
User Management Guide


Overview of Delegated Administration

This section provides an overview of delegated administration in WebLogic Portal. Use the WebLogic Administration Portal to configure delegated administration.

This chapter includes the following sections:

 


Using Delegated Administration

Delegated administration provides a mechanism for propagating WebLogic Administration Portal privileges within a hierarchy of roles. A Delegated Administration role is a classification of users based on user name, group membership, or the user's characteristics (or expressions), such as user profile values or time.

In your organization, you might want individuals to have different rights of access to various administration tasks and resources. For example, a system administrator might have access to every feature in the WebLogic Administration Portal. The system administrator might then create a portal administrator role that could manage instances of portal resources in specific desktop views of your portal, and a library administrator role that can manage your portal resource library.

A role policy consists of a role name and role definition. Delegated Administration roles are mapped to administrative functions on portal resources using security policies. Given the appropriate rights, administrators can delegate both the right to administer a given resource capability and the right for the delegatee to delegate further.

 


Delegated Administration Role Hierarchy

Roles are dynamic classifications of users who meet specific requirements, such as membership in a group, matching user profile property values, and time of day. A role is used to determine whether to grant or deny access to resources, and to determine which capabilities on those resources are available to the user. The role hierarchy defines the structure for Delegated Administration.

The root Delegated Administration role is defined in the Portal Resource tree as Administrators. Any user mapped to this predefined role has unlimited administrative access in the Administration Portal. Only a user with global administrative rights can change the definition of this root Delegated Administration role.

You have flexibility in the way you set up your administration hierarchy and assign rights to your various administrators. You can create different levels of administrators, each with varying degrees of access. You can also create administrators that can, in turn, delegate administration tasks to other users.

WebLogic Portal includes a default system administrator. The system administrator has unlimited access to administrative tasks anywhere within the enterprise portal application. You can create as many different administrators as you need by creating administrator roles and then assigning specific users, user groups, or user characteristics.

Parent Roles and Child Roles

Delegated Administration roles allow you to determine which portal resources an administrator can access and what actions administrators can take on those resources. A child role has a subordinate relationship to another role (its parent) and is used to determine who can delegate to whom. That is, sub-roles are children in the sense that files are children of directories. A user in a role can delegate only to that role's sub-roles, which provides a way to restrict Delegated Administration.

For example:

RoleA can delegate to:

RoleB can delegate to:

The user in RoleA cannot delegate to the sub-roles of RoleB as a "peer" role. RoleA can delegate to any of its descendants. Child roles do not inherit the traits of the parent role. If you delete a child role, you are removing it from the system.

Note: When you are establishing your role hierarchy, keep in mind that child roles within a Delegated Administration role must be unique. For example, you cannot have a Delegated Administration role called RoleA with a child role of RoleB if you already have a child role called RoleB elsewhere in the hierarchy.
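The delegation rule, the hierarchy-wide uniqueness constraint, and the separate right to delegate further can be modelled as follows. This is an added example, not WebLogic Portal code or its API: the class, the resource and capability strings, and every role name except Administrators are hypothetical. Representing the right to delegate further as a boolean flag, and child roles as holding only explicitly delegated rights, are modelling assumptions.

```python
class RoleHierarchy:
    """Toy model of a Delegated Administration role tree (not WebLogic Portal's API)."""

    def __init__(self, root="Administrators"):
        self.root = root
        self.parent = {root: None}   # role name -> parent role name
        self.grants = {}             # (role, resource, capability) -> may delegate further?

    def add_child(self, parent, child):
        if parent not in self.parent:
            raise KeyError(f"unknown parent role: {parent}")
        # Names are unique across the whole hierarchy, not only among siblings.
        if child in self.parent:
            raise ValueError(f"role name already used: {child}")
        self.parent[child] = parent

    def is_descendant(self, role, ancestor):
        node = self.parent.get(role)
        while node is not None:
            if node == ancestor:
                return True
            node = self.parent[node]
        return False

    def may_delegate(self, role, resource, capability):
        # The root role has unlimited rights; others need a grant flagged as delegable.
        return role == self.root or self.grants.get((role, resource, capability), False)

    def can_administer(self, role, resource, capability):
        # Assumption: a child holds only what was delegated to it explicitly.
        return role == self.root or (role, resource, capability) in self.grants

    def delegate(self, from_role, to_role, resource, capability, further=False):
        if not self.is_descendant(to_role, from_role):
            raise PermissionError(f"{to_role} is not a sub-role of {from_role}")
        if not self.may_delegate(from_role, resource, capability):
            raise PermissionError(f"{from_role} may not delegate {capability}")
        self.grants[(to_role, resource, capability)] = further


def build_sample():
    """Constructed hierarchy; every name except Administrators is hypothetical."""
    h = RoleHierarchy()
    h.add_child("Administrators", "PortalAdmin")
    h.add_child("Administrators", "LibraryAdmin")
    h.add_child("PortalAdmin", "DesktopAdmin")
    h.add_child("LibraryAdmin", "ContentAdmin")
    h.delegate("Administrators", "PortalAdmin", "desktop:main", "manage", further=True)
    h.delegate("Administrators", "LibraryAdmin", "library", "manage", further=False)
    return h
```

In this model a delegation attempt fails with `PermissionError` when the target is a peer's sub-role or when the delegating role was not given the right to delegate further, which are the two conditions to review when auditing a hierarchy for unintended privilege propagation.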

 


Setting Up an Administrative Role

You can create Delegated Administration roles at any time. The following process shows all the steps that ensure your administrators are set up correctly:

  1. Model your Delegated Administration hierarchy to fit the needs of your organization.
  2. Create a Role for each administrator type.
  3. Define the role three ways:
  4. Assign Delegated Administration rights to various resources:

For detailed instructions on setting up delegated administration, see the WebLogic Administration Portal online help at http://download.oracle.com/docs/cd/E13218_01/wlp/docs81/adminportal/index.html.

 
