5. Advanced Topics
5.1. Data Access Control: Principles
This chapter describes the entity access control mechanism, which defines permissions for users and groups to access structures in Oracle Service Registry. There are two types of user groups: public and private. Both public and private groups are visible to all users in the registry, meaning that all users are able to see which groups exist. Public and private groups differ in that members of public groups are visible to all users of the registry, whereas members of private groups are visible only to the owner of the group.

Note: There are other permissions in Oracle Service Registry used to control access to APIs and their operations. API permissions are relations between the user or group and an operation only. Please see Section 6, Permissions: Principles in the Administration Guide for details. Permission in this chapter is limited to Data Access Permission (ACL permission).

We use the following terms with regard to ACL permissions:

• Party: A user or group of users.
• Core Structure: One of the major UDDI data structures: businessEntity, businessService, bindingTemplate or tModel.
• Action: An operation (find, get, save, or delete) on the entity, plus the special action create, which means to save sub-entities. For example, a user with the create permission on a businessService can save new bindingTemplates under the businessService, but cannot update the whole businessService. Note that the create permission makes sense only on businessEntity and businessService, because bindingTemplates and tModels have no sub-entities.

Standard UDDI access control defines that only the owner of a UDDI core structure can update or delete it. Every user can find or get the structure, with the exception that deleted (hidden) tModels are visible to get_tModelDetail but not to the find_tModel operation. ACLs (Access Control Lists) added to a UDDI entity can override standard UDDI access control, as there are several cases in which standard access control is not sufficient. Examples:

• When a Web service is under construction, its UDDI representation (businessService and bindingTemplate) should be visible only to members of the development team. Arbitrary users should not be able to obtain it in the result set of get_serviceDetail or find_service operations. Moreover, a get_businessDetail or find_business operation result, which includes the superior businessEntity, should not give away the existence of the businessService.
• On the other hand, when the server where the service prototype is running goes down, the administrator should be able to deploy the Web service on another server and repair the service endpoint in the accessPoint within its bindingTemplate, despite not being the owner of the bindingTemplate.

5.1.1. Explicit Permissions

An explicit permission gives (positive permission) or revokes (negative permission) access rights to a party to process an action on a specified entity. Explicit permissions are saved with the entity as special keyedReferences in the categoryBag. For more information, please see Setting ACLs on UDDI v3 Structures and Setting ACLs on UDDI v1 and v2 Structures below.

5.1.2. Permission Rules

When no explicit permission is set for the find/get action on an entity, everyone can find/get it. When no explicit permission is set for the save/delete action on an entity, only the owner of the entity can save/delete it. This is the standard UDDI access control. When an explicit permission is set for an action, a completely different access control is used, which is defined by the following rules:

1. The owner always has full control. The owner can always process an operation over an owned entity, even if the permission is explicitly revoked.
2. Negative permission for a user overrides positive permission for the same user. Example: User U has explicit positive permission on businessEntity BE for the get action. However, if U also has explicit negative permission on BE for the get action, then an attempt to process get_businessDetail by user U on BE will fail.
3. Negative permission for a group overrides positive permission for a group. Example: User U belongs to groups G1 and G2. Group G1 has explicit positive permission on BE for the get action. Group G2 has explicit negative permission on BE for the get action. Because of this negative permission, any attempt to process get_businessDetail by user U on BE will fail.
4. Permission for a user has more weight than permission for a group. Example: User U has explicit positive permission on businessEntity BE for the get action. Group G, to which U belongs, has explicit negative permission on BE for the get action. User U can process get_businessDetail on BE, even though U belongs to group G.
5. The owner of an entity can always process get_XXX on a direct sub-entity. Example: User U1 owns businessEntity BE. U1 as owner grants create permission to user U2. Then U2 saves a new businessService BS with bindingTemplate BT under BE. When user U1 executes get_businessDetail, U1 obtains BE with BS but without BT, because BT is not a direct sub-element of BE.
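The rules above written out as a small evaluator (an added example in Python, not Oracle Service Registry code): it implements rules 1 to 4 together with the standard UDDI defaults and replays the page's own U/G examples. The `Permission` and `Entity` classes, `is_allowed` and `demo` are constructed here; the keyedReference encoding and rule 5's sub-entity handling are left out, and the outcome for a user named by no explicit permission is an assumption marked in the code.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Permission:
    party: str        # user or group name
    is_group: bool    # True when `party` names a group
    action: str       # find, get, save, delete or create
    positive: bool    # True grants, False revokes

@dataclass
class Entity:
    key: str
    owner: str
    acl: list = field(default_factory=list)  # explicit Permission entries

def is_allowed(entity, user, groups, action):
    """Decide whether `user` (member of `groups`) may run `action` on `entity`."""
    # Rule 1: the owner always has full control, even when explicitly revoked.
    if user == entity.owner:
        return True
    explicit = [p for p in entity.acl if p.action == action]
    if not explicit:
        # Standard UDDI control: find/get open to everyone, the rest owner-only.
        return action in ("find", "get")
    # Rule 4: a permission addressed to the user outweighs any group permission.
    user_perms = [p.positive for p in explicit if not p.is_group and p.party == user]
    if user_perms:
        return all(user_perms)   # Rule 2: a negative user permission wins
    group_perms = [p.positive for p in explicit if p.is_group and p.party in groups]
    if group_perms:
        return all(group_perms)  # Rule 3: a negative group permission wins
    # Assumption (not stated on the page): explicit permissions exist for this
    # action but none names the user or its groups, so the user is denied.
    return False

def demo():
    """Replay the examples for rules 1-4 above on constructed entities."""
    be = Entity("BE", "U1", [Permission("U", False, "get", True),
                             Permission("G", True, "get", False)])
    rule4 = is_allowed(be, "U", {"G"}, "get")            # user grant beats group revoke
    be.acl.append(Permission("U", False, "get", False))  # U is now also explicitly revoked
    rule2 = is_allowed(be, "U", {"G"}, "get")            # negative user permission wins
    be2 = Entity("BE2", "U1", [Permission("G1", True, "get", True),
                               Permission("G2", True, "get", False)])
    rule3 = is_allowed(be2, "U", {"G1", "G2"}, "get")    # negative group permission wins
    be3 = Entity("BE3", "U1", [Permission("U1", False, "delete", False)])
    rule1 = is_allowed(be3, "U1", set(), "delete")       # owner ignores its own revocation
    return {"rule1": rule1, "rule2": rule2, "rule3": rule3, "rule4": rule4}
```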