
Oracle Fusion Middleware Application Security Guide
Manually Configuring Java EE Applications to Use OPSS

    <app-role>
      <class>weblogic.security.principal.WLSGroupImpl</class>
      <name>applicationDeveloperRole</name>
      <display-name>application role applicationDeveloperRole</display-name>
      <members>
        <member>
          <class>weblogic.security.principal.WLSGroupImpl</class>
          <name>developers</name>
        </member>
      </members>
    </app-role>

    <!-- app role applicationDeveloperRole in system-jazn-data.xml after migration:
         notice how the role developers has been excluded -->
    <app-role>
      <name>applicationDeveloperRole</name>
      <display-name>application role applicationDeveloperRole</display-name>
      <guid>CB3633A0D0E811DDBF08952E56E4544A</guid>
      <class>weblogic.security.principal.WLSGroupImpl</class>
    </app-role>

    <!-- Example 2: app role viewerApplicationRole in jazn-data.xml makes reference
         to the anonymous role -->
    <app-role>
      <name>viewerApplicationRole</name>
      <display-name>viewerApplicationRole</display-name>
      <class>weblogic.security.principal.WLSGroupImpl</class>
      <members>
        <member>
          <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
          <name>anonymous-role</name>
        </member>
      </members>
    </app-role>

    <!-- app role viewerApplicationRole in system-jazn-data.xml after migration:
         notice that references to the anonymous role are never excluded -->
    <app-role>
      <name>viewerApplicationRole</name>
      <display-name>viewerApplicationRole</display-name>
      <guid>CB3D86A0D0E811DDBF08952E56E4544A</guid>
      <class>weblogic.security.principal.WLSGroupImpl</class>
      <members>
        <member>
          <class>oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl</class>
          <name>anonymous-role</name>
        </member>
      </members>
    </app-role>

jps.policystore.removal

This parameter specifies whether the removal of policies at undeployment should not take place.

On WebLogic, it is configured as illustrated in the following fragment:

    <wls:application-param>
      <wls:param-name>jps.policystore.removal</wls:param-name>
      <wls:param-value>OFF</wls:param-value>
    </wls:application-param>

For details about the configuration of this parameter on WebSphere, see Oracle Fusion Middleware Third-Party Application Server Guide.

When set, the parameter’s value must be OFF. By default, it is not set. Set to OFF to prevent the removal of policies; if not set, policies are removed.

The above setting should be considered when multiple applications are sharing the same application stripe. The undeploying application would choose not to remove application policies because other applications may be using the common set of policies.

jps.policystore.migration.validate.principal

This parameter is supported on WebLogic only, and it specifies whether the check for principals in system and application policies at deployment or redeployment should take place.

It is configured as illustrated in the following fragment:

    <wls:application-param>
      <wls:param-name>jps.policystore.migration.validate.principal</wls:param-name>
      <wls:param-value>TRUE</wls:param-value>
    </wls:application-param>

When set, the parameter’s value must be TRUE or FALSE.

When set to TRUE the system checks the validity of enterprise users and groups: if a principal in an application or system policy refers to an enterprise user or group not found in the identity store, a warning is issued. When set to FALSE, the check is skipped.

If not set, the parameter value defaults to FALSE.

Validation errors are logged in the server log, and they do not terminate the operation.
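The value rules for jps.policystore.removal and jps.policystore.migration.validate.principal can be checked against a deployment descriptor before deployment. The following Python audit is an added example, not part of the Oracle guide; the sample descriptor (including its root element and namespace URI), the function names, and the case-sensitive comparison of values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor; root element and namespace URI are assumptions.
SAMPLE = """<wls:weblogic-application
    xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-application">
  <wls:application-param>
    <wls:param-name>jps.policystore.removal</wls:param-name>
    <wls:param-value>OFF</wls:param-value>
  </wls:application-param>
  <wls:application-param>
    <wls:param-name>jps.policystore.migration.validate.principal</wls:param-name>
    <wls:param-value>TRUE</wls:param-value>
  </wls:application-param>
</wls:weblogic-application>"""

REMOVAL = "jps.policystore.removal"
VALIDATE = "jps.policystore.migration.validate.principal"
# Value -> outcome, as stated in the parameter descriptions; None = not set.
OUTCOMES = {
    REMOVAL: {None: "policies removed", "OFF": "policies kept"},
    VALIDATE: {None: "check skipped", "FALSE": "check skipped",
               "TRUE": "principals checked"},
}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def read_params(xml_text):
    """Return {param-name: param-value} for every application-param element."""
    params = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) == "application-param":
            fields = {local(c.tag): (c.text or "").strip() for c in elem}
            params[fields.get("param-name", "")] = fields.get("param-value", "")
    return params

def audit(xml_text):
    """Return ({param: outcome}, [findings]) for the two OPSS parameters."""
    params = read_params(xml_text)
    effective, findings = {}, []
    for name, table in OUTCOMES.items():
        value = params.get(name)  # None when the parameter is not set
        effective[name] = table.get(value, "unspecified")
        if value not in table:  # assumption: values compared case-sensitively
            allowed = sorted(v for v in table if v is not None)
            findings.append(f"{name}={value!r}: expected one of {allowed}")
    return effective, findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An outcome of "unspecified" marks a value outside the documented set, for which the guide gives no defined behavior.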

21.4.2 Policy Parameter Configuration According to Behavior

This section describes the settings required to manage application policies with the following behaviors:

■ To Skip Migrating All Policies
■ To Migrate All Policies with Merging
■ To Migrate All Policies with Overwriting
■ To Remove or Prevent the Removal of Application Policies
■ To Migrate Policies in a Static Deployment

Any value settings other than the ones described in the following sections are not recommended and may lead to unexpected migration behavior. For more details, see Recommendations.

Note: Deciding to set jps.policystore.removal to OFF for a given application requires knowing, at the time the application is deployed, whether the application stripe is shared by other applications.