Adding Policy Conditions

  1. Access the policy editor for an access control policy. See Editing Transport-Level Access Policies or Editing Message-Level Access Policies.
  2. In the policy editor, under Policy Conditions, click Add Condition.
  3. The following prompt is displayed:

    Choose the predicate you wish to use as your new condition

  4. Select a predicate from the list.
  5. Click Next.
  6. Depending on the condition predicate you chose, complete the corresponding steps shown in Table 22-12.
    Table 22-12 Condition Predicate Options 
    If You Selected...
    Complete These Steps...
    Role
    (For transport-level security, this condition applies only if the proxy service uses a protocol that enables a client to supply credentials.)
    1. In the Role Argument Name field, enter the name of the role to which you want to grant access.
      If you have not yet created this role, you can do so after you finish creating access control policies. See Adding Roles. Until the role exists, no caller satisfies this condition, so no one is granted access through it.
    2. Click Add.
    3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. Click Remove to remove an argument from the list.
    4. Do one of the following:
      To save the arguments and return to the predicate list, click Finish.
      To discard the changes and return to the predicate list, click Back.
      To discard the changes and return to the View Policy Details page, click Cancel.

    Group
    (For transport-level security, this condition applies only if the proxy service uses a protocol that enables a client to supply credentials.)
    1. In the Group Argument Name field, enter the name of the group to which you want to grant access.
      If you have not yet created this group, you can do so after you finish creating access control policies. See Adding Groups. Until the group exists, no caller satisfies this condition, so no one is granted access through it.
    2. Click Add.
    3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. Click Remove to remove an argument from the list.
    4. Do one of the following:
      To save the arguments and return to the predicate list, click Finish.
      To discard the changes and return to the predicate list, click Back.
      To discard the changes and return to the View Policy Details page, click Cancel.

    User
    (For transport-level security, this condition applies only if the proxy service uses a protocol that enables a client to supply credentials.)
    1. In the User Argument Name field, enter the name of the user to whom you want to grant access.
      If you have not yet created this user, you can do so after you finish creating access control policies. See Adding Users. Until the user exists, no caller satisfies this condition, so no one is granted access through it.
    2. Click Add.
    3. If necessary, repeat steps 1 and 2 until you have finished adding arguments. Click Remove to remove an argument from the list.
    4. Do one of the following:
      To save the arguments and return to the predicate list, click Finish.
      To discard the changes and return to the predicate list, click Back.
      To discard the changes and return to the View Policy Details page, click Cancel.

    Access occurs on specified days of the week
    1. In the Day of week field, enter the day of the week.
    2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
    3. Do one of the following:
      To save the arguments and return to the predicate list, click Finish.
      To discard the changes and return to the predicate list, click Back.
      To discard the changes and return to the View Policy Details page, click Cancel.

    Access occurs between specified hours
    1. In the Starting Time field, enter the earliest permissible time in the format hh:mm:ss AM|PM. For example, enter 12:45:00 AM.
    2. In the Ending Time field, enter the latest permissible time in the format hh:mm:ss AM|PM. For example, enter 5:00:00 PM.
    3. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
    4. Do one of the following:
      To save the arguments and return to the predicate list, click Finish.
      To discard the changes and return to the predicate list, click Back.
      To discard the changes and return to the View Policy Details page, click Cancel.

    Access occurs before or Access occurs after
    1. In the Date field, enter a date in the format mm/dd/yy. For example, enter 1/1/04. You can add an optional time in the format hh:mm:ss AM|PM. For example, you can enter 1/1/04 12:45:00 AM.
    2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
    3. Do one of the following:
      To save the arguments and return to the predicate list, click Finish.
      To discard the changes and return to the predicate list, click Back.
      To discard the changes and return to the View Policy Details page, click Cancel.

    Access occurs on a specified day of the month, Access occurs before a specified day of the month, or Access occurs after a specified day of the month
    1. In the The day of the month field, enter the ordinal number of the day within the current month, with values in the range -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month.
    2. In the GMT offset field, enter the time ahead of GMT in the format GMT+hh:mm, or behind GMT in the format GMT-hh:mm. For example, Eastern Standard Time in the USA is GMT-5:00.
    3. Do one of the following:
      To save the arguments and return to the predicate list, click Finish.
      To discard the changes and return to the predicate list, click Back.
      To discard the changes and return to the View Policy Details page, click Cancel.

    Context element's value equals a string constant
    (Applies only to transport-level security. A context element is a parameter/value pair that a container such as a Web container can optionally provide to a security provider. Context elements are not available for message-level access control policies.)
    1. In the Context element name field, enter the name of the context element whose value is to be evaluated. See Context Properties Are Passed to Security Providers for possible values.
    2. In the String Value field, enter the string value that you want to compare.
    3. Do one of the following:
      To save the arguments and return to the predicate list, click Finish.
      To discard the changes and return to the predicate list, click Back.
      To discard the changes and return to the View Policy Details page, click Cancel.

    Context element's value is greater than a numeric constant, Context element's value equals a numeric constant, or Context element's value is less than a numeric constant
    (Applies only to transport-level security. A context element is a parameter/value pair that a container such as a Web container can optionally provide to a security provider. Context elements are not available for message-level access control policies.)
    1. In the Context element name field, enter the name of the context element whose value is to be evaluated. See Context Properties Are Passed to Security Providers for possible values.
    2. In the Numeric Value field, enter the numeric value that you want to compare.
    3. Do one of the following:
      To save the arguments and return to the predicate list, click Finish.
      To discard the changes and return to the predicate list, click Back.
      To discard the changes and return to the View Policy Details page, click Cancel.

    Context element defined
    (Applies only to transport-level security. A context element is a parameter/value pair that a container such as a Web container can optionally provide to a security provider. Context elements are not available for message-level access control policies.)
    1. In the Context element name field, enter the name of the context element. See Context Properties Are Passed to Security Providers for possible values.
    2. Do one of the following:
      To save the arguments and return to the predicate list, click Finish.
      To discard the changes and return to the predicate list, click Back.
      To discard the changes and return to the View Policy Details page, click Cancel.

    Deny access to everyone, Allow access to everyone, or Server is in development mode
    These predicates take no arguments. Click Finish.
    Alternatively, click Cancel to discard the changes and return to the View Policy Details page.
    Note that Server is in development mode is satisfied by the server's run mode rather than by anything about the caller, so a condition based on it should not be relied on to protect a production resource.

  7. If necessary, repeat steps 2 through 6 to add expressions based on different policy conditions. In the Policy Conditions section, you can modify the expressions by completing the steps shown in Table 22-13.
    Table 22-13 Policy Conditions Options 
    To...
    Complete These Steps...
    Change the ordering of the selected expression.
    Select the check box associated with the condition, then click Move Up or Move Down.
    Combine or uncombine policy conditions, and switch the highlighted and/or operator between expressions.
    Select the check boxes associated with the appropriate conditions, then click Combine or Uncombine.
    Make a condition negative; for example, NOT Group Operators excludes the Operators group from the policy.
    Select the check box associated with the condition, then click Negate.
    Delete a selected expression.
    Select the check box associated with the condition, then click Remove.
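
Every time-based predicate in Table 22-12 is judged against the wall clock implied by its GMT offset, so the same request can satisfy a condition under one offset and fail it under another. The following Python model is added here as an illustration; it is not WebLogic or Oracle Service Bus code. It evaluates the day-of-week, between-hours, before/after and day-of-month predicates for a constructed sample instant (23:30 UTC on Sunday, 4 January 2004) under two offsets. The function names, the sample instant, the refusal of a Starting Time later than the Ending Time, and the reading of day-of-month value 0 as a day that no date in the current month is "on" or "before" are this example's assumptions; the page defines the field formats but not those details.

```python
"""Model of the time-based policy-condition predicates in Table 22-12.

Added illustration, not WebLogic or Oracle Service Bus code. It assumes the
semantics the page states: day of week, hour, date and day of month are judged
in the wall-clock time of the predicate's GMT offset, and the day-of-month
field runs from -31 to 31, with -1 the last day and 0 the day before the first.
"""
import calendar
import re
from datetime import datetime, time, timedelta, timezone

_GMT_RE = re.compile(r"^GMT([+-])(\d{1,2}):(\d{2})$")


def parse_gmt_offset(text: str) -> timezone:
    """Parse the GMT offset field, 'GMT+hh:mm' or 'GMT-hh:mm' (e.g. 'GMT-5:00')."""
    m = _GMT_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad GMT offset: {text!r}")
    sign, hh, mm = m.groups()
    delta = timedelta(hours=int(hh), minutes=int(mm))
    if delta > timedelta(hours=14):  # no real zone lies further from GMT
        raise ValueError(f"GMT offset out of range: {text!r}")
    return timezone(-delta if sign == "-" else delta)


def localize(instant: datetime, gmt_offset: str) -> datetime:
    """Shift a timezone-aware instant onto the wall clock of the given offset."""
    if instant.tzinfo is None:
        raise ValueError("instant must be timezone-aware")
    return instant.astimezone(parse_gmt_offset(gmt_offset))


def parse_clock(text: str) -> time:
    """Parse the 'hh:mm:ss AM|PM' format of the Starting Time / Ending Time fields."""
    return datetime.strptime(text.strip().upper(), "%I:%M:%S %p").time()


def parse_date(text: str) -> datetime:
    """Parse the Date field: 'mm/dd/yy', optionally followed by 'hh:mm:ss AM|PM'."""
    text = text.strip().upper()
    for fmt in ("%m/%d/%y %I:%M:%S %p", "%m/%d/%y"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"bad date: {text!r}")


def on_day_of_week(instant: datetime, day: str, gmt_offset: str) -> bool:
    """'Access occurs on specified days of the week', in the offset's local day."""
    local = localize(instant, gmt_offset)
    return calendar.day_name[local.weekday()].lower() == day.strip().lower()


def between_hours(instant: datetime, start: str, end: str, gmt_offset: str) -> bool:
    """'Access occurs between specified hours', inclusive at both ends.
    Assumption: the window lies within one local day; a Starting Time later
    than the Ending Time is refused because the page does not define wrap-around."""
    s, e = parse_clock(start), parse_clock(end)
    if s > e:
        raise ValueError("Starting Time must not be later than Ending Time")
    return s <= localize(instant, gmt_offset).time() <= e


def before(instant: datetime, date_text: str, gmt_offset: str) -> bool:
    """'Access occurs before' the given local date (and optional time)."""
    return localize(instant, gmt_offset).replace(tzinfo=None) < parse_date(date_text)


def after(instant: datetime, date_text: str, gmt_offset: str) -> bool:
    """'Access occurs after' the given local date (and optional time)."""
    return localize(instant, gmt_offset).replace(tzinfo=None) > parse_date(date_text)


def _day_index(local: datetime, n: int) -> int:
    """Resolve the -31..31 field value to a day number of the local month:
    positive n is the n-th day; -1 is the last day, -2 the one before, and so on;
    0 stays 0, the day before the first, so no day of the month is on or before it
    and every day is after it (assumption drawn from the page's description)."""
    if not -31 <= n <= 31:
        raise ValueError("day of month must be in the range -31 to 31")
    days_in_month = calendar.monthrange(local.year, local.month)[1]
    return n if n >= 0 else days_in_month + 1 + n


def on_day_of_month(instant: datetime, n: int, gmt_offset: str) -> bool:
    local = localize(instant, gmt_offset)
    return local.day == _day_index(local, n)


def before_day_of_month(instant: datetime, n: int, gmt_offset: str) -> bool:
    local = localize(instant, gmt_offset)
    return local.day < _day_index(local, n)


def after_day_of_month(instant: datetime, n: int, gmt_offset: str) -> bool:
    local = localize(instant, gmt_offset)
    return local.day > _day_index(local, n)


# Constructed sample instant: 23:30 UTC on Sunday, 4 January 2004.
SAMPLE = datetime(2004, 1, 4, 23, 30, tzinfo=timezone.utc)


def evaluate_sample() -> dict:
    """Same instant, two offsets: 18:30 Sunday in GMT-5:00, 00:30 Monday in GMT+1:00."""
    return {
        "sunday@GMT-5:00": on_day_of_week(SAMPLE, "Sunday", "GMT-5:00"),
        "sunday@GMT+1:00": on_day_of_week(SAMPLE, "Sunday", "GMT+1:00"),
        "9to5@GMT-5:00": between_hours(SAMPLE, "9:00:00 AM", "5:00:00 PM", "GMT-5:00"),
        "9to5@GMT-8:00": between_hours(SAMPLE, "9:00:00 AM", "5:00:00 PM", "GMT-8:00"),
        "after_1/5/04@GMT+1:00": after(SAMPLE, "1/5/04 12:00:00 AM", "GMT+1:00"),
        "after_1/5/04@GMT-5:00": after(SAMPLE, "1/5/04 12:00:00 AM", "GMT-5:00"),
        "day_-28@GMT-5:00": on_day_of_month(SAMPLE, -28, "GMT-5:00"),
        "after_day_0@GMT-5:00": after_day_of_month(SAMPLE, 0, "GMT-5:00"),
    }


if __name__ == "__main__":
    for name, result in evaluate_sample().items():
        print(f"{name}: {result}")
```

The pairs in evaluate_sample are the point: a Sunday-only condition with a GMT-5:00 offset admits the sample request, while the identical condition with GMT+1:00 rejects it, because the request falls on Monday in that zone. When a policy combines a time-based condition with a Role, Group or User condition, the offset chosen here decides when the grant is in force, so it should match the zone in which the access window was actually agreed.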

Related Topics

See Security Policy Conditions in Securing WebLogic Resources.