Oracle SOA Suite 11g has a policy-based authorization mechanism that determines which permissions a user has when accessing infrastructure resources. Users or groups are mapped to an application role, a virtual group defined in a centralized policy store, to access protected application server resources. Application roles provide authorization by decoupling your application-level permissions from the principals defined in identity stores: any change to users or groups in the backend store is automatically reflected in their permissions when they access protected resources.
Oracle SOA Suite 11g defines a set of predefined application roles in its default policy store, which is file-based and available in the $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml file.
A definition of an application role such as that of the SOADesigner role is shown in the following code snippet:
<app-role>
  <name>SOADesigner</name>
  <display-name>SOA Designer</display-name>
  <description>SOA Designer</description>
  <guid>81F7F169651A11E0AF6A79660AB4F93C</guid>
  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
  <members>
    <member>
      <class>weblogic.security.principal.WLSGroupImpl</class>
      <name>Administrators</name>
    </member>
    <member>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <name>SOAAdmin</name>
      <guid>81F7F160651A11E0AF6A79660AB4F93C</guid>
    </member>
    <member>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class>
      <name>BPMWorkflowAdmin</name>
      <guid>81F7F165651A11E0AF6A79660AB4F93C</guid>
    </member>
  </members>
</app-role>
Notice that the SOADesigner role contains preconfigured members, defined in the server by default, such as the Administrators group and the SOAAdmin and BPMWorkflowAdmin application roles, and is implemented by the oracle.security.jps.service.policystore.ApplicationRole class. Principals available in an identity or directory server, such as existing organizational users and groups, can be added either to the logical groups associated with an application role or explicitly to the application role itself.
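Because application roles can be nested (SOADesigner includes SOAAdmin and BPMWorkflowAdmin as members), the set of real users and groups that can act as a role is not visible from one <app-role> element alone. As an added example, not code from the book or from Oracle's tooling, the following Python script parses app-role definitions in the shape shown above and expands nested membership so an administrator can audit which users and groups ultimately hold a given role; the sample policy store, including the hypothetical workflowsystem user in BPMWorkflowAdmin, is constructed for illustration.

```python
import xml.etree.ElementTree as ET

APP_ROLE_CLASS = "oracle.security.jps.service.policystore.ApplicationRole"
GROUP = "weblogic.security.principal.WLSGroupImpl"

# Constructed sample shaped like $DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml (hypothetical membership).
SAMPLE_JAZN = f"""<jazn-data><policy-store><applications><application><name>soa-infra</name>
<app-roles>
 <app-role><name>SOAAdmin</name><members>
  <member><class>{GROUP}</class><name>Administrators</name></member>
 </members></app-role>
 <app-role><name>BPMWorkflowAdmin</name><members>
  <member><class>{GROUP}</class><name>Administrators</name></member>
  <member><class>weblogic.security.principal.WLSUserImpl</class><name>workflowsystem</name></member>
 </members></app-role>
 <app-role><name>SOADesigner</name><members>
  <member><class>{GROUP}</class><name>Administrators</name></member>
  <member><class>{APP_ROLE_CLASS}</class><name>SOAAdmin</name></member>
  <member><class>{APP_ROLE_CLASS}</class><name>BPMWorkflowAdmin</name></member>
 </members></app-role>
</app-roles></application></applications></policy-store></jazn-data>"""

def _local(tag):  # strip any xmlns prefix so lookups also work on namespaced files
    return tag.rsplit("}", 1)[-1]

def _child_text(el, name):
    return next(c.text.strip() for c in el if _local(c.tag) == name)

def parse_app_roles(xml_text):
    """Map each <app-role> name to its list of (member class, member name) pairs."""
    roles = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "app-role":
            members = [(_child_text(m, "class"), _child_text(m, "name"))
                       for m in el.iter() if _local(m.tag) == "member"]
            roles[_child_text(el, "name")] = members
    return roles

def effective_principals(roles, role, seen=None):
    """Expand nested application roles into the users/groups that can act as `role`."""
    seen = {role} if seen is None else seen
    found = set()
    for cls, name in roles.get(role, []):
        if cls == APP_ROLE_CLASS:
            if name not in seen:             # guard against cyclic role nesting
                seen.add(name)
                found |= effective_principals(roles, name, seen)
        else:
            found.add(f"{cls.rsplit('.', 1)[-1]}:{name}")
    return found
```

Running `effective_principals(parse_app_roles(SAMPLE_JAZN), "SOADesigner")` on the sample shows that the workflowsystem user reaches SOADesigner only through BPMWorkflowAdmin, which is the kind of indirect grant worth reviewing when real directory principals are added to roles.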
Configuring and Administering Oracle SOA Suite 11g described how to configure an external LDAP server and map real users to application roles.