Manage Authorization

After a user is authenticated, further access to Publisher resources is controlled by the granting of permissions, also known as authorization.

The policy store contains the system and application-specific policies and roles required for Publisher. A policy store can be file-based or LDAP-based and holds the mapping definitions between the default Publisher application roles, permissions, users and groups. Publisher permissions are granted by mapping users and groups from the identity store to application roles and permission grants located in the policy store. These mapping definitions between users and groups (identity store) and the application roles (policy store) are also kept in the policy store.

Note:

Best practice is to map groups instead of individual users to application roles. Controlling membership in a group reduces the complexity of tracking access rights for multiple individual users. Group membership is controlled in the identity store.

The system-jazn-data.xml file is installed and configured as the default policy store. You can continue to use the default store and modify it as needed for your environment, or you can migrate its data to an LDAP-based provider.

The policy store and credential store must be of the same type in your environment. That is, both must be either file-based or LDAP-based.

Permissions must be defined in a manner that Publisher understands. All valid Publisher permissions are premapped to application policies, which are in turn premapped to the default application roles. You cannot create new permissions in the policy store. However, you can customize the default application policy permission grants and application role mappings, and you can create application roles of your own.
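The following Python model, added here as an illustration and not part of the Oracle documentation or product code, shows the authorization chain the sections above describe: the identity store supplies a user's groups, the policy store maps groups (or individual users) to application roles and roles to permission grants, and the set of permissions is closed, so a grant naming an unknown permission is rejected. All user, group, role and permission names are constructed placeholders, not the product's real identifiers.

```python
"""Added example: a minimal model of the Publisher authorization chain.

identity store : user -> groups
policy store   : group or user -> application role, application role -> permissions

Every name below (users, groups, roles, permissions) is a constructed
placeholder; the real product identifiers are not used here.
"""
from typing import Dict, FrozenSet, Set

# Closed permission vocabulary: the policy store cannot define new
# permissions, so every grant is validated against this set (constructed names).
VALID_PERMISSIONS: FrozenSet[str] = frozenset({
    "report.view",
    "report.develop",
    "server.administer",
})

# Constructed identity store: user -> group memberships.
IDENTITY_STORE: Dict[str, Set[str]] = {
    "alice": {"report-authors"},
    "bob": {"report-consumers"},
    "carol": {"report-consumers", "bi-admins"},
}


class PolicyStore:
    """Holds role -> permission grants and principal -> role mappings."""

    def __init__(self) -> None:
        self.role_permissions: Dict[str, Set[str]] = {}
        self.group_roles: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def grant(self, role: str, permission: str) -> None:
        """Grant a permission to an application role; unknown permissions are rejected."""
        if permission not in VALID_PERMISSIONS:
            raise ValueError(f"unknown permission {permission!r}: new permissions cannot be created")
        self.role_permissions.setdefault(role, set()).add(permission)

    def map_group(self, group: str, role: str) -> None:
        """Preferred mapping: an identity-store group to an application role."""
        self.group_roles.setdefault(group, set()).add(role)

    def map_user(self, user: str, role: str) -> None:
        """Direct user-to-role mapping (supported, but harder to track)."""
        self.user_roles.setdefault(user, set()).add(role)

    def roles_for(self, user: str, identity_store: Dict[str, Set[str]]) -> Set[str]:
        """Resolve roles from direct mappings plus the user's group memberships."""
        roles = set(self.user_roles.get(user, set()))
        for group in identity_store.get(user, set()):
            roles |= self.group_roles.get(group, set())
        return roles

    def permissions_for(self, user: str, identity_store: Dict[str, Set[str]]) -> Set[str]:
        """Union of the permission grants of every role the user holds."""
        perms: Set[str] = set()
        for role in self.roles_for(user, identity_store):
            perms |= self.role_permissions.get(role, set())
        return perms

    def is_authorized(self, user: str, permission: str, identity_store: Dict[str, Set[str]]) -> bool:
        return permission in self.permissions_for(user, identity_store)


def build_default_store() -> PolicyStore:
    """Constructed default mappings: three roles, three groups, no direct user mappings."""
    store = PolicyStore()
    store.grant("ConsumerRole", "report.view")
    store.grant("AuthorRole", "report.view")
    store.grant("AuthorRole", "report.develop")
    store.grant("AdministratorRole", "server.administer")
    store.map_group("report-consumers", "ConsumerRole")
    store.map_group("report-authors", "AuthorRole")
    store.map_group("bi-admins", "AdministratorRole")
    return store


if __name__ == "__main__":
    store = build_default_store()
    for user in IDENTITY_STORE:
        print(user, sorted(store.permissions_for(user, IDENTITY_STORE)))
```

Because roles are resolved through group membership, revoking carol's administrative access means removing her from the bi-admins group in the identity store; the policy store mappings stay untouched, which is the point of the best-practice note above.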

For more information about the default Publisher permissions grants, see Default Application Roles and Permissions. For more information about customizing application roles and permission grants, see Customize the Policy Store.