Configuring Simple Data Security for Job Requests

Oracle Simple Data Security enforces security authorizations for access and modification of specific data records. Oracle Simple Data Security integrates with Oracle Platform Security Services (OPSS) by granting actions to OPSS principals.

The grant defines who (the principals) can do what (the actions) on a given resource. A grant in Oracle Simple Data Security can use any enterprise user or enterprise group as principals.

In the context of Oracle Enterprise Scheduler, a job request access control data security policy comprises a grant, a grantee and a set of oracle.as.scheduler.security.RuntimeDataPermission privileges for a set of job requests as follows:

  • A grantee, represented by a grantee ID, such as a user or application role. The ID should match the user GUID or application role GUID retrieved from Oracle Fusion Middleware.

You can manage the job request access control data security policy using Oracle Enterprise Manager Fusion Middleware Control.

The following behaviors are in place by default:

  • A user by default can see only the requests they submitted.

  • If a user can see a request, then they can see the request logs.

  • If a user can see a request, and if the request does not run with elevated privileges, then the user can see the request output.

  • If a user can see a request, and if the request runs as an elevated user, then the user cannot see the request output.

  • A request run-as user (elevated user, if specified) is able to see the request, request log, and request output.

  • An Administrators group user (for example, "weblogic") is able to see all the requests and request logs.

  • An Administrators group user is not able to see request output unless the requests were submitted by and run as that user.
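
For an access review, the default rules above can be written as a decision function and compared against what users can actually see. This is an added example, not Oracle code: the class, function and field names are hypothetical, the sample requests and observations are constructed, and it assumes the administrator rule takes precedence when an administrator is also the run-as user.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    request_id: int
    submitter: str
    run_as: Optional[str] = None  # elevated user, if one was specified

def default_visibility(user, req, admins=frozenset()):
    """Expected visibility of request, log and output with no extra grants."""
    runs_as = req.run_as or req.submitter
    is_admin = user in admins
    # Submitter, run-as user and administrators can see the request itself.
    sees_request = is_admin or user in (req.submitter, runs_as)
    if is_admin:
        # Assumption: the administrator rule wins over the run-as rule.
        sees_output = user == req.submitter == runs_as
    else:
        # Output follows the identity the request actually ran as.
        sees_output = user == runs_as
    # Anyone who can see the request can also see its log.
    return {"request": sees_request, "log": sees_request, "output": sees_output}

def deviations(observed, requests, admins):
    """Return (user, request_id, item) where observed access exceeds the defaults."""
    by_id = {r.request_id: r for r in requests}
    found = []
    for user, rid, item, allowed in observed:
        if allowed and not default_visibility(user, by_id[rid], admins)[item]:
            found.append((user, rid, item))
    return found

# Constructed sample data: three requests and five access observations.
ADMINS = frozenset({"weblogic"})
REQUESTS = [
    Request(101, "alice"),
    Request(102, "alice", run_as="svc_batch"),
    Request(103, "weblogic"),
]
OBSERVED = [
    ("alice", 101, "output", True),
    ("alice", 102, "output", True),      # submitter reading elevated output
    ("weblogic", 101, "output", False),
    ("bob", 101, "request", True),       # unrelated user seeing the request
    ("svc_batch", 102, "output", True),
]

if __name__ == "__main__":
    for finding in deviations(OBSERVED, REQUESTS, ADMINS):
        print("access beyond defaults:", finding)
```

Each reported deviation should trace back to an explicit grant of one of the actions in Table 4-7, such as ESS_REQUEST_READ or ESS_REQUEST_OUTPUT_READ; one that does not is worth investigating.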

Oracle Simple Data Security Actions

You can use Enterprise Manager to create functional and data security policies for Oracle Enterprise Scheduler. There, you can associate actions with roles to create a policy.

Table 4-7 lists available Simple Data Security actions.


Table 4-7 Grant Actions for Data Security

Action                       Effect
---------------------------  -----------------------------------------------------
ESS_REQUEST_READ             Read the request, get request state, and get details.
ESS_REQUEST_UPDATE           Update the request.
ESS_REQUEST_HOLD             Hold request execution.
ESS_REQUEST_CANCEL           Cancel a request execution.
ESS_REQUEST_LOCK             Lock a request.
ESS_REQUEST_RELEASE          Release the lock on a request.
ESS_REQUEST_DELETE           Delete a request.
ESS_REQUEST_PURGE            Purge a request.
ESS_REQUEST_OUTPUT_CREATE    Create the output of a request.
ESS_REQUEST_OUTPUT_READ      View the output of a request.
ESS_REQUEST_OUTPUT_DELETE    Delete the output of a request.
ESS_REQUEST_OUTPUT_UPDATE    Update the output of a request.


How to Create Data Security Policies for Oracle Enterprise Scheduler Components

You can use Enterprise Manager to create functional and data security policies for Oracle Enterprise Scheduler.

  1. From the navigation pane, expand the WebLogic Domain folder and select the domain for which you're creating policies.
  2. From the WebLogic Domain menu, select Security and then select Application Policies.

    The Application Policies page displays.

  3. In the Search section, from the Application Stripe dropdown, select the application stripe with which you want to work.
  4. Click Create to begin granting permissions to certain users, groups, or application roles.

    The Create Application Grant page appears.

  5. In the Create Application Grant page, in the Grantee section, click Add.
  6. In the Add Principal window, from the Type dropdown, select a type of principal, then enter a principal name or display name and click the search button to find the principal you want to add.
  7. Under Search Principals, click the principal you want, then click OK.
  8. In the Permissions section, click Add.
  9. In the Search section, click Permissions or Resource Types depending on which you wish to search.
  10. If you searched permissions, select oracle.as.scheduler.security.RuntimeDataPermission from the Permission Class dropdown. If you searched resource types, select ESSRequestSimpleResourceType from the Resource Type dropdown.
  11. Click the Search button.
  12. Under Search Results, select a resource, then click Continue.
  13. In the Add Permission dialog, select the permission actions you want to grant.
  14. Click Select.