This appendix describes the hierarchy of elements and attributes in the system-jazn-data.xml
and jazn-data.xml
files that specify file identity stores. File identity stores are supported in Java SE applications only.
This appendix includes the following topics:
This section describes the element hierarchy of the system-jazn-data.xml
and jazn-data.xml
files. The <jazn-data>
element is the root element. The elements directly under this root element are:
<jazn-realm>
<policy-store>
<jazn-policy>
The <jazn-principal-classes>
and <jazn-permission-classes>
elements and their subelements may appear in the system-jazn-data.xml
file as subelements of the <policy-store>
element, but they are for backward compatibility only.
Table B-1 Hierarchy of Elements in system-jazn-data.xml and janz-data.xml
Element | Description |
---|---|
<jazn-data> |
The top-level element in the |
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1} |
Specifies security realms, and the users and enterprise groups included in each realm. |
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} | <app-role> {1 or more} | <name> {1} | <class> {1} | <display-name> {0 or 1} | <description> {0 or 1} | <guid> {0 or 1} | <uniquename> {0 or 1} | <extended-attributes> {0 or 1} | | <attribute> {1 or more} | | <name> {1} | | <values> {1} | | <value> {1 or more} | <members> {0 or 1} | <member> {1 or more} | <name> {1} | <class> {1} | <uniquename> {0 or 1} | <guid> {0 or 1} <role-categories> {0 or 1} | <role-category> {1 or more} | <name> {1} | <display-name> {0 or 1} | <description> {0 or 1} | <members> {0 or 1} | <role-name-ref> {1} <resource-types> {0 or 1} | <resource-type> {1 or more} | <name> {1} | <display-name> {1} | <description> {0 or 1} | <provider-name> {1} | <matcher-class> {1} | <actions-delimiter> {1} | <actions> {0 or more} <resources> {0 or 1} | <resource> {1 or more} | <name> {1} | <display-name> {1} | <description> {0 or 1} | <type-name-ref> {1} <permission-sets> {0 or 1} | <permission-set> {1 or more} | <name> {1} | <member-resources> {1 or more} | <member-resource> {1 or more} | <resource-name> {1} | <type-name-ref> {1} | <actions> {0 or 1} <jazn-policy> {0 or 1} | <grant> {0 or more} | <description> {0 or 1} | <grantee> {0 or 1} | | <principals> {0 or 1} | | <principal> {0 or more} | | <name> {1} | | <class> {1} | | <uniquename> {0 or 1} | | <guid> {0 or 1} | | <codesource> {0 or 1} | | <url> {1} | <permissions> {0 or 1} | <permission> {1 or more} | <class> {1} | <name> {0 or 1} | <actions> {0 or 1} |
Configures application-level policies. Define roles at the application level, and then define members in the roles. Members of a role are users and other roles. When
|
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} | <principals> {0 or 1} | <principal> {0 or more} | <name> {1} | <class> {1} | <uniquename> {0 or 1} | <guid> {0 or 1} | <codesource> {0 or 1} | <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1} <permission-sets> | <permission-set> | <name> |
When the
|
The following sections describe the elements and attributes used in the system-jazn-data.xml
and jazn-data.xml
files:
This element specifies the operations permitted by the associated permission class. Values are case-sensitive and are specific to each permission implementation.
Optional, zero or one:
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} ... <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element specifies the character used to separate the actions of the associated resource type.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {0 or more}
For an example, see <resource-type>.
This element specifies an application role.
Required subelements specify the following:
<name>
specifies the name of the application role.
<class>
specifies the fully qualified name of the class implementing the application role.
Optional subelements can specify the following:
<description>
provides more information about the application role.
<display-name>
specifies a display name for the application role, such as for use by GUI interfaces.
<guid>
specifies a globally unique identifier to reference the application role. This is for internal use only.
<members>
specifies the users, roles, or other application roles that are members of this application role.
<uniquename>
specifies a unique name to reference the application role. This is for internal use only.
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
See <policy-store>
for examples.
This element specifies a set of application roles.
Optional, zero or one:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ...
See <policy-store>
for examples.
This element specifies roles and policies for an application.
Required subelements specify the following information for an application:
<name>
specifies the name of the application.
Optional subelements can specify the following:
<description>
provides information about the application and its roles and policies.
<app-roles>
specifies any application-level roles
<jazn-policy>
specifies any application-level policies.
<app-roles>
, <description>
,, <jazn-policy>
, <name>
, <permission-sets>
, <resource-types>
, <resources>
, <role-categories>
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ...
See <policy-store>
for examples.
This element specifies a set of applications.
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} ...
See <policy-store>
for an example.
This element specifies an attribute of an application role.
Required, one or more:
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <guid> {0 or 1}
This element specifies several values depending on its location in the configuration file:
Within the <app-role>
element, <class>
specifies the fully qualified name of the class implementing the application role.
<app-role> ... <class>oracle.security.jps.service.policystore.ApplicationRole</class>
Within the <member>
element, <class>
specifies the fully qualified name of the class implementing the role member.
<app-role> ... <members> <member> ... <class> weblogic.security.principal.WLSUserImpl </class>
Within the <permission>
element (for granting permissions to a principal), <class>
specifies the fully qualified name of the class implementing the permission. Values are case-insensitive.
<jazn-policy> <grant> ... <permissions> <permission> <class>java.io.FilePermission</class>
Within the <principal>
element (for granting permissions to a principal), it specifies the fully qualified name of the principal class, which is the class instantiated to represent a principal granted a set of permissions.
<jazn-policy> <grant> ... <grantee> <principals> <principal> ... <class>oracle.security.jps.service.policystore.TestUser</class>
Required, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} ... <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
and <policy-store>
for examples.
This element specifies the URL of the code to which permissions are granted.
The policy configuration can also include a <principals>
element, in addition to the <codesource>
element. Both elements are children of a <grantee>
element and they specify who or what the permissions in question are being granted to.
For variables that can be used in the specification of a <codesource>
URL, see <url>.
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element specifies the authentication password for a user. The credentials are, by default, in obfuscated form.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1}
See <jazn-realm>
for examples.
This element specifies a text string that provides textual information about an item.
<app-role>
, <application>
, <grant>
, <role>
, or <user>
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} ... <description> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} ... <description> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} ... <description> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1}
The fmwadmin
user might have the following description:
<description>User with administrative privileges</description>
See <jazn-realm>
for additional examples.
This element specifies the name of an item. Depending on the parent element, an item can be an application role, user, or enterprise group.
<app-role>
, <role>
, or <user>
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1}
The fmwadmin
user might have the following display name:
<display-name>Administrator</display-name>
See <jazn-realm>
for additional examples.
This element specifies attributes of an application role.
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<app-roles> <app-role> <name>Knight</name> <display-name>Fellowship For the Ring</display-name> <class>oracle.security.jps.service.policystore.ApplicationRole</class> <extended-attributes> <attribute> <name>SCOPE</name> <values> <value>Part-I</value> </values> </attribute> </extended-attributes> </app-role>
This element specifies the recipient of the grant - a codesource, or a set of principals, or both- and the permissions assigned to it.
Optional, zero or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element, in conjunction with a parallel <permissions>
element, specifies who or what the permissions are granted to: a set of principals, a codesource, or both.
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element is for internal use only. It specifies a globally unique identifier (GUID) to reference the item.
Depending on the parent element, the item referenced may be an application role, application role member, principal, enterprise group, or user, and it uniquely identifies the item. GUIDs are sometimes generated and used internally by OPSS.
<app-role>
, <member>
, <principal>
, <role>
, or <user>
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} ...
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} ...
See <jazn-realm>
for examples.
This element specifies the top-level element in the system-jazn-data.xml
file.
Name | Description |
---|---|
schema-major-version |
Specifies the major version number of the system-jazn-data.xml XSD. The value of this attribute is fixed at 11 for use with Oracle Fusion Middleware 11g. |
schema-minor-version |
Specifies the minor version number of the system-jazn-data.xml XSD. The value of this attribute is fixed at 0 for use with the Oracle Fusion Middleware 12.2.1 implementation. |
Required, one only
<jazn-data ... > {1} <jazn-realm> {0 or 1} ...
<policy-store> {0 or 1} ...
<jazn-policy> {0 or 1} ...
This element specifies policy grants that associate grantees (principals or codesources) with permissions.
This element can appear in two different locations in the system-jazn-data.xml
file:
Under the <jazn-data>
element, it specifies global policies.
Under the <application>
element, it specifies application-level policies.
Optional, zero or one
<jazn-data> {1} <jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} ... <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
This is the first example of jazn-policy:
<jazn-policy> <grant> <grantee> <principals> <principal> <class> oracle.security.jps.service.policystore.TestUser </class> <name>jack</name> </principal> <principal> <class> oracle.security.jps.service.policystore.TestUser </class> <name>jill</name> </principal> </principals> <codesource> <url>file:${oracle.deployed.app.dir}/<MyApp>${oracle.deployed.app.ext}</url> </codesource> </grantee> <permissions> <permission> <class>oracle.security.jps.JpsPermission</class> <name>getContext</name> </permission> <permission> <class>java.io.FilePermission</class> <name>/foo</name> <actions>read,write</actions> </permission> </permissions> </grant> </jazn-policy>
This is the second example of jazn-policy:
<jazn-policy> <grant> <grantee> <principals> <principal> <class> oracle.security.jps.service.policystore.TestAdminRole </class> <name>Farm=farm1,name=FullAdministrator</name> </principal> </principals> <codesource> <url>file://some-path</url> </codesource> </grantee> <permissions> permission> <class>javax.management.MBeanPermission</class> <name> oracle.as.management.topology.mbeans.InstanceOperations#getAttribute </name> <actions>invoke</actions> </permission> </permissions> </grant> </jazn-policy>
This element specifies security realms and the users in each of them. It is the top-level element for user and role information.
Optional, zero or one
<jazn-data> {1} <jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} ...
<jazn-data ... > ... <jazn-realm default="jazn.com"> <realm> <name>jazn.com</name> <users> <user deactivated="true"> <name>anonymous</name> <guid>61FD29C0D47E11DABF9BA765378CF9F3</guid> <description>The default guest/anonymous user</description> </user> <user> <name>developer1</name> <credentials>!password</credentials> </user> <user> <name>developer2</name> <credentials>!password</credentials> </user> <user> <name>manager1</name> <credentials>!password</credentials> </user> <user> <name>manager2</name> <credentials>!password</credentials> </user> <!-- these are for testing the admin role hierachy. --> <user> <name>farm-admin</name> <credentials>!password</credentials> </user> <user> <name>farm-monitor</name> <credentials>!password</credentials> </user> <user> <name>farm-operator</name> <credentials>!password</credentials> </user> <user> <name>farm-auditor</name> <credentials>!password</credentials> </user> <user> <name>farm-auditviewer</name> <credentials>!password</credentials> </user> </users> <roles> <role> <name>users</name> <guid>31FD29C0D47E11DABF9BA765378CF9F7</guid> <display-name>users</display-name> <description>users role for rmi/ejb access</description> </role> <role> <name>ascontrol_appadmin</name> <guid>51FD29C0D47E11DABF9BA765378CF9F7</guid> <display-name>ASControl App Admin Role</display-name> <description> Application Administrative role for ASControl </description> </role> <role> <name>ascontrol_monitor</name> <guid>61FD29C0D47E11DABF9BA765378CF9F7</guid> <display-name>ASControl Monitor Role</display-name> <description>Monitor role for ASControl</description> </role> <role> <name>developers</name> <members> <member> <type>user</type> <name>developer1</name> </member> <member> <type>user</type> <name>developer2</name> </member> </members> </role> <role> <name>managers</name> <members> <member> <type>user</type> <name>manager1</name> </member> <member> <type>user</type> <name>manager2</name> </member> </members> </role> </roles> </realm> </jazn-realm> ... </jazn-data>
This element specifies the fully qualified name of the class for a resource type. Queries for resources of this type delegate to this class. Values are case-sensitive.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {1 or more}
For an example, see <resource-type>.
This element specifies the members of a set, such as a <role>
or an<app-role>
element:
When under a <role>
element, it specifies a member of the enterprise group. A member can be a user or another enterprise group. The <name>
subelement specifies the name of the member, and the <type>
subelement specifies whether the member type (a user or an enterprise group).
When under an <app-role>
element, it specifies a member of the application role. A member can be a user, an enterprise group, or an application role. The <name>
subelement specifies the name of the member, and the <class>
subelement specifies the class that implements it. The member type is determined with the <class>
element.
When under a <role>
element, the <member>
element has the following child elements: <name>
, <type>
When under an <app-role>
element, the <member>
element has the following child elements: <name>
, <class>
, <uniquename>
, <guid>
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
See <jazn-realm>
and <policy-store>
for examples.
This element specifies resources for a permission set.
Required within <member-resources>, one or more.
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <permission-sets> {0 or 1} <permission-set> {1 or more} <name> {1} <member-resources> {1 or more} <member-resource> {1 or more} <resource-name> {1} <type-name-ref> {1} <actions> {0 or 1}
For an example, see <permission-set>.
This element specifies a set of member resources.
Required within <permission-sets>; one or more.
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <permission-sets> {0 or 1} <permission-set> {1 or more} <name> {1} <member-resources> {1 or more} <member-resource> {1 or more} <resource-name> {1} <type-name-ref> {1} <actions> {0 or 1}
For an example, see <permission-set>.
This element specifies a set of members.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
See <jazn-realm>
and <policy-store>
for examples.
This element has different uses, depending on its location in the file:
Within the <app-role>
element, it specifies the name of an application-level role in the policy configuration. For example:
<name>Farm=farm1,name=FullAdministrator</name>
Or a simpler example:
<name>Myrolename</name>
Within the <application>
element, it specifies the policy context identifier.
Within the <attribute>
element, it specifies the name of an additional attribute for the application-level role.
Within the <member>
element, it specifies the name of a member of an enterprise group or application role (depending on where the <member>
element is located). For example, if the fmwadmin
user is a member of the role:
<name>fmwadmin</name>
Within the <owner>
element, it specifies the name of an owner of an enterprise group. For example:
<name>mygroupowner</name>
Within the <permission>
element, as applicable, it specifies the name of a permission meaningful to the permission class. Values are case-sensitive. For example:
<name> oracle.as.management.topology.mbeans.InstanceOperations#getAttribute </name>
Or:
<name>getContext</name>
Within the <principal>
element (for granting permissions to a principal), it specifies the name of a principal within the given realm. For example:
<name>Administrators</name>
Within the <realm>
element, it specifies the name of a realm. For example:
<name>jazn.com</name>
Within the <role>
element, it specifies the name of an enterprise group in a realm. For example:
<name>Administrators</name>
Within the <user>
element, it specifies the name of a user in a realm. For example:
<name>fmwadmin</name>
Within the <resource-type>
element, it specifies the name of a resource type and is required. For example:
<name>restype1</name>
<app-role>
, <application>
, <attribute>
, <member>
, <owner>
, <permission>
, <principal>
, <realm>
, <role>
, or <user>
Required within any parent element other than <permission>
, one only. Optional within <permission>
, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
<application> <name>peanuts</name> <app-roles> <app-role> <name>snoopy</name> <display-name>application role snoopy</display-name> <class>oracle.security.jps.service.policystore.ApplicationRole</class> <members> <member> .......
See <jazn-policy>
, <jazn-realm>
, and <policy-store>
for examples.
This element specifies the owner of the enterprise group, where an owner has administrative authority over the role.
An owner is a user or another enterprise group. The <type>
subelement specifies the owner's type. The concept of role (group) owners specifically relates to BPEL or Oracle Internet Directory functionality. For example, in BPEL, a role owner has the capability to create and update workflow rules for the role.
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
This element specifies a set of owners.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
This element specifies the permission to grant to grantees, where a grantee is a set of principals, a codesource, or both, as part of a policy configuration.
Required within parent element, one or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element specifies a set of permissions.
The <permissions>
element (used in conjunction with a parallel <grantee>
element) specifies the permissions being granted, with a set of <permission>
subelements.
The system-jazn-data.xml
schema definition does not specify this as a required element, but OPSS runtime requires its use within any <grant>
element.
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
A permission set (or entitlement) specifies a set of permissions.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <permission-sets> {0 or 1} <permission-set> {1 or more} <name> {1} <member-resources> {1 or more} <member-resource> {1 or more} <resource-name> {1} <type-name-ref> {1} <actions> {0 or 1}
The following example illustrates the configuration of a permission set:
<permission-sets> <permission-set> <name>permsetName</name> <member-resources> <member-resource> <type-name-ref>TaskFlowResourceType</type-name-ref> <resource-name>resource1</resource-name> <actions>customize,view</actions> </member-resource> </member-resources> </permission-set> </permission-sets>
Note the following points about permission sets:
The actions specified in a <member-resource> must match one or more of the actions specified for the resource type referenced in <resource-name-ref>.
A <member-resources> can have multiple <member-resource> elements in it.
Permission sets must have at least one resource.
Permission sets can exist without being used in principals.
In addition, in a permission, the name, description, and display name are case-sensitive.
This element specifies a collection of permission sets.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <permission-sets> {0 or 1} <permission-set> {1 or more} <name> {1} <member-resources> {1 or more} <member-resource> {1 or more} <resource-name> {1} <type-name-ref> {1} <actions> {0 or 1}
For an example, see <permission-set>.
This element configures application policies. Under <applications>
there is an <application>
for each application. The policies are specified in a <jazn-policy>
of each <application>
.
The <jazn-principal-classes>
and <jazn-permission-classes>
elements and their subelements may appear in the system-jazn-data.xml
schema definition as subelements of <policy-store>
, but are for backward compatibility only.
Optional, zero or one
<jazn-data> {1} <policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} ...
<jazn-data ... > ... <policy-store> <!-- application policy --> <applications> <application> <name>policyOnly</name> <jazn-policy> ... </jazn-policy> </application> <application> <name>roleOnly</name> <app-roles> <app-role> <name>Fellowship</name> <display-name>Fellowship of the Ring</display-name> <class> oracle.security.jps.service.policystore.ApplicationRole </class> </app-role> <app-role> <name>King</name> <display-name>Return of the King</display-name> <class> oracle.security.jps.service.policystore.ApplicationRole </class> </app-role> </app-roles> </application> <application> <app-roles> <app-role> <name>Farm=farm1,name=FullAdministrator</name> <display-name>farm1.FullAdministrator</display-name> <guid>61FD29C0D47E11DABF9BA765378CF9F2</guid> <class> oracle.security.jps.service.policystore.ApplicationRole </class> <members> <member> <class> oracle.security.jps.internal.core.principals.JpsXmlEnterpriseRoleImpl </class> <name>admin</name> </member> </members> </app-role> </app-roles> <jazn-policy> ... </jazn-policy> </application> ... </applications> </policy-store .... </jazn-data
See <jazn-policy>
for examples of that element.
This element specifies a principal being granted the permissions specified in a <permissions> element as part of a policy configuration. Required under <principals>.
Subelements specify the name of the principal and the class that implements it, and optionally specify a unique name and unique global identifier (the latter two for internal use only).
Optional, zero or more
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element specifies a set of principals.
For policy configuration, a <principals>
element and/or a <codesource>
element are used under a <grantee>
element to specify who or what the permissions in question are being granted to. A <principals>
element specifies a set of principals being granted the permissions.
For a subject to get these permissions, the subject should include all the principals.
Optional, zero or one
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
See <jazn-policy>
for examples.
This element specifies the name of a resource type provider. The resource resides in a location external to the domain security tore. Values are case-insensitive.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {0 or more}
For an example, see <resource-type>.
This element specifies a security realm and the users and roles in it.
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} ...
See <jazn-realm>
for an example.
This element specifies an application resource and contains information about the resource.
One of more required under <resources>.
<resources> (0 or more) <resource> (1 or more) <name> (1) <display-name> (1) <description> {0 or 1} <type-name-ref> (1)
The following example illustrates the configuration of a resource (instance):
<resources> <resource> <name>resource1</name> <display-name>Resource1DisplayName</display-name> <description>Resource1 Description</description> <type-name-ref>TaskFlowResourceType</type-name-ref> </resource> </resources>
Note that the name, description, and display names are case-sensitive.
This element specifies a collection of application resources.
Optional, zero or more
<resources> (0 or more) <resource> (1 or more) <name> (1) <display-name> (1) <description> {0 or 1} <type-name-ref> (1)
For an example, see <resource>.
This element specifies a member resource in a permission set. Values are case-sensitive.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <permission-sets> {0 or 1} <permission-set> {1 or more} <name> {1} <member-resources> {1 or more} <member-resource> {1 or more} <resource-name> {1} <type-name-ref> {1} <actions> {0 or 1}
For an example, see <permission-set>.
This element specifies the type of a secured artifact, such as a flow, a job, or a web service. Values are case-insensitive.
<name>
, <display-name>
, <description>
, <actions>
, <actions-delimiter>
, <matcher-class>
, <provider-name>
.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {0 or more}
The following example illustrates the configuration of a resource type:
<resource-types> <resource-type> <name>TaskFlowResourceType</name> <display-name>TaskFlowResourceType_disp</display-name> <description>Resource Type for Task Flow</description> <provider-name>resTypeProv</provider-name> <matcher-class> oracle.adf.controller.security.TaskFlowPermission</matcher-class> <actions-delimiter>,</actions-delimiter> <actions>customize,view</actions> </resource-type> </resource-types>
The following points apply to the specification of a resource type:
The name is required and case-insensitive.
The provider name is optional and case-insensitive. A provider is used when there are resources managed in a store other than the security store.
When specified, the class in a <provider-name> element is used as a resource finder. Queries for resources of this type (with the ResourceManager
method) delegate to this class instead of using the built-in resource finder.
The class specification is required and case-sensitive.
The description and display specifications are optional and case-insensitive.
The action specification is optional and case-sensitive. The list of actions in a resource type can be empty. An empty action list indicates that the actions on instances of the resource type are determined externally.
This element specifies a set of resource types.
Optional, zero or more
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} ... <role-categories> {0 or 1} ... <resource-types> {0 or 1} <resource-type> {1 or more} <name> {1} <display-name> {1} <description> {0 or 1} <provider-name> {1} <matcher-class> {1} <actions-delimiter> {1} <actions> {0 or more}
For an example, see <resource-type>.
This element specifies an enterprise security role, as opposed to an application-level role, and the members (and optionally owners) of that role.
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
See <jazn-realm>
for examples.
This element specifies the parent element of <role-category> elements.
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> {0 or 1 <role-category> {1 or more} <name> {1} <description> {0 or 1} <display-name> {0 or 1}
See Section 17.3.3.1, "Using checkPermission" for an example.
This element specifies a flat set of application roles.
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> {0 or 1} <role-category> {1 or more} <name> {1} <description>{0 or 1} <display-name>{0 or 1} <members> {0 or 1}
See Section 17.3.3.1, "Using checkPermission" for an example.
This element specifies an application role within a role category.
Optional, zero or one
<application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <role-categories> {0 or 1} <role-category> {1 or more} <name> {1} <description> {0 or 1} <members> {0 or 1} <role-name-ref> {1}
This element specifies a set of enterprise roles that belong to the security realm.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
See <jazn-realm>
for an example.
This element specifies the type of an enterprise group member or role owner: specifically, whether the member or owner is a user or another role:
<type>user</type>
Or:
<type>role</type>
Required, one only
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} ... <roles> {0 or 1} <role> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <members> {0 or 1} <member> {0 or more} <type> {1} <name> {1} <owners> {0 or 1} <owner> {0 or more} <type> {1} <name> {1}
See <jazn-realm>
for examples.
This element specifies the resource type of a resource.
One only. Required within <resource> or <member-resource>.
<resources> (0 or more) <resource> (1 or more) <name> (1) <display-name> (1) <description> {0 or 1} <type-name-ref> (1)
For an example, see <resource>.
This element, for internal use, takes a string value to specify a unique name to reference the item. (The JpsPrincipal
class can use a GUID and unique name, both computed by the underlying policy provisioning APIs, to uniquely identify a principal.) Depending on the parent element, the item could be an application role, application role member (not an enterprise group member), or principal. It uniquely identifies the item. A unique name is sometimes generated and used internally by Oracle Platform Security.
The unique name for an application role would be: "appid=application_name, name=actual_rolename
". For example:
<principal> <class> oracle.security.jps.service.policystore.adminroles.AdminRolePrincipal </class> <uniquename> APPID=App1,name="FARM=D.1.2.3,APPLICATION=PolicyServlet,TYPE=OPERATOR" </uniquename> </principal>
Optional, zero or one
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} ... <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
This element specifies the URL of the code granted permissions.
Note the following points:
URL values cannot be restricted to a single class.
URL values with ".jar" suffix match the JAR files in the specified directory.
URL values with "/" suffix match all class files (not JAR files) in the specified directory.
URL values with "/*" suffix match all files (both class and JAR files) in the specified directory.
URL values with "/-" suffix match all files (both class and JAR files) in the specified directory and, recursively, all files in subdirectories.
The system variables oracle.deployed.app.dir
and oracle.deployed.app.ext
can be used to specify a URL independent of the platform.
Required within parent element, one only
<jazn-policy> {0 or 1} <grant> {0 or more} <description> {0 or 1} <grantee> {0 or 1} <principals> {0 or 1} <principal> {0 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1} <codesource> {0 or 1} <url> {1} <permissions> {0 or 1} <permission> {1 or more} <class> {1} <name> {0 or 1} <actions> {0 or 1}
The following example illustrates the use of the system variables oracle.deployed.app.dir
and oracle.deployed.app.ext
to specify URLs independent of the server platform.
Suppose an application grant requires a codesource URL that differs with the server platform:
<grant> <grantee> <codesource> <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/myApp/-</url> </codesource> </grantee> <permissions> ... </permissions> </grant>
Then, using the following system variable settings:
-Doracle.deployed.app.dir=${DOMAIN_HOME}/servers/${SERVER_NAME}/tmp/_WL_user -Doracle.deployed.app.ext=/-
the following specification is possible:
<grant> <grantee> <codesource> <url>file:${oracle.deployed.app.dir}/<MyApp>${oracle.deployed.app.ext}</url> </codesource> </grantee> <permissions> ... </permissions> </grant>
This element specifies a user within a realm.
Name | Description |
---|---|
deactivated |
Specifies whether the user is valid or not.
Set to Values: Default: |
Optional, zero or more
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} ...
See <jazn-realm>
for examples.
This element specifies the set of users belonging to a realm.
Optional, zero or one
<jazn-realm> {0 or 1} <realm> {0 or more} <name> {1} <users> {0 or 1} <user> {0 or more} <name> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <credentials> {0 or 1} <roles> {0 or 1} ...
See <jazn-realm>
for an example.
This element specifies a value for an attribute. Specify additional attributes for application-level roles with the <extended-attributes>
element.
Required within the parent element, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<app-roles> <app-role> <name>Knight</name> <display-name>Fellowship of the Ring</display-name> <class>oracle.security.jps.service.policystore.ApplicationRole</class> <extended-attributes> <attribute> <name>SCOPE</name> <values> <value>Part-I</value> </values> </attribute> </extended-attributes> </app-role>
This element specifies a set of values, each of which specify the value of an attribute. An attribute can have more than one value.
Required within the parent element, one only
<policy-store> {0 or 1} <applications> {0 or 1} <application> {1 or more} <name> {1} <description> {0 or 1} <app-roles> {0 or 1} <app-role> {1 or more} <name> {1} <class> {1} <display-name> {0 or 1} <description> {0 or 1} <guid> {0 or 1} <uniquename> {0 or 1} <extended-attributes> {0 or 1} <attribute> {1 or more} <name> {1} <values> {1} <value> {1 or more} <members> {0 or 1} <member> {1 or more} <name> {1} <class> {1} <uniquename> {0 or 1} <guid> {0 or 1}
<app-roles> <app-role> <name>Knight</name> <display-name>Fellowship of the Ring</display-name> <class>oracle.security.jps.service.policystore.ApplicationRole</class> <extended-attributes> <attribute> <name>SCOPE</name> <values> <value>Part-I</value> </values> </attribute> </extended-attributes> </app-role>