7-16 Oracle Fusion Middleware Security and Administrators Guide for Web Services Figure 7–8 Assertion Belonging to Two Categories ■ A security policy can contain any number of security_log_template assertions. For example, if you view any of the predefined security policies, you will see two logging assertions included. Oracle recommends that you create one policy for authentication and message protection, and a second policy for authorization. If you create a policy that contains both an authentication and an authorization assertion, then the authentication assertion must precede the authorization assertion. When you validate your policies, the validation process checks to see that your policies meet these requirements. If the validation fails during policy creation, the policy is created but is marked as disabled. Validating a Policy Policies can be validated from the Create Policy and Edit Policy pages. To validate a policy: 1. From the Create Policy or Edit Policy page, make any changes to your policy.

2. Click Validate.

If successful, the Validation successful message appears. If not successful, the resulting error message describes the problem. Editing Web Service Policies You can make changes to the policies you create or to the predefined policies that come with the product. However, Oracle recommends that you do not change the predefined policies so that you will always have a known set of valid policies to work with. The changes take effect at the next polling interval for policy changes. If you are using a database-based metadata repository, each time you save a change to your policy, a new version is created, and the older versions are retained. To edit Web service policies: 1. Navigate to the Web Services Policy page, as described in Navigating to the Web Services Policies Page in Fusion Middleware Control on page 7-2.

2. From the Web Services Policies page, select a policy from the Policies table and

click Edit. 3. On the Edit Policy page, make the changes to the policy.

4. Click Save.