
2-2 Oracle Fusion Middleware Application Security Guide

A Java EE logical role is a role specified declaratively or programmatically by a Java EE application. It is defined in an application deployment descriptor and, typically, used in the application code. It can be mapped only to enterprise groups or users; it cannot be mapped directly to application roles.

An application role is a collection of users, groups, and other application roles; it can be hierarchical. Application roles are defined by application policies and are not necessarily known to a Java EE container. Application roles can be mapped many-to-many to external roles. For example, the external group employee stored in the identity store can be mapped to the application role helpdesk service request in one stripe and to the application role self service HR in another stripe.

For details about the anonymous role, see Section 2.4, The Anonymous User and Role. For details about the authenticated role, see Section 2.3, The Authenticated Role.

Principal

A principal is the identity to which the authorization in the policy is granted. A principal can be a user, an external role, or an application role. Most frequently, it is an application role.

Application Policy

An application policy is a functional policy that specifies a set of permissions that an entity (the grantee: a principal or a code source) is allowed within an application, such as viewing web pages or modifying reports. That is, it specifies who can do what in an application. An application policy uses:

■ Principals as grantees, and must have at least one principal.
■ Either one or more permissions, or an entitlement, but not both. Policies that use an entitlement are called entitlement-based policies; policies that use one or more permissions are called resource-based policies.

Figure 2–1 illustrates the application policy model.
Figure 2–1 Application Policy Logical Model

OPSS Subject

An OPSS subject is a collection of principals and, possibly, user credentials such as passwords or cryptographic keys. The server authentication populates the subject with users and groups, and then augments the subject with application roles. The OPSS subject is key in identity propagation with other Oracle Identity Management products, such as OAM. For details about how anonymous data is handled, see Section 2.4.1, Anonymous Support and Subject.

Security Stores

The identity store is the repository of enterprise users and groups and must be LDAP-based. Out of the box, the identity store is the WebLogic LDAP DefaultAuthenticator. Other types of identity stores include Oracle Internet Directory, Sun Directory Server, and Oracle Virtual Directory.

The policy store is the repository of application and system policies. This store is administered with Oracle Enterprise Manager Fusion Middleware Control.

The credential store is the repository of credentials. This store is administered with Oracle Enterprise Manager Fusion Middleware Control.

The OPSS security store is the logical repository of system and application-specific policies, credentials, and keys. The only type of LDAP-based OPSS security store supported is Oracle Internet Directory. For details, see Chapter 3, Understanding Identities, Policies, and Credentials.

Other Terms

A system component is a manageable process that is not a WebLogic component. Examples include Oracle Internet Directory, WebCache, and Java SE components.

A Java component is a peer of a system component, but managed by an application server container. Generally it refers to a collection of applications and resources in a one-to-one relationship with a domain extension template. Examples include Oracle SOA applications and Oracle WebCenter Spaces.
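The terms above (application role, principal, resource-based application policy) map directly onto the file-based form of the OPSS policy store, jazn-data.xml. The fragment below is an added illustration written for this page, not an excerpt from the guide or from any shipped product file; the application name MyApp, the roles developerAppRole and managerAppRole, the enterprise group developers and the resource names are assumed. It shows one application role whose members are an enterprise group from the identity store (the role-to-group mapping) and a second, nested application role, plus one resource-based policy whose grantee is that application role.

```xml
<jazn-data>
  <policy-store>
    <applications>
      <application>
        <name>MyApp</name>
        <app-roles>
          <!-- Application role whose members are an enterprise group
               (WebLogic group principal) and another application role. -->
          <app-role>
            <name>developerAppRole</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <class>weblogic.security.principal.WLSGroupImpl</class>
                <name>developers</name>
              </member>
              <member>
                <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                <name>managerAppRole</name>
              </member>
            </members>
          </app-role>
          <app-role>
            <name>managerAppRole</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
          </app-role>
        </app-roles>
        <jazn-policy>
          <!-- Resource-based application policy: one principal as grantee,
               one permission (who can do what). -->
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>developerAppRole</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.security.jps.ResourcePermission</class>
                <name>resourceType=SourceRepo,resourceName=main</name>
                <actions>read</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

Because managerAppRole is listed as a member of developerAppRole, any subject carrying managerAppRole also satisfies the grant above without a second grant; the enterprise group developers gets the same permission through the mapping, in addition to whatever it is granted elsewhere.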

2.2 Role Mapping

OPSS supports many-to-many mapping of application roles in the policy store to enterprise groups in the identity store, which allows users in enterprise groups to access application resources as specified by application roles. Since this mapping is many-to-many, it is alternatively referred to as the role-to-group mapping or as the group-to-role mapping.

Notes: Oracle JDeveloper allows specifying this mapping when the application is being developed in that environment. Alternatively, the mapping can also be specified, after the application has been deployed, using OPSS scripts, Fusion Middleware Control, or Oracle Entitlements Server, as explained in Section 9.2.2, Managing Application Roles.

The mapping of an application role to an enterprise group rewrites the privileges of the enterprise group as the union of its own privileges and those of the mapped application role. Therefore, it possibly augments the privileges of the enterprise group but never removes any from it.

2.2.1 Permission Inheritance and the Role Hierarchy

OPSS roles can be structured hierarchically by the relation "is a member of." Thus a role can have as members users or other roles. In a role hierarchy, role members inherit permissions from the parent role. Thus, if roleA is a member of roleB, then all permissions granted to roleB are also permissions granted to roleA. Of course, roleA may have its own particular permissions, but, just by being a member of roleB, roleA inherits all the permissions granted to roleB.

Important: When building a role hierarchy, ensure that you do not introduce circular dependencies, to prevent unwanted behavior. For example, setting roleA to be a member of roleB, and roleB to be a member of roleA, would create such a circular dependency.

For details about managing an application role hierarchy with OPSS scripts, see Section 9.3.4, grantAppRole, and Section 9.3.5, revokeAppRole. For details about managing an application role hierarchy with Oracle Entitlements Server, see Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

The following example illustrates a role hierarchy consisting of the following nested application users and roles:

■ The role developerAppRole has the following members:
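Independently of the guide's own example, the following added Python model (written for this page; it is not OPSS code and consults no real policy store) works through the three rules stated in Section 2.2 and 2.2.1 together: permissions flow down the "is a member of" relation, a role-to-group mapping only ever adds to a group's privileges, and a membership edge that would close a cycle is refused. The names developerAppRole, managerAppRole, developers, alice, bob and the resources are constructed sample data.

```python
"""Model of the OPSS application policy and role hierarchy described above.

Added illustration, not code from the Oracle guide or from OPSS itself. The
role, group, user and resource names below are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """A resource/action pair, standing in for an OPSS permission class."""
    resource: str
    action: str


class PolicyStore:
    """Application roles, their members, and resource-based grants.

    Membership is stored as role -> {member}; a member may be a user, an
    enterprise group from the identity store, or another application role.
    """

    def __init__(self) -> None:
        self._members: dict[str, set[str]] = defaultdict(set)
        self._grants: dict[str, set[Permission]] = defaultdict(set)

    def roles_of(self, principal: str) -> set[str]:
        """All application roles the principal is a member of, directly or
        through nested roles: these are the roles it inherits permissions from."""
        found: set[str] = set()
        stack = [principal]
        while stack:
            current = stack.pop()
            for role, members in self._members.items():
                if current in members and role not in found:
                    found.add(role)
                    stack.append(role)
        return found

    def add_member(self, role: str, member: str) -> None:
        """Make `member` a member of `role` (what grantAppRole does), refusing
        the circular dependency the guide warns about: if `role` is already a
        (transitive) member of `member`, this edge would close a cycle."""
        if member == role or member in self.roles_of(role):
            raise ValueError(f"{member} -> {role} would create a circular role dependency")
        self._members[role].add(member)

    def grant(self, principal: str, *permissions: Permission) -> None:
        """A resource-based application policy: one grantee, at least one permission."""
        if not permissions:
            raise ValueError("a resource-based policy needs at least one permission")
        self._grants[principal].update(permissions)

    def subject_principals(self, user: str, groups: set[str]) -> set[str]:
        """The principals of the OPSS subject: the user and enterprise groups that
        authentication supplied, augmented with every application role reachable
        from them through 'is a member of'."""
        principals = {user, *groups}
        for p in list(principals):
            principals |= self.roles_of(p)
        return principals

    def permissions_of(self, user: str, groups: set[str]) -> set[Permission]:
        """Union of the permissions granted to any principal in the subject."""
        subject = self.subject_principals(user, groups)
        return set().union(*(self._grants.get(p, set()) for p in subject))

    def check(self, user: str, groups: set[str], resource: str, action: str) -> bool:
        return Permission(resource, action) in self.permissions_of(user, groups)


def build_sample_store() -> PolicyStore:
    """Constructed sample data (not from the guide)."""
    store = PolicyStore()
    # Role-to-group mapping: the enterprise group "developers" becomes a member
    # of developerAppRole, so its users gain that role's permissions.
    store.add_member("developerAppRole", "developers")
    # Nested role: managerAppRole is a member of developerAppRole and therefore
    # inherits everything granted to developerAppRole.
    store.add_member("developerAppRole", "managerAppRole")
    store.add_member("managerAppRole", "alice")
    store.grant("developerAppRole", Permission("SourceRepo", "read"))
    store.grant("managerAppRole", Permission("Report", "modify"))
    # The group keeps a privilege of its own; the mapping only adds to it.
    store.grant("developers", Permission("WikiPage", "view"))
    return store


def creates_cycle(store: PolicyStore, role: str, member: str) -> bool:
    """True if adding the membership edge is rejected as circular."""
    try:
        store.add_member(role, member)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    store = build_sample_store()
    print("bob (developers) can read SourceRepo:", store.check("bob", {"developers"}, "SourceRepo", "read"))
    print("alice's roles:", sorted(store.roles_of("alice")))
    print("cycle rejected:", creates_cycle(store, "managerAppRole", "developerAppRole"))
```

The cycle check in add_member is the part worth carrying over to any real tooling that scripts grantAppRole: the edge member -> role is safe only if role is not already reachable from member, which is exactly the roleA/roleB case the guide describes.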