10 Access Policies Help

This chapter documents the Access Policies page in the Mobile Security Access Server console. To open this page from the Mobile Security Launch Pad, select Access Policies in the Mobile Security Access Server section.

This chapter contains the following topics:

  • Access Policies Page

  • Policy Details Page

  • Policy Version History Page

  • Assertion Templates Page

  • Assertion Template Details Page

10.1 Access Policies Page

Use the Access Policies page to:

  • Search for policies.

  • Navigate to a page where you can create a policy.

  • Navigate to a page where you can view an existing policy.

  • Navigate to a page where you can make changes to a policy.

  • Import or export one or more policies.

Click Assertion Templates to display the Assertion Templates page.

The Access Policies page is arranged in the following sections:

Search

Use the Search section of the Access Policies page to perform an advanced search for policies in the repository. The results that are returned are the policies that meet the conditions specified in the Name and Category fields.

Element Description

Name

Enter a policy name or part of a name and select the operator to use to refine the search. Valid options are:
  • Starts with—Returns all policies that start with the value specified.

  • Ends with—Returns all policies that end with the value specified.

  • Equals—Returns all policies that exactly match the value specified.

  • Contains—Returns all policies that contain the value specified.

You can use percent % as a wildcard, any place in the name. Asterisk * is not recognized as a wildcard and is treated as plain text. Searches are case-insensitive.

Category

Select the policy category for which you want to search. Valid values include: All, Management, and Security.
Search

Perform the search using the specified parameters.

Reset

Clear the specified search parameters.

Policies Table

The Policies table displays the policies in the repository that match the criteria specified in the Search fields. The following information is provided for each policy.

Element Description

Name

Unique identifier for the policy. The policy name includes the directory in which the policy is located. By default, all predefined policies are located in the oracle directory, and, therefore, oracle/ is prefixed to the beginning of each policy name.

Category

Category of the policy. A policy may belong to only one category, and may only contain assertions that belong to the selected category.

Status

Field that specifies whether the policy is enabled or disabled.

Description

Brief description of the policy behavior.

Perform the following actions to manage access policies.

Action Description

Actions

Drop-down menu that provides an alternate method to perform the available actions.

View

Use this menu as follows:
  • Use the Columns and Reorder Columns... options to specify the columns that are visible and their order.

  • Use the Detach option to detach the policies table from the console pane and expand to the full width of the console window. Use the Attach option to reattach the window to the console pane. Alternatively, you can use the Detach icon to attach and detach the table. To reattach, you can also click the Close icon.

Create

Create a new policy. Click Create to display the Policy Details page, which you can use to create the new policy.

Note: You can create policies in the Security and Management categories only.

Create Like

Create a new policy that is based on an existing policy. Select a policy from the Policies table and click Create Like to display the Policy Details page.

Note: You can copy and create new policies in the Security and Management categories only.

Open

Use this action to display the Policy Details page where you can review and edit the details of a policy.

Delete

Delete a policy. Select a policy from the Policies table, and click Delete.

Export

Export a zip archive containing one or more policies to your local directory. You can use this feature in combination with Import to move one or more policies between different repositories.

Select one or more policies from the Policies table and click Export to save the zip archive to your file system.

The directory structure for each policy is maintained in the archive file using the following structure:

META-INF/policies/directory/policyname

Import

Import a zip archive containing one or more policies. You can use this feature in combination with Export to move one or more policies between different repositories. Click Import, then click Choose File to locate the zip archive in your local directory that contains the policies to be imported, and click Import.

An Information window is displayed listing the policies that were imported. Click OK to close the window.

The imported policies are added to the list of policies in the Policies table.

Notes:

The policies to be imported must use the following directory structure:

META-INF/policies/directory/policyname

If an error is encountered with one of the policies, the import process stops. For example, if there are five policies to be imported and an error is encountered in the third one, the first two will be imported but the remaining policies will not.

Detach

Click the Detach option to detach the policies table from the console pane and expand to the full width of the console window. Use the Attach option or click the Close icon to reattach the window to the console pane.
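The archive layout and the stop-at-first-error import behaviour described above, as an added Python example (written for this page; it is not the console's own code). It builds an archive in the META-INF/policies/directory/policyname layout, checks every entry before an import so that one malformed entry cannot leave only the preceding policies imported, and models the documented import sequence; policy names and bodies are constructed.

```python
import io
import zipfile
from typing import Dict, List, Optional, Tuple

POLICY_ROOT = "META-INF/policies/"


def build_policy_archive(policies: Dict[str, bytes]) -> bytes:
    """Write policies keyed by full name (directory/policyname) into a zip laid
    out as META-INF/policies/directory/policyname, the structure Export produces
    and Import expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for full_name, body in policies.items():
            zf.writestr(POLICY_ROOT + full_name, body)
    return buf.getvalue()


def check_entry(entry: str) -> Optional[str]:
    """Return why an archive entry cannot be imported, or None when it fits the layout."""
    if not entry.startswith(POLICY_ROOT):
        return f"{entry}: not under {POLICY_ROOT}"
    parts = entry[len(POLICY_ROOT):].split("/")
    if len(parts) < 2 or "" in parts:
        return f"{entry}: expected directory/policyname below {POLICY_ROOT}"
    if "." in parts or ".." in parts:
        return f"{entry}: path component escapes the policies root"
    return None


def _policy_entries(archive: bytes) -> List[str]:
    """File entries in archive order; directory placeholders are skipped."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if not n.endswith("/")]


def preflight(archive: bytes) -> List[str]:
    """Check every entry before importing, so one bad entry cannot leave the
    repository holding only the policies that preceded it."""
    return [msg for msg in map(check_entry, _policy_entries(archive)) if msg]


def simulate_import(archive: bytes) -> Tuple[List[str], Optional[str]]:
    """Model the documented import behaviour: policies are processed in archive
    order and processing stops at the first error, keeping earlier imports."""
    imported: List[str] = []
    for entry in _policy_entries(archive):
        problem = check_entry(entry)
        if problem:
            return imported, problem
        imported.append(entry[len(POLICY_ROOT):])
    return imported, None


def sample_archive() -> bytes:
    """Constructed five-policy archive whose third entry sits outside META-INF/policies/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POLICY_ROOT + "mycompany/policy_one", b"<policy/>")
        zf.writestr(POLICY_ROOT + "mycompany/policy_two", b"<policy/>")
        zf.writestr("policies/mycompany/policy_three", b"<policy/>")  # wrong root
        zf.writestr(POLICY_ROOT + "mycompany/policy_four", b"<policy/>")
        zf.writestr(POLICY_ROOT + "mycompany/policy_five", b"<policy/>")
    return buf.getvalue()
```

Running preflight on the sample archive reports the third entry up front, whereas simulate_import shows the documented outcome: the first two policies imported and the rest skipped.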

"Managing Policies and Assertion Templates" in Administering Oracle Mobile Security Access Server

10.2 Policy Details Page

Use the Policy Details page to:

  • Create a valid new policy, from scratch, with no attributes predefined.

  • Create a new policy using an existing policy as a template that you edit.

  • View and edit an existing policy.

Navigate to this page using Create, Create Like, or Open on the Access Policies page.

The Policy Details Page is arranged in the following tabs:

General

The General tab of the Policy Details page provides general summary information about the policy, such as the policy name, category, description, if the policy is enabled or disabled, optimization settings, and so on.

Element Description

Display name

Name used to identify the policy in the user interface.

If you clicked Create Like to get to this page, then _Copy is appended to the name of the copied policy. This is the default name assigned to the new policy, however you should rename it to make it more meaningful in your environment.

Name

Unique name used as an identifier for the policy. The name includes the full path to the policy. All predefined policies are in the oracle directory. Therefore, the names of all predefined policies begin with oracle/, for example, oracle/wss_username_token_service_policy.

If you clicked Create Like to get to this page, then _Copy is appended to the name of the copied policy. This is the default name assigned to the new policy, however you should rename it to make it more meaningful in your environment.

The valid characters for directory and policy names are:

  • Uppercase and lowercase letters

  • Numerals

  • Currency symbol ($)

  • Underscore (_)

  • Hyphen (-)

  • Spaces

Note: The first character in the name cannot be a hyphen or space. In addition, you cannot prefix the name of a policy with oracle_. If you do so, you will receive exceptions when you try to use the policy.

Encode as much information as possible into the name of the policy so that you can tell, at a glance, what the policy does. For example, the path location, any web services standard (such as wss10 or wss11), type of authentication token if applicable, transport security, message protection, and policy type (service or client).

Note: You cannot edit the name of a policy after the policy is created. To change the policy name you need to make a copy of the policy and assign it a different name.

Category

Category to which the policy belongs. A policy may belong to only one category, and may only contain assertions that belong to the selected category.

Valid values include: Management and Security.

Description

Text that provides a brief explanation of the policy behavior. If you are creating or editing a policy, this field is optional.

Enabled

Flag that specifies whether the policy is enabled or not. By default, the policy is enabled. Specific assertions within a policy can be enabled or disabled on the Assertions tab.
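The Name rules given above (allowed characters, no leading hyphen or space, no oracle_ prefix, and the _Copy default that Create Like assigns) as an added Python check. This is example code written for this page, not part of the console; applying the first-character rule to each path segment is an assumption, since the page states the rule for both directory and policy names.

```python
import re
from typing import Dict, List

# Characters the Policy Details page allows in directory and policy names:
# letters, numerals, the currency symbol ($), underscore, hyphen and space.
_ALLOWED_SEGMENT = re.compile(r"^[A-Za-z0-9$_\- ]+$")


def check_policy_name(name: str) -> Dict[str, List[str]]:
    """Check a full policy name such as 'mycompany/my_service_policy'.

    Returns {"errors": [...], "warnings": [...]}; both lists are empty when
    the name satisfies every rule the page states for the Name field.
    Assumption: the first-character rule is applied to every path segment.
    """
    errors: List[str] = []
    warnings: List[str] = []
    if not name:
        return {"errors": ["name is empty"], "warnings": []}

    segments = name.split("/")
    # The name includes the full path, so a directory and a policy name are required.
    if len(segments) < 2 or "" in segments:
        errors.append("name must have the form directory/policyname with no empty segments")

    for seg in segments:
        if not seg:
            continue
        if not _ALLOWED_SEGMENT.match(seg):
            errors.append(f"segment {seg!r} contains a character outside the allowed set")
        if seg[0] in "- ":
            errors.append(f"segment {seg!r} must not start with a hyphen or space")

    # A policy name prefixed with oracle_ raises exceptions when the policy is used.
    policy = segments[-1]
    if policy.startswith("oracle_"):
        errors.append("policy name must not be prefixed with oracle_")

    # _Copy is only the default name Create Like assigns; rename before saving.
    if policy.endswith("_Copy"):
        warnings.append("name still carries the _Copy suffix that Create Like assigned")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for candidate in ("oracle/wss_username_token_service_policy",
                      "mycompany/oracle_custom_policy",
                      "mycompany/-bad name"):
        print(candidate, check_policy_name(candidate))
```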

Attachment Attributes

The Attachment Attributes section specifies the type of policy subjects to which the policy can be attached and the number of subjects to which the policy is attached, if applicable.

Element Description

Applies To

Type of endpoints to which the policy can be attached. Valid values include: All and Service Bindings. The Service Bindings choice requires further specification with the Service Category field.

Service Category

This option applies only when Applies To is set to Service Bindings. When the policy can be attached to URLs, use the Service Category option to further specify whether the policy can be attached to services (Service Endpoint), clients (Client), or both.

Version Information

The Version Information section provides details of a policy version in read-only mode.

Element Description

Version Number

Version number of the currently active policy.

Last Updated

Timestamp of the last update to the policy.

Updated By

User who last updated the policy.

Versioning History

Click this link to view the version history of a policy in the Policy Version History page. Whenever a change to a policy is saved, a new version of the policy is automatically created and the version number is incremented.

Assertions

The Assertions tab of the Policy Details page provides the ability to add or edit assertions in a policy.

If you accessed this page by selecting Create Like or Open on the Access Policies page, the Assertions table lists the assertions that are contained in the base policy.

If you are creating a new policy, you must add any required assertions.

The Assertions table provides the following information for each assertion.

Element Description

Name

Name of the assertion. The assertion name must be unique within the policy. If you are adding the assertion to the policy using an assertion template, this name is assigned when the assertion is added.

Category

Category of the assertion. You can add only assertions that are in the same category as the category selected in the General tab. For example, if the policy category is set to Security, then only Security assertions can be added to the policy.

The Security category has subcategories: security/authentication, security/msg-protection, security/authorization, and security/logging. A security policy can contain multiple security assertions; however, there can be only one assertion of each authentication, msg-protection, or authorization subcategory in a policy. This restriction can be altered for these subcategories, however, by creating an OR group, which can have multiple security assertions from the same subcategory, but only one of which can be executed.

A security policy can have multiple assertions from the security/logging subcategory.

Type

Type of assertion within a category. For example, wss10-saml-token is a type of authentication within the security/authentication category.

Options

Indicates whether the Enforced and/or Advertised options are set for the assertion. When one of those options is set, as described below, the icon associated with the option appears in this field.

Enforced

Flag that specifies whether the policy assertion is enabled. The default is enabled.

Advertised

Reserved for future use.

Select an assertion in the Assertions table to display information about it. The details are displayed below the table.

Perform the following actions to manage the assertions in the policy.

Action Description

Add

Add assertions or OR Groups to the policy. Select Assertion, OR Group, or Assertion to OR Group from the drop-down menu.

Assertion

Add one or more assertions to the policy. The Add Assertion page is displayed with a list of all the available assertions. Use this page to search for existing assertion templates and use them to add assertions to the policy.

Add Assertion

Provide search parameters in the Name and Category fields and click Search. The results that match the search criteria are displayed in the Search Results table.

In the Search Results table, select the assertion or assertions to be added to the policy and click Add Selected. To add all the listed assertions to the policy, click Add All. The selected assertions are displayed in the Selected Assertion Templates table.

In the Selected Assertion Templates table, review the selections. To remove one or more assertions from this table, click Remove Selected or Remove All. When you have confirmed the assertion selection, click Add Assertion.

OR Group

Add a subset of security policy assertions. An OR group enables you to define multiple security subcategory options, but only one of which can be executed. For example, a subset can contain both a SAML Token and a Username Token security/authentication subcategory assertion, so a web service application can use either one or the other, but not both.

You can only combine assertions that are in the same category as the one set in the General tab. For example, if the policy category is set to Security, then only assertions from the security subcategories can be added to the OR group. In addition, a subcategory that is used within the OR group cannot also be present outside of the OR group.

Note: Only service-side policies can contain OR groups.

Assertion to OR Group

Add one or more assertions to the OR group. The Add Assertion page is displayed with a list of all the available assertions. Use this page to search for existing assertion templates and use them to add assertions to the OR group.

Add Assertion

Provide search parameters in the Name and Category fields and click Search. The results that match the search criteria are displayed in the Search Results table.

In the Search Results table, select the assertion or assertions to be added to the OR group and click Add Selected. To add all the listed assertions to the OR group, click Add All. The selected assertions are displayed in the Selected Assertion Templates table.

In the Selected Assertion Templates table, review the selections. To remove one or more assertions from this table, click Remove Selected or Remove All. When you have confirmed the assertion selection, click Add Assertion.

Delete

Delete an assertion from the policy. Select the assertion to be deleted and click Delete.

Move Up/Down

Reorder the assertions. Assertions are executed in the order in which they appear in the list. Select the assertion in the list and click Move Up or Move Down to reorder the assertion on the list.

Configuration

Use this button to configure the property overrides for the selected assertion.

Click Add to add a new property and complete the Name and Value fields. To delete a configuration property, select the property and click Delete. Click OK when you are done editing the configuration properties.


Details

The Details section provides the ability to view and specify the settings for the selected assertion. The settings displayed in this section vary depending on the assertion selected.

Validate and Save a Policy

After creating a new policy, or cloning or editing an existing policy, perform the following actions to validate, and then save the policy.

Action Description

Validate

If you clicked Open to view or edit an existing policy, click Validate to dynamically check whether the modified policy adheres to the policy subject and policy rules.

If the policy is invalid, it is disabled as a precaution. After you correct the validation issues, enable the policy.

Save

If you clicked Open to view or edit an existing policy, after validating the policy, click Save to save the changes to the policy.

If you clicked Create or Create Like to create a new policy or clone an existing policy, click Save to validate and save the policy and return to the Access Policies page.

If the policy is invalid, it is disabled as a precaution. After you correct the validation issues, enable the policy.

Cancel

Click Cancel to exit the Policy Details page and return to the Access Policies page.
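The policy rules that Validate checks, as stated under Category in the Assertions table and under OR Group (one assertion per authentication, msg-protection or authorization subcategory outside an OR group, unlimited logging assertions, unique assertion names, assertions matching the policy category, OR groups only in service-side policies, and no subcategory both inside and outside an OR group), as an added Python model. This is example code written for this page, not the console's validator; the service_side flag is an assumption standing in for Service Category = Service Endpoint, and every type string other than wss10-saml-token is a constructed placeholder.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Security subcategories named on the page. Only one assertion from each of
# the first three may sit directly in a policy; security/logging is unlimited.
SINGLE_USE_SUBCATEGORIES = {"security/authentication", "security/msg-protection", "security/authorization"}
SECURITY_SUBCATEGORIES = SINGLE_USE_SUBCATEGORIES | {"security/logging"}


@dataclass
class Assertion:
    name: str       # must be unique within the policy
    category: str   # e.g. "security/authentication" or "management"
    type: str       # e.g. "wss10-saml-token"


@dataclass
class OrGroup:
    """Alternatives from which exactly one assertion is executed."""
    name: str
    assertions: List[Assertion] = field(default_factory=list)


@dataclass
class Policy:
    name: str
    category: str       # "Security" or "Management", as set on the General tab
    service_side: bool  # assumption: True when Service Category is Service Endpoint
    items: List[Union[Assertion, OrGroup]] = field(default_factory=list)  # execution order


def validate_policy(policy: Policy) -> List[str]:
    """Return the rule violations the page documents; an empty list means valid."""
    errors: List[str] = []
    top_level = [i for i in policy.items if isinstance(i, Assertion)]
    groups = [i for i in policy.items if isinstance(i, OrGroup)]
    grouped = [a for g in groups for a in g.assertions]

    # Every assertion must belong to the category selected on the General tab.
    for a in top_level + grouped:
        if a.category.split("/")[0].lower() != policy.category.lower():
            errors.append(f"assertion {a.name!r} ({a.category}) does not match "
                          f"policy category {policy.category}")

    # Assertion names are unique within the policy, OR group members included.
    seen = set()
    for a in top_level + grouped:
        if a.name in seen:
            errors.append(f"duplicate assertion name {a.name!r}")
        seen.add(a.name)

    # OR groups: service-side policies only, holding security assertions only.
    if groups and not policy.service_side:
        errors.append("OR groups are allowed only in service-side policies")
    for a in grouped:
        if a.category not in SECURITY_SUBCATEGORIES:
            errors.append(f"OR group member {a.name!r} is not a security assertion")

    # Outside OR groups, at most one assertion per single-use subcategory.
    outside: Dict[str, int] = {}
    for a in top_level:
        outside[a.category] = outside.get(a.category, 0) + 1
    for sub, n in outside.items():
        if sub in SINGLE_USE_SUBCATEGORIES and n > 1:
            errors.append(f"{n} {sub} assertions outside an OR group; only one is allowed")

    # A subcategory used inside an OR group cannot also appear outside it.
    for g in groups:
        for sub in sorted({a.category for a in g.assertions}):
            if sub in outside:
                errors.append(f"{sub} appears both inside OR group {g.name!r} and outside it")
    return errors


def sample_service_policy() -> Policy:
    """Constructed policy mirroring the page's example: authenticate with either a
    SAML token or a Username token, then protect messages and log."""
    return Policy(
        name="mycompany/either_token_service_policy",
        category="Security",
        service_side=True,
        items=[
            OrGroup("token-choice", [
                Assertion("saml-auth", "security/authentication", "wss10-saml-token"),
                Assertion("username-auth", "security/authentication", "username-token"),
            ]),
            Assertion("msg-protection", "security/msg-protection", "message-protection"),
            Assertion("audit-log", "security/logging", "logging"),
            Assertion("debug-log", "security/logging", "logging"),
        ],
    )
```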

"Managing Policies" in Administering Oracle Mobile Security Access Server

10.3 Policy Version History Page

Use the Policy Version History page to:

  • Review all versions of a policy.

  • View the details of any policy version.

  • Activate any version of a policy.

  • Delete any version of a policy.

  • Export a version of a policy.

Notes:

You cannot edit a policy from the Policy Version History page. You must edit and save the policy in the Policy Details page.

The Policy Version history page provides details about each of the policy versions.

Element Description

Name

Name of the policy to which the policy versions apply. The policy name includes the directory in which the policy is located. By default, all predefined policies are located in the oracle directory, and, therefore, oracle/ is prefixed to the beginning of each policy name.

Display Name

Name used to reference the policy in the console.

Perform the following actions to manage policy versions.

Action Description

View

Use the Columns and Reorder Columns... options to specify the columns that are visible and their order.

Make Current

Activate a previous version of a policy. Select a version in the policy version table and click Make Current. The policy version that is activated is moved to the top of the list and becomes the current active policy. The current version number is incremented by 1. The earlier version of the policy is retained.

Delete

Delete a policy version. Select the policy version from the policy version table, and click Delete.

You can delete all versions except the active policy version. To delete all versions of the policy, including the active version, you must delete the policy from the Access Policies page.

Export

Export a zip archive containing the version of the policy to your local directory. Select the policy version from the policy version table, and click Export to save the zip archive to your file system.

Policy details, in read-only format, are provided for the selected version. The policy details section of the page is arranged in the following tabs:

General

The General tab provides general summary information about the policy, such as the policy name and display name, category, description, if the policy is enabled or disabled, optimization settings, and so on.

Element Description

Display name

Name used to identify the policy in the console.

Name

Unique name used as an identifier for the policy. The name includes the full path to the policy. All predefined policies are in the oracle directory. Therefore, the names of all predefined policies begin with oracle/, for example, oracle/wss_username_token_service_policy.

Category

Category to which the policy belongs. A policy may belong to only one category, and may only contain assertions that belong to the selected category.

Valid values include Management and Security.

Description

Text that provides a brief explanation of the policy behavior.

Enabled

Flag that specifies whether the policy is enabled or not. By default, the policy is enabled.

Attachment Attributes

The Attachment Attributes section specifies the type of policy subjects to which the policy can be attached and the number of subjects to which the policy is attached, if applicable.

Element Description

Applies To

Type of policy subjects to which the policy can be attached. Valid values include: All and Service Bindings. The Service Bindings choice requires further specification with the Service Category field.

Service Category

This option applies only when Applies To is set to Service Bindings. When the policy can be attached to URLs, the Service Category option is used to further specify whether the policy can be attached to services (Service Endpoint), clients (Client), or both.

Version Information

The Version Information section provides details of a policy version in read-only mode.

Element Description

Version Number

Version number of the currently active policy.

Last Updated

Timestamp of the last update to the policy.

Updated By

User who last updated the policy.

Assertions

The Assertions tab provides the ability to view the assertions in the policy.

The Assertions table provides the following information for each assertion.

Element Description

Name

Name of the assertion. The assertion name must be unique within the policy.

Category

Category of the assertion. A policy can only contain assertions that are in the same category as the category specified in the General tab. For example, if the policy category is set to Security, then only Security assertions can be contained in the policy.

The Security category has subcategories: security/authentication, security/msg-protection, security/authorization, and security/logging. A security policy can contain multiple security assertions; however, there can be only one assertion of each authentication, msg-protection, or authorization subcategory in a policy. This restriction can be altered for these subcategories, however, by creating an OR group, which can have multiple security assertions from the same subcategory, but only one of which can be executed.

A security policy can have multiple assertions from the security/logging subcategory.

Type

Type of assertion within a category. For example, an assertion may belong to the security/authentication category, and have a type wss10-saml-token.

Options

Indicates whether the Enforced and/or Advertised options are set for the assertion. When one of those options is set, as described below, the icon associated with the option appears in this field.

Enforced

Flag that specifies whether the policy assertion is enabled. The default is enabled.

Advertised

Reserved for future use.

Details

The Details section provides the ability to view the settings for the selected assertion. Assertion template details vary based on the type of assertion. For example, templates that include message protection will include settings that are specific to message security. Details for the individual assertion templates are described in Policy and Assertion Template Reference for Mobile Security Access Server.

"Versioning Policies" in Administering Oracle Mobile Security Access Server

10.4 Assertion Templates Page

Use the Assertion Templates page to:

  • Search for assertion templates.

  • Clone an assertion template.

  • View and edit an existing assertion template.

  • Import or export one or more assertion templates.

The Assertion Templates page is arranged in the following sections:

Search

Use the Search section of the Assertion Templates page to perform an advanced search for assertion templates in the repository. The results that are returned are the assertion templates that meet the conditions specified in the Name and Category fields.

Element Description

Assertion Name

Enter an assertion template name or part of a name and select the operator to use to refine the search. Valid options are:
  • Starts with—Returns all assertion templates that start with the value specified.

  • Ends with—Returns all assertion templates that end with the value specified.

  • Equals—Returns all assertion templates that exactly match the value specified.

  • Contains—Returns all assertion templates that contain the value specified.

You can use percent % as a wildcard, any place in the name. Asterisk * is not recognized as a wildcard and is treated as plain text. Searches are case-insensitive.

Category

Select the assertion template category for which you want to search.

Search

Perform the search using the specified parameters.

Reset

Clear the specified search parameters.

Assertion Templates Table

The Assertion Templates table displays the assertion templates in the repository that match the criteria specified in the Search fields. The following information is provided for each assertion template.

Element Description

Name

Unique name used as an identifier for the assertion template. The assertion template name includes the directory in which the assertion template is located. By default, all predefined assertion templates are located in the oracle directory, and, therefore, oracle/ is prefixed to the beginning of each assertion template name. Assertion templates are identified by the suffix _template at the end, for example, oracle/wss10_message_protection_service_template.

Category

Category of the assertion template. An assertion template may belong to only one category, and may only contain assertions that belong to the selected category.

Description

Brief description of the assertion template behavior.

Perform the following actions to manage assertion templates.

Action Description

Actions

Drop-down menu that provides an alternate method to perform the available actions.

View

Use this menu as follows:
  • Use the Columns and Reorder Columns... options to specify the columns that are visible and their order.

  • Use the Detach option to detach the Assertion Templates table from the console pane and expand to the full width of the console window. Use the Attach option to reattach the window to the console pane. Alternatively, you can use the Detach icon to attach and detach the table. To reattach, you can also click the Close icon.

Create Like

Create a new assertion template that is based on an existing assertion template. Select an assertion template from the Assertion Templates table and click Create Like to display the Assertion Template Details page.

Open

Use this action to display the Assertion Template Details page where you can review and edit the details of an assertion template.

Note: Oracle recommends that you do not edit the predefined assertion templates so that you will always have a known set of valid templates.

Delete

Delete an assertion template.

Export

Export a zip archive containing one or more assertion templates to your local directory. You can use this feature in combination with Import to move one or more assertion templates between different repositories.

Select one or more assertion templates from the Assertion Templates table and click Export to save the zip archive to your file system.

The directory structure for each assertion template is maintained in the archive file using the following structure:

META-INF/assertiontemplates/directory/assertiontemplatename

where directory/assertiontemplatename are the values you provided when you created the assertion template.

Import

Import a zip archive containing one or more assertion templates. You can use this feature in combination with Export to move one or more assertion templates between different repositories. Click Import, then click Browse to locate the zip archive in your local directory that contains the assertion templates to be imported, and click Import.

An Information window is displayed listing the assertion templates that were imported. Click OK to close the window.

The imported assertion templates are added to the list of templates in the Assertion Templates table.

Notes:

The assertion templates to be imported must use the following directory structure:

META-INF/assertiontemplates/directory/assertiontemplatename

If an error is encountered with one of the assertion templates, the import process stops. For example, if there are five assertion templates to be imported and an error is encountered in the third one, the first two will be imported but the remaining assertion templates will not.

Detach

Click the Detach option to detach the assertion templates table from the console pane and expand to the full width of the console window. Use the Attach option or click the Close icon to reattach the window to the console pane.

"Managing Policy Assertion Templates" in Administering Oracle Mobile Security Access Server

10.5 Assertion Template Details Page

Use the Assertion Template Details page to:

  • Create a new assertion template using an existing assertion template as a template that you edit.

  • View or edit an existing assertion template.

  • Validate an assertion template.

The assertion template details page provides a detailed description of the selected assertion. The assertion template name is displayed at the top of the page.

If you accessed this page using the Create Like button, then _Copy is appended to the name of the cloned assertion template.

Element Description

Name

Unique name used as an identifier for the assertion template. The assertion template name includes the directory in which the assertion template is located. By default, all predefined assertion templates are in the oracle directory, and, therefore, oracle/ is prefixed to the beginning of the assertion template name. The assertion templates are identified by the suffix _template at the end, for example, oracle/wss10_message_protection_service_template.

Follow the recommended naming conventions, and keep any assertion templates that you create in a directory that is separate from the oracle directory where the predefined assertion templates are located. You can organize your assertion templates at the root level, in a directory other than oracle, or in subdirectories.

Display Name

Name used to reference an assertion template in the console.

Description

Brief description of the assertion template behavior.

Category

Category of the assertion template. An assertion template may belong to only one category, and may only contain assertions that belong to the selected category.

Type

Type of assertion within a category. For example, an assertion may belong to the security/authentication category, and have a type wss10-saml-token.

Configuration

Click to display the configuration properties for the assertion template. If you are cloning or editing an assertion template, you can specify values for the configuration properties in the Configuration pop-up window.

Settings

Configuration settings that define the behavior of the assertion. The settings vary based on the type of assertion. For example, templates that include message protection will include settings that are specific to message security. Details for the individual assertion templates are described in Policy and Assertion Template Reference for Mobile Security Access Server.

Validate and Save an Assertion Template

After cloning or editing an assertion template, perform the following actions to validate and save the assertion template.

Action Description

Validate

If you clicked Open to view or edit an assertion template, click Validate to dynamically check whether the modified assertion template adheres to the validation rules.

Note: When you validate an assertion template you ensure that the assertion contained in the template has the correct syntax and contains all the information that is required for it to function properly during runtime.

If the assertion template is invalid, it is disabled as a precaution. After you correct the validation issues, enable the template.

Save

If you clicked Open to view or edit an existing assertion template, after validating the template, click Save to save the changes.

If you clicked Create or Create Like to create a new assertion template or clone an existing template, click Save to validate and save the assertion template and return to the Assertion Templates page.

If the assertion template is invalid, it is disabled as a precaution. After you correct the validation issues, enable the template.

Cancel

Click Cancel to exit the Assertion Template Details page and return to the Assertion Templates page.

"Managing Policy Assertion Templates" in Administering Oracle Mobile Security Access Server