This section provides information you need to use the Worklist Users module of Worklist Console. This module allows you to manage users, groups, and roles defined in the default security realm. You must be logged in as a member of the Administrators or IntegrationAdministrators group to add, delete, or modify a user, group, or role. See WebLogic Integration Users, Groups, and Roles.
Users are entities that can be authenticated. Each user is assigned a unique identity within the realm. To make it easier to administer a large number of users, users can be organized into named groups. Groups can in turn be assigned membership in other groups.
Like other components of the platform, WebLogic Integration supports role-based authorization. Although the specific users that require access to the components that make up your WebLogic Integration application may change depending upon the deployment environment, the roles that require access are typically more stable. Authorization involves granting an entity permissions and rights to perform certain actions on a resource.
In role-based authorization, security policies define the roles that are authorized to access the resource. In addition to the built-in roles that are associated with certain administrative and monitoring privileges, security policies that control access to various resources can be configured from the Worklist Console.
Once the roles required for access are set, the administrator can map users or groups to the roles as required.
Unlike membership in a group, which is directly assigned, membership in a security role is dynamically calculated based on the set of conditions that define the role statement. Each condition specifies user names, group names, or time of day. Conditions are joined by conjunction (and) or disjunction (or) commands. When a principal (user) is "in" a role based on the evaluation of the role statement, the access permissions of the role are conferred on the principal. For more information, see Constructing a Role Statement.
A set of default roles are defined for WebLogic Integration as a convenience for use in system management. Additional roles can be created to control access to implementation-specific resources. The roles created using the Worklist Console are created as WebLogic Server global roles.
Note:
The following sections provide information specific to WebLogic Integration. To learn more about protecting resources in a platform-based application, see Understanding WebLogic Security.
Default Roles and Groups
Any domain that supports WebLogic Integration includes a set of default WebLogic Integration roles and groups.
Note:
Worklist does not build knowledge of these roles into its security enforcement. These roles are used in default policy settings installed with new domains via the configuration wizard. However, users can change these default policies to use other non WebLogic Integration-defined roles.
Default Roles
The following table lists the default WebLogic Integration roles. A brief description and initial role definition statement for each is provided. To learn more, see Default Security Policies.
Although you can update the role statement associated with a default role, you cannot delete these roles.
Note:
In addition to the default WebLogic Integration roles, there are also a number of default WebLogic Server roles. See "Default Global Roles" in Users, Groups, And Security Roles in Securing WebLogic Resources Using Roles and Policies.
Default Role
Description
Initial Role Statement
IntegrationAdmin
The WebLogic Integration administrator role. Typically, users granted this role are responsible for administrative activities across Worklist system instances and task plans. For more information, see Default Security Policies.
Groups:(IntegrationAdministrators,Administrators)
IntegrationDeployer
The WebLogic Integration deployer role. Typically, users granted this role are responsible for deploying, configuring and maintaining WebLogic Integration applications. For more information, see Default Security Policies.
Groups:(IntegrationDeployers)
IntegrationMonitor
The WebLogic Integration monitor role. Typically, users granted this role monitor the health of a WebLogic Integration application, but are not authorized to make any modifications to an application. For more information, see Default Security Policies.
Groups:(IntegrationMonitors,Monitors)
IntegrationOperator
The WebLogic Integration operator role. Typically, users in this role make routine or scheduled changes to resources. They generally do not have full administrative permissions. For more information, see Default Security Policies.
Groups:(IntegrationOperators,Operators)
IntegrationUser
The default WebLogic Integration user role. When first created, all users are assigned to the IntegrationUser role.
Groups:(IntegrationUsers)
Default Groups
The following table lists the default groups:
Default Role
Description
IntegrationAdministrators
The WebLogic Integration administrator group. This group is assigned to the IntegrationAdmin role and all members inherit that role.
IntegrationDeployers
The WebLogic Integration deployers group. This group is assigned to the IntegrationDeployer role and all members inherit that role.
IntegrationMonitors
The WebLogic Integration monitor group. This group is assigned to the IntegrationMonitor role and all members inherit that role.
IntegrationOperators
The WebLogic Integration operator group. This group is assigned to the IntegrationOperator role and all members inherit that role.
IntegrationUsers
The WebLogic Integration user group. This group is assigned to the IntegrationUser role and all members inherit that role.
Note:
In addition to the default WebLogic Integration groups, there are also a number of default WebLogic Server groups. See "Default Groups" in Users, Groups, And Security Roles in Securing WebLogic Resources Using Roles and Policies.
Security Provider Requirements for User Management
The ability to define users and groups, and to configure security for Worklist resources is dependent on the availability of an authenticator that implements the following MBeans:
UserEditor
GroupEditor
GroupMemberLister
MemberGroupLister
If there is no authenticator that implements all the above MBeans, all functionality in the Worklist Console related to configuring users or groups, or to granting specific privileges to users or groups, is disabled.
As described in Understanding WebLogic Security, it is possible to run more than one security provider at a time. If multiple authenticators are running, the Worklist console allows you to specify in which provider to create a user or group. Worklist will query users and groups by name from any configured provider.
To learn more about WebLogic Server security realms and security providers, see "Security Realms" in Understanding WebLogic Security.
Listing and Locating Users
The Summary of Users page lists all the users defined in the default security realm.
To list and locate users:
In Worklist Console, click the Worklist Users module and click Users in the left panel to view the Summary of Users page.
To locate a specific user, do one of the following:
Filter by user name. Enter the search target (use * to match zero or more characters.), then click Search. The users matching the search criteria are displayed.
Resort the list. Ascending and descending arrow buttons indicate sortable columns. Click the button to change the sort order.
Scroll through the pages. Use the controls in the lower left corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next , previous , first , or last page.
The Add New User - General Configuration page allows you to create a new user.
To add a user:
In Worklist Console, select the Worklist Users module.
From the left panel, select Users. You can view the Summary of Users page.
Click Add User. The Add New User - General Configuration page appears.
Enter a unique name for the user.
Note:
The name must be unique across users and groups. That is, you cannot create a user that has the same name as a group.
Enter a password associated with the user.
Note:
The password must be at least 8 characters long.
Re-enter the password for confirmation.
Select the authentication provider from the drop-down list.
If required, assign the user to one or more groups as follows:
From the Available Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
Click the icon to move the selected groups to the Current Groups list.
If required, click the icon to remove groups from the Current Groups list.
Click Save.
You can view the new user in the Summary of Users page.
The View User Details page displays the user properties. If you are logged in with sufficient privileges, you can access the Edit User Details page to make changes to the user properties.
Click the user name to display the View User Details page.
The user name, authentication provider, and group membership are displayed.
To change user properties:
On the View User Details page, click Reconfigure.
To update the password:
In the New Password field, enter the new password.
Note:
The password must be at least 8 characters long.
In the Confirm Password field, enter the new password again.
Add or remove group assignments as follows:
To add groups:
a. From the Available Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
b. Click the icon to move the selected groups to the Current Groups list.
To remove groups:
a. From the Current Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
b. Click the icon to move the selected groups to the Available Groups list.
Do one of the following:
To update the user, click Save.
The View and Edit Users page is displayed.
To disregard the changes and return to the View and Edit Users page, click Cancel.
The Summary of Groups page lists all the groups defined in the default security realm.
To list and locate groups:
In Worklist Console, click the Worklist Users module and click Groups in the left panel to view the Summary of Groups page.
To locate a specific group, do one of the following:
Filter by group name. Enter the search target (use ? to match any single character or * to match zero or more characters.), then click Search. The groups matching the search criteria are displayed.
Resort the list. Ascending and descending arrow buttons indicate sortable columns. Click the button to change the sort order.
Scroll through the pages. Use the controls in the lower left corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next , previous , first , or last page.
The Add New Group page allows you to add a new group.
To add a group:
In Worklist Console, select the Worklist Users module.
From the left panel, select Groups. You can view the Summary of Groups page.
Click Add Group. The Add New Group page appears.
Enter a unique name for the group.
Note:
The name must be unique across users and groups. That is, you cannot create a group that has the same name as a user.
Select the authentication provider from the drop-down list.
To make this group a member of one or more other groups, do the following:
From the Available Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
Click the icon to move the selected groups to the Current Groups list.
If required, click the icon to remove groups from the Current Groups list.
Note:
To make another group a member of this new group, you must update the membership assignments for that group. For more information, see Viewing and Changing Group Properties.
Click Save.
You can view the new user in the Summary of Groups page.
The View Group Details page displays group properties. If you are logged in with sufficient privileges, you can access the Edit Group Details page to make changes.
Click the group name to display the View Group Details page.
The name assigned to the group, authentication provider, and all the groups in which the current group is a member are displayed.
To change group properties:
On the View Group Details page, click Reconfigure. The Edit Group
Add or remove group membership assignments as follows:
To add groups:
From the Available Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
Click the icon to move the selected groups to the Current Groups list.
To remove groups:
From the Current Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
Click the icon to move the selected groups to the Available Groups list.
Do one of the following:
To update the group, click Save Changes.
The View and Edit Groups page is displayed.
To disregard the changes and return to the View and Edit Groups page, click Cancel.
To determine who is in a security role at runtime, a role contains one or more conditions. For example, a basic role might simply name the Administrator group. At runtime, the WebLogic Security Service interprets this policy as "place the Administrator group in this role." For more information, see Adding Conditions to a Role Statement.
You can create more complex conditions and combine them using the logical operators AND and OR (which is an inclusive OR). You can also negate any condition, which would make sure that a user is not in the role. The entire collection of conditions must be true for a user or group to be granted the security role.
After you have added conditions to the statement, you can update the joining commands, move the position of a condition, combine conditions, delete conditions, or negate a condition. For more information, see Modifying the Role Statement.
Adding Conditions to a Role Statement
If you are logged in with sufficient privileges, you can add conditions from the Global Role Conditions page. The Global Role Conditions page is displayed when you select a role from the Global Roles list. See Listing and Locating Roles.
When you add a condition to a role statement, you can use any of the existing predicates or policy conditions. Each predicate is a predefined role statement that can be used to define the security policy statement. For each predicate, you need to edit the arguments that are associated with that predicate.
These predicates include:
Basic role conditions that include adding specified users or groups to the role, allowing or denying access to everyone, and so on.
Date and time based role conditions, which are used to grant access to the principals based on the date or time you specify.
Context element role conditions, which are used to create security roles based on the value of HTTP Servlet Request attributes, HTTP Session attributes, and EJB method parameters.
For more information, see "Security Role Conditions" in Users, Groups, And Security Roles in Securing WebLogic Resources Using Roles and Policies.
To add a group to the role:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Group from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Specify the group name and click Add.
You can add one or more groups to this role. If you add multiple groups, the condition evaluates as true if the user is a member of ANY of the groups associated with this role.
Note:
To remove any group, select the group in the Remove list and click Remove.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add a users to the role:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select User from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Specify the user name and click Add.
You can add one or more users to this role.
Note:
To remove any user, select the user in the Remove list and click Remove.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals to this role only on specified days of the week:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Access occurs on specified days of the week from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the day of the week on which principals will be assigned to this role.
Enter the GMT offset. If the time zone in your location is ahead of GMT, enter GMT + hh:mm and if time zone in your location is behind GMT, enter GMT -hh:mm.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals to this role only between a specified time:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Access occurs between specified hours from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the start time and the end time between which principals will be assigned to this role. Enter time in hh:mm AM|PM format.
Enter the GMT offset. If the time zone in your location is ahead of GMT, enter GMT + hh:mm and if time zone in your location is behind GMT, enter GMT -hh:mm.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals to this role only when the context element's value is greater than a numeric constant:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Context element's value is greater than a numeric constant from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the name of the context element.
Enter a numeric value. Principals are assigned to this role based on the specified context element's value being greater than this number.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To deny access to everyone:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Deny Access to everyone from the Predicate List drop-down list.
Click Finish.
All users and groups are denied access to this role.
To add principals to this role only when the context element's value is equal to a numeric constant:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Context element's value equals a numeric constant from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the name of the context element.
Enter a numeric value. Principals are assigned to this role based on the specified context element's value being equal to this number.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals to this role only before a specified date:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Access occurs before from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the date before which principals will be assigned to this role. Enter date in m/d/yy or m/d/yy hh:mm:ss AM|PM format.
Enter the GMT offset. If the time zone in your location is ahead of GMT, enter GMT + hh:mm and if time zone in your location is behind GMT, enter GMT -hh:mm.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals to this role only on the specified day of the month:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Access occurs on the specified day of the month from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the day of the month on which principals will be assigned to this role.
Principals will be assigned to this role only after an ordinal day in the month. Enter the ordinal number of the day within the current month with values in the range from -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month.
Enter the GMT offset. If the time zone in your location is ahead of GMT, enter GMT + hh:mm and if time zone in your location is behind GMT, enter GMT -hh:mm.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals to this role only when the context element's value is equal to a string constant:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Context element's value equals a string constant from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the name of the context element.
Enter a string value. Principals are assigned to this role based on the specified context element's value being equal to this string value.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals only when the defined context element is available:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Context element defined from the Predicate List drop-down list.
Click Finish.
Principals are assigned to this role only when the specified context element exists.
To allow access to everyone:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Allow Access to everyone from the Predicate List drop-down list.
Click Finish.
All users and groups are assigned to this role.
To add principals only after a specified date:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Allow access after from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the date after which principals will be assigned to this role. Enter date in m/d/yy or m/d/yy hh:mm:ss AM|PM format.
Enter the GMT offset. If the time zone in your location is ahead of GMT, enter GMT + hh:mm and if time zone in your location is behind GMT, enter GMT -hh:mm.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals only before the specified day of the month:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Access occurs before the specified day of the month from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the day of the month before which principals will be assigned to this role.
Principals will be assigned this role only before an ordinal day in the month. Enter the ordinal number of the day within the current month with values in the range from -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month.
Enter the GMT offset. If the time zone in your location is ahead of GMT, enter GMT + hh:mm and if time zone in your location is behind GMT, enter GMT -hh:mm.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals to this role only when the context element's value is less than a numeric constant:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Context element's value is less than a numeric constant from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the name of the context element.
Enter a numeric value. Principals are assigned to this role based on the specified context element's value being less than this number.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals only after the specified day of the month:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Access occurs after the specified day of the month from the Predicate List drop-down list.
Click Next. The Edit Arguments page appears.
Enter the day of the month after which principals will be assigned to this role.
Principals will be assigned this role only after an ordinal day in the month. Enter the ordinal number of the day within the current month with values in the range from -31 to 31. Negative values count back from the end of the month, so the last day of the month is specified as -1. 0 indicates the day before the first day of the month.
Enter the GMT offset. If the time zone in your location is ahead of GMT, enter GMT + hh:mm and if time zone in your location is behind GMT, enter GMT -hh:mm.
Click Finish.
The condition is added to the role statement and displayed on the Global Role Conditions page.
To add principals only when Server is running in development mode:
On the Global Role Conditions page, click Add Condition. The Choose a Predicate page appears.
Select Server is in development mode from the Predicate List drop-down list.
Click Finish.
Users and groups will be assigned to this role only when the server is running in development mode.
Modifying the Role Statement
If you are logged in with sufficient privileges, you can update the conditions in the role statement, move the position of the conditions, or delete conditions from the Global Role Conditions page.
To update a condition:
On the Global Role Conditions page, click the value associated with the role condition. The Edit Arguments page appears.
Make required changes and click Finish. You return to the Global Role Conditions page.
Click Save.
The condition is updated.
In addition to updating a condition, you can use the following action buttons to modify the role statement:
Action button
Click this button to
Add Condition
Add a condition to the role statement
Combine
Combine two or more conditions in the role statement. Select the check box next to the conditions that you want to combine.
Conditions in the combination are first validated before moving to the next condition in the role statement.
Uncombine
Remove the combine relation between conditions in a combination. Select the check box next to Combination before you click this action button.
Move Up
Move up the validation order of the selected condition.
Move Down
Move down the validation order of the selected condition.
Remove
Delete a selected condition from the role statement. Click the check box next to the condition to select it for deletion.
Negate
Negate a selected condition. That is, apply the NOT binary operation on the condition. For example, if the condition is NOT Group: Deployer, it means that all groups except the Deployer group are associated with the role.
The View Role Conditions page displays the role statement. If you are logged in with sufficient privileges, you can access the Edit Role Details page to make changes.
and descending 
arrow buttons indicate sortable columns. Click the button to change the sort order.
, previous 
, first 
, or last 
page.
icon to move the selected groups to the Current Groups list.
icon to move the selected groups to the Available Groups list.
icon. A confirmation message appears. Click OK. 
