Before you begin
Web applications (URLs) and EJBs that are using the DDOnly security model will ignore root level policies. Modules deployed with this model use only policies from the deployment descriptors. See Manage security for Web applications and EJBs.
A root level policy applies to all instances of a specific resource type. For more information, see Types of WebLogic Resources.
Note: WebLogic Server provides a set of root level policies that you can use. See Default Root Level Security Policies.
The policy of a narrower scope overrides policy of a broader scope. For example, if you create a security policy for an EAR and a policy for an EJB that is in the EAR, the EJB will be protected by its own policy and will ignore the policy for the EAR.
To create a root level policy:
The Roles and Policies: Policies page organizes all of the domain's resources and corresponding policies in a tree control.
The Root Level Policies node lists all resource types. For a description of the types of resources that root level policies secure, see Configuration Options.
Oracle recommends that you use the Role condition where possible. Basing conditions on security roles enables you to create one security policy that takes into account multiple users or groups, and is a more efficient method of management.
For more information, see Security Policy Conditions.
The policy appears on the Roles and Policies: Policies page in the Policies table.