Finding Code Artifacts for Customization (Part 3)

This series of documents is intended to illustrate the options that we have to map UIs to code artifacts and to inspect their structure. In previous articles we covered the process for finding code artifacts for customizations using the Page Composer and finding ADFbc objects related to the page using JDeveloper. In this article we will look at mapping security permissions to roles and users.

In order to test the customizations we will need to know the user with access to the page and the credential for that user. While the user can be determined from the policy and identity stores, the credential cannot, so it must be obtained from the system administrator.

These steps assume that the reader is familiar with the concepts of Fusion Application security, such as roles and permissions, covered in Fusion Security (Part 1: Overview).

Prerequisites

In order to follow this article you will need the ability to query the LDAP repository containing the users and enterprise roles. The LDAP can be queried using tools such as Authorization Policy Manager (APM) or various other browsing tools. In this article we use JXplorer, an open source option that can be downloaded here. Once it is installed, provide the connection information, e.g.:
Figure 1: LDAP connection

The connection details are the same as those used when creating the Integrated WLS domain in your development environment.

Finding security artifacts

These steps assume that the development environment uses a local file-based policy store (jazn-data.xml) and an LDAP-based identity store, a configuration commonly used in customization environments. Using an LDAP browser to navigate an LDAP-based policy store will be covered in future posts.

To determine the user to be used we first need to look into jazn-data.xml to understand the role hierarchy, and then use that information to query the LDAP. First we search jazn-data.xml for the page that we want to customize; in this example I used "AdminAndMonitorWorkAreaPage":

Figure 2: Resource

Next we use the resource name to find the permission set it belongs to (there may be several):

Figure 3: Permission Set

Next we find the application role to which the permission set is granted (there may be several):

Figure 4: Application Roles

Next we search through the role hierarchy until we find an enterprise role (aka job role; there could be several). In this case the structure is:

PER_HUMAN_RESOURCE_SPECIALIST_JOB
--> HRT_TALENT_HR_SPECIALIST_DUTY
----> HRA_PERFORMANCE_MGT_HR_SPECIALIST_DUTY
------> HRA_MONITOR_PERFORMANCE_DOCUMENT_MISSING_PRIV

Figure 5: More Application Roles


Figure 6: Even more Application Roles

The "PER_HUMAN_RESOURCE_SPECIALIST_JOB" is of class "weblogic.security.principal.WLSGroupImpl", so it is not an application role but an enterprise role. Since LDAP is used for the identity store, we will need to look into LDAP for the details of "PER_HUMAN_RESOURCE_SPECIALIST_JOB". Log in using an LDAP browser and navigate:

Figure 7: Fusion Enterprise Roles

Under the roles, find the one you are interested in, e.g. "PER_HUMAN_RESOURCE_SPECIALIST_JOB":

Figure 8: Fusion Enterprise Role

The users / roles that have access to the "PER_HUMAN_RESOURCE_SPECIALIST_JOB" are listed as "uniquemember" on the right. If the value has "cn=users" then it is granted to a specific user; if it has "cn=groups" then it is granted to another role. To access the page you need to use one of the users listed here ("brian james", "brian joseph") or another user that has been granted any of the roles listed here (i.e. "per_human_resource_manager_job"). Once you know the user you will need to contact the administrator for the password.
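The jazn-data.xml part of this lookup can also be scripted. The following is an added example, not part of the original article or of Oracle's tooling: it walks from the page resource to its permission sets, to the application roles they are granted to, and up the role hierarchy to the enterprise roles. The XML fragment is constructed, its element names assume the usual file-based policy store layout, and EXAMPLE_PERMISSION_SET is a placeholder name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal jazn-data.xml fragment. Element names assume the
# usual file-based policy store layout; EXAMPLE_PERMISSION_SET is a placeholder.
SAMPLE = """<jazn-data><policy-store><applications><application><app-roles>
 <app-role><name>HRA_MONITOR_PERFORMANCE_DOCUMENT_MISSING_PRIV</name><members><member>
  <name>HRA_PERFORMANCE_MGT_HR_SPECIALIST_DUTY</name>
  <class>oracle.security.jps.service.policystore.ApplicationRole</class></member></members></app-role>
 <app-role><name>HRA_PERFORMANCE_MGT_HR_SPECIALIST_DUTY</name><members><member>
  <name>HRT_TALENT_HR_SPECIALIST_DUTY</name>
  <class>oracle.security.jps.service.policystore.ApplicationRole</class></member></members></app-role>
 <app-role><name>HRT_TALENT_HR_SPECIALIST_DUTY</name><members><member>
  <name>PER_HUMAN_RESOURCE_SPECIALIST_JOB</name>
  <class>weblogic.security.principal.WLSGroupImpl</class></member></members></app-role>
</app-roles><permission-sets><permission-set><name>EXAMPLE_PERMISSION_SET</name>
 <member-resources><member-resource><resource-name>AdminAndMonitorWorkAreaPage</resource-name>
 </member-resource></member-resources></permission-set></permission-sets>
<jazn-policy><grant><grantee><principals><principal>
 <name>HRA_MONITOR_PERFORMANCE_DOCUMENT_MISSING_PRIV</name></principal></principals></grantee>
 <permission-set-refs><permission-set-ref><name>EXAMPLE_PERMISSION_SET</name>
 </permission-set-ref></permission-set-refs></grant></jazn-policy>
</application></applications></policy-store></jazn-data>"""

ENTERPRISE = "weblogic.security.principal.WLSGroupImpl"

def enterprise_roles_for(xml_text, page):
    root = ET.fromstring(xml_text)
    # Step 1: permission sets whose member resources mention the page.
    psets = {ps.findtext("name") for ps in root.iter("permission-set")
             if any(page in (r.text or "") for r in ps.iter("resource-name"))}
    # Step 2: application roles granted any of those permission sets.
    todo = [p.findtext("name") for g in root.iter("grant")
            if psets & {r.findtext("name") for r in g.iter("permission-set-ref")}
            for p in g.iter("principal")]
    # Step 3: walk up through role members until enterprise roles are reached.
    members = {r.findtext("name"): [(m.findtext("name"), m.findtext("class"))
               for m in r.iter("member")] for r in root.iter("app-role")}
    seen, found = set(), set()
    while todo:
        role = todo.pop()
        if role in seen:
            continue  # guard against cycles in the hierarchy
        seen.add(role)
        for name, cls in members.get(role, []):
            if cls == ENTERPRISE:
                found.add(name)
            else:
                todo.append(name)
    return sorted(found)
```

The returned enterprise role names are the ones to look up under the roles in the LDAP browser to find the "uniquemember" users.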

Summary

In order to test the customizations implemented with JDeveloper we will need to know the user with access to the page being customized and the credentials for that user. To determine the user we need to understand the role hierarchy related to the page. Any new permission would be granted at the appropriate level in the role hierarchy.
