Finding Code Artifacts for Customization (Part 3)
By Jani Rautiainen on May 28, 2013
This series of documents illustrates the options we have for mapping UIs to code artifacts and inspecting their structure. In previous articles we covered the process of finding code artifacts for customizations using Page Composer and finding ADF BC objects related to the page using JDeveloper. In this article we look at mapping security permissions to roles and users.
In order to test the customizations we need to know a user with access to the page and that user's credentials. While the user can be determined from the policy and identity stores, the credentials cannot, so they must be obtained from the system administrator.
These steps assume that the reader is familiar with Fusion Applications security concepts such as roles and permissions, which are covered in Fusion Security (Part 1: Overview).
To follow this article you will need the ability to query the LDAP repository containing the users and enterprise roles. The LDAP can be queried with various tools, such as Authorization Policy Manager (APM) or other LDAP browsers. In this article we use JXplorer, an open source option that can be downloaded here. Once it is installed, provide the connection information, e.g.:
The connection details are the same that were used when creating the Integrated WLS domain in your development environment.
Finding security artifacts
These steps assume that the development environment uses a local file-based policy store (jazn-data.xml) and an LDAP-based identity store, the configuration commonly used in customization environments. Using an LDAP browser to navigate an LDAP-based policy store will be covered in future posts.
To determine the user to use, we first need to look into jazn-data.xml to understand the role hierarchy, and then use that information to query the LDAP. First we search jazn-data.xml for the page we want to customize; in this example I used "AdminAndMonitorWorkAreaPage":
Next we use the resource name to find the permission set it belongs to (there may be several):
Next we find the application role to which the permission set is granted (there may be several):
Next we search through the role hierarchy until we find an enterprise role (also known as a job role; there could be several). In this case the structure is:
The "PER_HUMAN_RESOURCE_SPECIALIST_JOB" is of class "weblogic.security.principal.WLSGroupImpl", so it is not an application role but an enterprise role. Since LDAP is used as the identity store, we need to look in LDAP for the details of "PER_HUMAN_RESOURCE_SPECIALIST_JOB". Log in using an LDAP browser and navigate:
Under the roles, find the one you are interested in, e.g. "PER_HUMAN_RESOURCE_SPECIALIST_JOB":
The users and roles that have access to "PER_HUMAN_RESOURCE_SPECIALIST_JOB" are listed as "uniquemember" on the right. If the value contains "cn=users" it is granted to a specific user; if it contains "cn=groups" it is granted to another role. To access the page you need to use one of the users listed here ("brian james", "brian joseph") or another user that has been granted any of the roles listed here (i.e. "per_human_resource_manager_job"). Once you know the user, contact the administrator for the password.
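As an added illustration (not code from the original article), the lookup chain above as a script: it walks a constructed, simplified fragment laid out like jazn-data.xml from the page resource through permission set, grant and nested application roles to the WLSGroupImpl enterprise role, then splits that group's uniquemember values into direct users and roles that inherit the access. The element names, the application role names and the DN suffix are assumptions; only the page, job role and member names come from the article.

```python
import xml.etree.ElementTree as ET
# Constructed, simplified XML laid out like the jazn-data.xml policy store (not a real file;
# element and application role names are assumptions): page -> permission set -> grant -> roles.
JAZN_SAMPLE = """<jazn-data>
 <permission-sets><permission-set><name>ADMIN_MONITOR_PS</name><member-resources>
  <member-resource><resource-name>AdminAndMonitorWorkAreaPage</resource-name></member-resource>
 </member-resources></permission-set></permission-sets>
 <app-roles><app-role><name>HR_ADMIN_DUTY</name><members><member>
   <class>oracle.security.jps.service.policystore.ApplicationRole</class>
   <name>HR_SPECIALIST_DUTY</name></member></members></app-role>
  <app-role><name>HR_SPECIALIST_DUTY</name><members><member>
   <class>weblogic.security.principal.WLSGroupImpl</class>
   <name>PER_HUMAN_RESOURCE_SPECIALIST_JOB</name></member></members></app-role></app-roles>
 <grants><grant><principal-name>HR_ADMIN_DUTY</principal-name>
  <permission-set-ref>ADMIN_MONITOR_PS</permission-set-ref></grant></grants>
</jazn-data>"""
ENTERPRISE_CLASS = "weblogic.security.principal.WLSGroupImpl"

def enterprise_roles_for_page(xml_text, page):
    # Page resource -> permission sets -> granted app roles -> walk members to enterprise roles.
    root = ET.fromstring(xml_text)
    psets = {ps.findtext("name") for ps in root.iter("permission-set")
             if any(r.text == page for r in ps.iter("resource-name"))}
    todo = [g.findtext("principal-name") for g in root.iter("grant")
            if g.findtext("permission-set-ref") in psets]
    app_roles = {ar.findtext("name"): ar for ar in root.iter("app-role")}
    found, seen = set(), set()
    while todo:
        role = todo.pop()
        if role in seen or role not in app_roles:
            continue
        seen.add(role)  # guard against cycles in the hierarchy
        for m in app_roles[role].iter("member"):
            if m.findtext("class") == ENTERPRISE_CLASS:
                found.add(m.findtext("name"))    # enterprise (job) role: look it up in LDAP
            else:
                todo.append(m.findtext("name"))  # nested application role: keep walking
    return sorted(found)

# Constructed stand-in for the uniquemember values an LDAP browser shows on the group entry.
LDAP_GROUPS = {"PER_HUMAN_RESOURCE_SPECIALIST_JOB": [
    "cn=brian james,cn=users,dc=example,dc=com",
    "cn=brian joseph,cn=users,dc=example,dc=com",
    "cn=per_human_resource_manager_job,cn=groups,dc=example,dc=com"]}

def split_members(role):
    # Direct users (cn=users) vs. roles whose members inherit the access (cn=groups).
    users, groups = [], []
    for dn in LDAP_GROUPS.get(role, []):
        rdn = dn.split(",")[0].split("=", 1)[1]
        (users if ",cn=users," in dn else groups).append(rdn)
    return users, groups
```

Running `enterprise_roles_for_page(JAZN_SAMPLE, "AdminAndMonitorWorkAreaPage")` yields the job role, and `split_members` on it gives the two users to ask the administrator about plus the role whose members also qualify.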
To test customizations implemented with JDeveloper we need to know a user with access to the page being customized and that user's credentials. To determine the user we need to understand the role hierarchy related to the page; any new permission would be granted at the appropriate level in that hierarchy.