Oracle® Fusion Middleware Administrator's Guide for Authorization Policy Manager 11g Release 1 (11.1.1), Part Number E14431-01
This chapter describes the procedures an administrator follows to manage application-specific security artifacts, view the external role hierarchy, manage the application role hierarchy, and manage the many-to-many mapping of application roles to external roles from both the application and the external role point of view.
This chapter is divided into the following sections:
Authorization Policy Manager allows performing CRUD (create, read, update, delete) operations on several application security artifacts.
The menu New, to create an artifact, is available in the Browser and Search Results tabs of the navigation panel, and advanced search results tables.
The menu Open, to view and modify an artifact, is available in the Search Results tab of the navigation panel and advanced search results tables.
The menu Delete, to remove an artifact, is available in advanced search results tables.
The following sections describe how to manage specific security artifacts:
Note:
For enterprise users and external roles, Authorization Policy Manager provides viewing and searching functionality only. To manage users and external roles, use Oracle Identity Manager or some other identity management tool.
The following sections describe how to manage application roles:
To create an application role, proceed as follows:
In the navigation panel, right-click the application Role Catalog icon and select New, to open an Untitled page on the right panel.
In the General tab of the page, enter the following data for the role being created:
A role name (required)
A display name (required)
A description (optional). Although optional, it is recommended because it can provide useful information about the role.
A role category, to which the role being created belongs (optional)
Click Save. Note the following changes in the page: (a) the title Untitled changes to the string entered for display name; (b) two other tabs, Application Role Hierarchy and External Role Mapping, become available.
To position the role being created in the application role hierarchy:
Bring the Application Role Hierarchy tab to the foreground.
To view or specify the application roles this role inherits, select Inherits and click Add to display the Add a Role dialog.
In the Add a Role dialog, query application roles with a given display name (an empty string fetches all roles), select one or more roles from the results (Ctrl-click adds roles to the selection one at a time), and then click Add to display the selected roles in the Inherits table.
To delete a role from the Inherits table, select the role and click Remove; only roles directly under the top can be removed. To view a role, select the role and click Open; to find the policies that use a role, select the role and click Find Policies. To create a policy based on the application role, click Create Policy at the top of the page.
To specify application roles for a role in the Inherits table, select the role, and click Add to display the Add a Role dialog. In that dialog, click the radio button for the selected role, and proceed to search and select roles to add. Then click Add, to display the added roles under the selected role.
To view the application roles that this role is inherited by, select Is Inherited By.
To view a role in the Is Inherited table, select the role and click Open; to view the policies that use a role, select the role and click View Policies.
In both pages, Inherits and Is Inherited By, the bottom area displays the summary information of a role selected from the table.
To map external roles to the application role being created:
Bring the External Role Mapping tab to the foreground.
Click Add to display the Add a Role dialog, or select an item and click Remove to delete it.
In the Add a Role dialog, query external roles with a given display name (an empty string fetches all roles), select one or more roles from the results (Ctrl-click adds roles to the selection one at a time), and then click Add to display the selected roles in the External Roles tab.
Figure 5-1 illustrates part of the Application Role Hierarchy tab.
Deleting a role deletes the role and all roles nested in it; Authorization Policy Manager prompts for confirmation before executing this cascading deletion. Moreover, all references to a removed role are removed from application policies in the application stripe. Before confirming, check the role's Is Inherited By table and use Find Policies to see which roles and policies will lose the reference, since those grants silently disappear with the role.
To delete an application role, use the procedure in Section 4.2, "Searching Application Roles" to identify the role in the Search Results table of an advanced search, select the role, and then click Delete.
To modify or view an application role, proceed as follows:
Select the application role in the Search Results of the navigation panel, and double-click it or click Open to display the page for the application role. For details, see Section 3.4, "Finding Artifacts with a Simple Search."
Modify, as appropriate, the current specifications in the General, Application Role Hierarchy, and External Role Mapping tabs. If any data in the General tab is changed, click Apply.
The following sections describe how to manage application resource types:
To create an application resource type, proceed as follows:
In the navigation panel, right-click the application Resource Types icon and select New, to open an Untitled page on the right panel.
In that page, enter the following data for the resource type being created:
A name (required).
A display name (required).
A description (optional). Although optional, it is recommended because it can provide useful information about the resource type.
The fully qualified name of the permission class for the resource type, in the box labeled Matcher (required). This must be a java.security.Permission implementation that the application can load at runtime; the OPSS-supplied class oracle.security.jps.ResourcePermission is the one commonly used for custom resource types.
The actions allowed by the type. To add an action to the current list, click New to display the New Action dialog, enter the name of the action, and click Save; the Action list is then updated with the new action. Only these actions can later be granted on instances of the type.
Click Save. The tab changes its title to the name of the resource type just created.
Figure 5-2 illustrates part of the page for the resource type TaskFlowResourceType.
To modify an application resource type, proceed as follows:
Identify the application resource type to modify or view. For details, see Section 4.3, "Searching Application Resource Types."
Select the resource type, and click Open to open the page for the resource type. (The Delete and New menus, also available, allow deleting the selected resource type or creating a new one.)
In that page, modify the resource type as appropriate.
Click Apply to save changes.
The following sections describe how to manage application resources:
To create an application resource instance, proceed as follows:
In the navigation panel, right-click the application Resources icon and select New, to open an Untitled page on the right panel.
In that page, enter the following data for the resource instance being created:
A name (required)
A display name (required)
A description (optional). Although optional, it is recommended because it can provide useful information about the resource instance.
A resource type - Select a resource type for the instance from the pull-down Resource Types (required)
Click Save. The tab changes its title to the name of the resource instance just created.
To modify an application resource instance, proceed as follows:
Identify the application resource to modify or view. For details, see Section 4.4, "Searching Application Resources."
Select the resource, and click Open to open the page for the resource. (The Delete menu, also available, allows deleting a selected resource).
In that page, modify the resource as appropriate.
Click Apply to save changes.
Alternatively, use a simple search to identify the resource, select it, and then click Open to edit its attributes.
The following sections describe how to manage application entitlements:
To create an application entitlement, proceed as follows:
In the navigation panel, right-click the application Entitlements icon and select New, to open an Untitled page on the right panel.
In that page, enter the following data for the entitlement being created:
A name (required)
A display name (required)
A description (optional). Although optional, it is recommended because it can provide useful information about the entitlement.
Add resources to the entitlement being created. There are two ways of accomplishing this task; the first way is as follows:
List the resources available to the application by performing a regular search on resource instances.
Drag and drop resource instances from the Search Results tab (on the navigation panel) into the area labeled Resources.
The second, alternative way is as follows:
Click Add at the top of the area Resources, to display the Add Resource dialog.
In that dialog, search for the available resources whose names or display names match a string, and a selected Resource Type. The resources matching the query are displayed in the table at the bottom of the dialog.
From the results, select the resources to add (the combination ctrl-left click allows you to select multiple items from the list), and then click Add. Only resources not already in the Resources list are allowed to be added.
Select actions for resources - First select a resource that you have added (from the Resources list) to display the resource details in the Resource Details area at the bottom of the page. Then check the desired actions for that resource in the area Actions. Only the actions allowed for the type of the selected resource are available in this area. Repeat this step for each of the resources you have added to the entitlement being created.
Click Save. The page changes its title to the name of the entitlement just created.
Figure 5-3 illustrates part of the page after the entitlement myEntitlement has been created and in which the area Resources has been collapsed.
To modify or view an entitlement, proceed as follows:
Select the entitlement in the Search Results of the navigation panel, and double-click it or click Open to display the page for the entitlement. For details, see Section 3.4, "Finding Artifacts with a Simple Search."
Modify, as appropriate, the current specifications in the page.
Click Apply to save changes.
The following sections describe how to manage application functional policies:
The following procedure describes a way to create an application policy based on an application role; alternative ways to create policies based on a principal, an entitlement, or a resource by using the New Policy menu are described in Section 4.6.1, "Finding Application Policies that Match Entitlements or Resources," and Section 4.6.2, "Finding Application Policies that Match Principals."
To create an application policy based on a specific application role, proceed as follows:
Select Policies under the application for which you want to create the policy, and double-click it or click Open to display the Search - Policies page.
In that page, bring the tab Principal to the foreground and specify parameters for a Search, to locate and select the principals (application role, external role, or user) on which to base the policy being created.
In the tab Function Security, at the bottom area of the page, select either Entitlement Policies or Resource Based Policies (according to the kind of policy to create), and then click New Policy to display an Untitled policy page.
If creating an entitlement-based policy, then in the Untitled page:
Add principals to the policy - Either use the button Add at the top of the Principal table, or, alternatively, perform a simple search on application roles, external roles, or users, and drag-and-drop items from the search results into the Principal table. For details, see Section 3.4, "Finding Artifacts with a Simple Search."
Add an entitlement to the policy - Either use the button Add at the top of the Entitlement table, or, alternatively, perform a simple search on the application entitlements, and drag-and-drop an entitlement from the search results into the Entitlement table.
Click Save.
If creating a resource-based policy, then in the Untitled page:
Add principals to the policy - Either use the button Add at the top of the Principal table, or, alternatively, perform a simple search on application roles, external roles, or users, and drag-and-drop items from the search results into the Principal table. For details, see Section 3.4, "Finding Artifacts with a Simple Search."
Add resource instances to the policy - Either use the button Add in the Resources table, or, alternatively, perform a simple search on the application resource instances, and drag-and-drop resource instances from the search results into the Resources table.
For each resource instance added, select the instance and specify the actions allowed by checking the appropriate boxes in the Actions area at the bottom of the page.
Click Save.
Figure 5-4 illustrates part of the page after creating a policy based on an entitlement.
Entitlement-based policies cannot be modified.
To modify or view a resource-based policy, proceed as follows:
Identify the resource-based application policy to modify or view in either of the following ways:
By matching an application role in the policy. For details, see step 7 of the procedure in Section 4.6.2, "Finding Application Policies that Match Principals."
By matching a resource name in the policy. For details, see step 7 of the procedure in Section 4.6.1, "Finding Application Policies that Match Entitlements or Resources."
Select the policy, and click Open to open the page for the policy.
In that page, modify the policy attributes as appropriate.
Click Apply to save changes.
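The procedures above for application roles, resource types, resource instances, entitlements, and policies describe the artifacts one at a time. The following added example (not Authorization Policy Manager code, and not part of this guide) is a small Python model of how those artifacts fit together in one application stripe: the Inherits hierarchy and external-role mapping decide which application roles a user holds, a resource type's action list bounds what an entitlement or resource-based policy may grant, and deleting a role cascades to the roles nested below it and strips the removed roles from every policy, as the chapter states. The role names, the task-flow resource name, and the choice of oracle.security.jps.ResourcePermission as matcher class are constructed for the demo.

```python
"""Model of the artifacts this chapter manages (added example, not APM code):
application roles with an Inherits hierarchy and external-role mapping,
resource types (matcher class plus allowed actions), resource instances,
entitlements, and entitlement- or resource-based policies."""
from dataclasses import dataclass, field


class PolicyStoreError(Exception):
    pass


@dataclass
class Policy:
    principals: set                             # app roles, external roles, users
    entitlement: str = None                     # entitlement-based policy ...
    grants: dict = field(default_factory=dict)  # ... or resource -> actions


class ApplicationStripe:
    def __init__(self):
        self.app_roles = {}      # role -> roles listed in its Inherits tab
        self.ext_mapping = {}    # app role -> external roles mapped to it
        self.resource_types = {}  # type -> (matcher class, allowed actions)
        self.resources = {}      # resource instance -> type name
        self.entitlements, self.policies = {}, []

    def create_app_role(self, name, inherits=()):
        unknown = set(inherits) - self.app_roles.keys()
        if unknown:
            raise PolicyStoreError(f"cannot inherit unknown roles {sorted(unknown)}")
        self.app_roles[name] = set(inherits)

    def map_external_role(self, app_role, ext_role):
        self.ext_mapping.setdefault(app_role, set()).add(ext_role)

    def inherited_by(self, role):
        """The Is Inherited By view: roles whose Inherits table lists `role`."""
        return {r for r, below in self.app_roles.items() if role in below}

    def delete_app_role(self, role):
        """Cascading delete as the chapter describes: the role and every role
        nested below it go, and references to them are dropped from policies.
        Returns (removed roles, number of policies left with no principal)."""
        removed, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in removed:
                removed.add(r)
                stack.extend(self.app_roles.get(r, ()))
        for r in removed:
            self.app_roles.pop(r, None)
            self.ext_mapping.pop(r, None)
        for below in self.app_roles.values():
            below -= removed
        for p in self.policies:
            p.principals -= removed
        emptied = sum(1 for p in self.policies if not p.principals)
        self.policies = [p for p in self.policies if p.principals]
        return removed, emptied

    def create_resource_type(self, name, matcher, actions):
        self.resource_types[name] = (matcher, frozenset(actions))

    def create_resource(self, name, type_name):
        if type_name not in self.resource_types:
            raise PolicyStoreError(f"unknown resource type {type_name}")
        self.resources[name] = type_name

    def _checked(self, grants):
        """Only the actions allowed by each resource's type may be granted."""
        out = {}
        for resource, actions in grants.items():
            allowed = self.resource_types[self.resources[resource]][1]
            if set(actions) - allowed:
                raise PolicyStoreError(f"{resource}: {sorted(set(actions) - allowed)} "
                                       f"not allowed by type {self.resources[resource]}")
            out[resource] = set(actions)
        return out

    def create_entitlement(self, name, grants):
        self.entitlements[name] = self._checked(grants)

    def create_policy(self, principals, entitlement=None, grants=None):
        if (entitlement is None) == (grants is None):
            raise PolicyStoreError("a policy is either entitlement- or resource-based")
        self.policies.append(Policy(set(principals), entitlement,
                                    self._checked(grants or {})))

    def principals_for(self, user, ext_roles):
        """A user acts as themself, their external roles, the application roles
        those map to, and every role reachable through the Inherits hierarchy."""
        found = {a for a, exts in self.ext_mapping.items() if exts & set(ext_roles)}
        stack = list(found)
        while stack:
            for below in self.app_roles.get(stack.pop(), ()):
                if below not in found:
                    found.add(below)
                    stack.append(below)
        return {user} | set(ext_roles) | found

    def is_allowed(self, principals, resource, action):
        for p in self.policies:
            if not p.principals & principals:
                continue
            grants = self.entitlements[p.entitlement] if p.entitlement else p.grants
            if action in grants.get(resource, ()):
                return True
        return False


def demo():
    """Build a constructed stripe and return the checks a practitioner would make."""
    s = ApplicationStripe()
    s.create_resource_type("TaskFlowResourceType",
                           "oracle.security.jps.ResourcePermission",  # assumed matcher
                           ["view", "customize"])
    flow = "/WEB-INF/payroll-flow.xml#payroll-flow"           # constructed resource
    s.create_resource(flow, "TaskFlowResourceType")
    s.create_entitlement("myEntitlement", {flow: ["view"]})
    s.create_app_role("PayrollViewer")
    s.create_app_role("PayrollManager", inherits=["PayrollViewer"])
    s.map_external_role("PayrollViewer", "HR_STAFF")
    s.map_external_role("PayrollManager", "HR_MANAGERS")
    s.create_policy(["PayrollViewer"], entitlement="myEntitlement")
    s.create_policy(["PayrollManager"], grants={flow: ["customize"]})
    try:                      # the type does not allow 'delete' on task flows
        s.create_entitlement("bad", {flow: ["delete"]})
        rejected = False
    except PolicyStoreError:
        rejected = True
    staff = s.principals_for("alice", ["HR_STAFF"])
    boss = s.principals_for("bob", ["HR_MANAGERS"])
    results = {
        "staff_view": s.is_allowed(staff, flow, "view"),
        "staff_customize": s.is_allowed(staff, flow, "customize"),
        "boss_customize": s.is_allowed(boss, flow, "customize"),
        "boss_view_via_inheritance": s.is_allowed(boss, flow, "view"),
        "viewer_inherited_by": s.inherited_by("PayrollViewer"),
        "disallowed_action_rejected": rejected,
    }
    removed, emptied = s.delete_app_role("PayrollManager")  # cascades to PayrollViewer
    results["cascade_removed"], results["policies_emptied"] = removed, emptied
    results["staff_view_after_delete"] = s.is_allowed(
        s.principals_for("alice", ["HR_STAFF"]), flow, "view")
    return results
```

The point of the last three checks in demo() is the one the chapter makes about deletion: removing PayrollManager also removes the nested PayrollViewer, both policies lose their only principal, and a user who reached the task flow through the HR_STAFF mapping loses access without any policy having been edited directly.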
Authorization Policy Manager does not support modifying role categories, but only creating and deleting them.
To create an application role category, proceed as follows:
In the navigation panel, right-click the application Role Categories icon and select New, to open an Untitled page on the right panel.
In that page, click New to display the New Category dialog.
In that dialog, enter the following data for the category being created:
A name (required)
A display name (required)
A description (optional). Although optional, it is recommended because it can provide useful information about the category.
Click Create: the new category is displayed in the list under the Role Categories page.
Figure 5-5 partially illustrates the Role Categories page after a category has been created.
To view the external role hierarchy under a given external role, proceed as follows:
Select an external role in the Search Results of the navigation panel, and double-click it or select it and click the View icon to display the page for the external role. For details, see Section 3.4, "Finding Artifacts with a Simple Search."
In that page, select the External Role Hierarchy tab.
The table in that tab displays all the external roles from which the selected role inherits permissions. Any external role in the table can be expanded to show the deeper levels of the hierarchy.
In addition, the actions at the top of the table allow:
Opening a selected external role for view (Open Role)
Figure 5-6 partially illustrates the External Role Hierarchy tab for the external role OPS FEDERAL.
This section explains how to view and modify an application role hierarchy, specifically, the hierarchy of application roles below and above a given application role.
To view or modify the application role hierarchy below a given application role, proceed as follows:
Select an application role in the Search Results of the navigation panel, and double-click it or click Open to display the page for the application role. For details, see Section 3.4, "Finding Artifacts with a Simple Search."
Bring the tab Application Role Hierarchy to the foreground and select Inherits.
The table in that region displays the application roles under the role.
The actions at the top of this table allow:
Adding application roles (Add)
Removing a selected role (Remove)
Opening for viewing a selected role (Open)
Viewing the policies that contain a selected role (View Policies)
To view or modify the application role hierarchy above a given application role, proceed as follows:
Select an application role in the Search Results of the navigation panel, and double-click it or click Open to display the page for the application role. For details, see Section 3.4, "Finding Artifacts with a Simple Search."
Bring the tab Application Role Hierarchy to the foreground and select Is Inherited By.
The table in that region displays the application roles above the role, that is, the roles that inherit it.
The actions at the top of this table allow:
Adding application roles (Add)
Removing a selected role (Remove)
Opening for viewing a selected role (Open)
Viewing the policies that contain a selected role (View Policies)
To map application roles to an external role, proceed as follows:
Select the external role in the Search Results of the navigation panel, and double-click it or click Open to display the page for the external role. For details, see Section 3.4, "Finding Artifacts with a Simple Search."
In that page, select the Role Mapping tab.
In that tab, in the table in the area External Role Hierarchy, select Map Roles to display the Map Application Roles to External Roles dialog.
Use that dialog to search and select the application roles you want to map into the external role, and then click Map Roles. The current list of application roles mapped to the external role is shown in the table in the area labeled Application Role Hierarchy for.
In addition, the actions at the top of the table allow:
Removing roles from the map (Remove Roles)
Opening a selected external role for view (Open Role)
Finding policies that contain a selected role (Find Policies)
To map external roles to an application role, proceed as follows:
Select an application role in the Search Results of the navigation panel, and double-click it or click Open to display the page for the application role. For details, see Section 3.4, "Finding Artifacts with a Simple Search."
Bring the External Role Mapping tab to the foreground.
In that tab, click Add to display the Add a Role dialog. Use this dialog to search and select the set of external roles to be mapped to the application role; then click Map Roles.
The table showing the external roles mapped to the application role is then updated to include the selected roles. In addition to adding external roles, the actions at the top of this table allow:
Removing a selected role (Remove)
Opening for viewing a selected role (Open)
Figure 5-7 illustrates the Add a Role dialog with results of an External Role Search and three external roles selected.
Figure 5-8 illustrates the External Role Mapping tab displaying the external roles mapped to an application role.
An alternative way to add external roles to an application role (with the action menu Add External Role) is explained in Section 4.2, "Searching Application Roles."