save... to save the current query parameters as a Saved Search.
The search is added to the Saved Search list.
Click Search.
The results are displayed in Search Results.
This section provides information regarding the case sensitivity of names that define policy objects. The objects below are case sensitive. Those not listed are case insensitive.
Principal (defined for an Administration Role or an Application Role)
Grant Action
Permission Class Name
Resource Name
Resource Type
Resource Action
Resource Name Expression
Resource Type Resource Matcher
Policy Action
Policy Grantee
See Chapter 2, "Understanding the Policy Model" for information on the policy objects.