As an administrator, you have a number of options available to attach/remove OWSM-based security policies to web service components deployed in your infrastructure. If you have a standard web service available inside a WAR application, policies can be attached to it from even the Oracle WebLogic Server Administration Console. For SOA composites, from Oracle Enterprise Manager Fusion Middleware Control, you can navigate to the particular service, component, or reference and attach a predefined or custom policy to them. Then, you have your reliable friend, that is, WLST, which offers handy and convenient ways to list, attach, detach, enable, and/or disable security policies for your service artifacts.

Having said this, the question on which you can deliberate is when to use which approach. If you like scripting things out once and then applying them whenever...