Log in to Fusion Middleware Control and navigate to Domain Security System

Managing the Policy Store 9-13

        <property value="jdbc/opss" name="datasource.jndi.name"/>
    </propertySet>

    <serviceInstance provider="policystore.provider" name="policystore.db">
        <property value="DB_ORACLE" name="policystore.type"/>
        <propertySetRef ref="props.db.1"/>
    </serviceInstance>

    <jpsContext name="default">
        <serviceInstanceRef ref="credstore.db"/>
        <serviceInstanceRef ref="keystore.db"/>
        <serviceInstanceRef ref="policystore.db"/>
        <serviceInstanceRef ref="audit"/>
        <serviceInstanceRef ref="idstore.ldap"/>
        <serviceInstanceRef ref="trust"/>
    </jpsContext>

Required Editing

The configuration file produced by the reassociation above must be manually modified before it is passed to the offline script listAppStripes. This editing involves (a) changing the list of properties props.db.1 above to the following:

    <propertySet name="props.db.1">
        <property value="cn=reassociation" name="oracle.security.jps.ldap.root.name"/>
        <property value="cn=soa_domain" name="oracle.security.jps.farm.name"/>
        <property value="jdbc:oracle:thin:@dadvma0170:1521:rdbms" name="jdbc.url"/>
        <property value="rc1_opss" name="security.principal"/>
        <property value="oracle.jdbc.driver.OracleDriver" name="jdbc.driver"/>
        <property value="welcome1" name="security.credential"/>
    </propertySet>

in which the property datasource.jndi.name has been replaced by four other properties; and (b) removing the reference to the identity store in the default context, that is, the line

    <serviceInstanceRef ref="idstore.ldap"/>

The edited file can then be passed to the offline script, which should run without errors.
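The two manual edits above (swapping datasource.jndi.name for the JDBC properties and dropping the idstore.ldap reference) are easy to get wrong by hand, so the following added example automates them with the Python standard library. It is not code from the Oracle guide; it assumes the file layout of the fragment above, and every host, schema user and password in it is a constructed placeholder.

```python
# Added example, not code from the Oracle guide: automates the "Required Editing" step
# on a reassociated jps-config.xml using only the standard library. Assumes the layout
# of the fragment above; all connection values are constructed placeholders.
import xml.etree.ElementTree as ET

# Constructed sample mirroring the relevant parts of the fragment above.
SAMPLE_JPS_CONFIG = """<jpsConfig>
  <propertySet name="props.db.1">
    <property value="jdbc/opss" name="datasource.jndi.name"/>
  </propertySet>
  <jpsContext name="default">
    <serviceInstanceRef ref="policystore.db"/>
    <serviceInstanceRef ref="idstore.ldap"/>
    <serviceInstanceRef ref="trust"/>
  </jpsContext>
</jpsConfig>"""

# Properties the guide lists in place of datasource.jndi.name (placeholder values).
# security.credential is a cleartext password: restrict the edited file's permissions.
OFFLINE_DB_PROPERTIES = [
    ("oracle.security.jps.ldap.root.name", "cn=reassociation"),
    ("oracle.security.jps.farm.name", "cn=soa_domain"),
    ("jdbc.url", "jdbc:oracle:thin:@DBHOST:1521:SID"),
    ("security.principal", "OPSS_SCHEMA_USER"),
    ("jdbc.driver", "oracle.jdbc.driver.OracleDriver"),
    ("security.credential", "PLACEHOLDER_PASSWORD"),
]

def prepare_offline_config(xml_text, property_set="props.db.1", context="default"):
    """Return the edited XML: (a) replace datasource.jndi.name in property_set with the
    JDBC properties, (b) drop the idstore.ldap reference from the named jpsContext."""
    root = ET.fromstring(xml_text)
    pset = root.find(f".//propertySet[@name='{property_set}']")
    ctx = root.find(f".//jpsContext[@name='{context}']")
    if pset is None or ctx is None:
        raise ValueError("propertySet or jpsContext not found; layout differs from the guide")
    for prop in pset.findall("property[@name='datasource.jndi.name']"):
        pset.remove(prop)
    for name, value in OFFLINE_DB_PROPERTIES:
        ET.SubElement(pset, "property", {"value": value, "name": name})
    for ref in ctx.findall("serviceInstanceRef[@ref='idstore.ldap']"):
        ctx.remove(ref)
    return ET.tostring(root, encoding="unicode")

def property_names(xml_text, property_set="props.db.1"):
    """Names of the properties in property_set, for checking the edit."""
    root = ET.fromstring(xml_text)
    return [p.get("name") for p in root.findall(f".//propertySet[@name='{property_set}']/property")]
```

Run prepare_offline_config on the real file contents, write the result to a separate file for listAppStripes, and delete that file once the offline script has run, since it carries the schema password in cleartext.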

9.3.2 createAppRole

The script createAppRole creates an application role in the policy store with the given application stripe and role name.

Script Mode Syntax

    createAppRole.py -appStripe appName -appRoleName roleName

Interactive Mode Syntax

    createAppRole(appStripe="appName", appRoleName="roleName")

The meanings of the arguments (all required) are as follows:

■ appStripe specifies an application stripe.
■ appRoleName specifies a role name.

9-14 Oracle Fusion Middleware Application Security Guide

Example of Use

The following invocation creates an application role with application stripe myApp and role name myRole:

    createAppRole.py -appStripe myApp -appRoleName myRole

9.3.3 deleteAppRole

The script deleteAppRole removes an application role from the passed stripe. Specifically, this script applies a cascading deletion by removing:

■ All grants where the role is present
■ The role from any other role of which it is a member
■ All roles that are members of the role

Script Mode Syntax

    deleteAppRole.py -appStripe appName -appRoleName roleName

Interactive Mode Syntax

    deleteAppRole(appStripe="appName", appRoleName="roleName")

The meanings of the arguments (all required) are as follows:

■ appStripe specifies an application stripe.
■ appRoleName specifies a role name.

Example of Use

The following invocation removes the role with application stripe myApp and name myRole:

    deleteAppRole.py -appStripe myApp -appRoleName myRole

9.3.4 grantAppRole

The script grantAppRole adds a principal (class and name) to a role with a given application stripe and name, and it can be used to build or modify an application role hierarchy.

Script Mode Syntax

    grantAppRole.py -appStripe appName -appRoleName roleName -principalClass className -principalName prName

Interactive Mode Syntax

    grantAppRole(appStripe="appName", appRoleName="roleName", principalClass="className", principalName="prName")

The meanings of the arguments (all required) are as follows:

■ appStripe specifies an application stripe.
■ appRoleName specifies a role name.
■ principalClass specifies the fully qualified name of a class; this class must be included in the class path so that it is available at runtime. Typically, if the