Security policies specify which users, groups, or security roles can access WebLogic resources. As part of creating a policy, you specify conditions (such as time constraints) under which a user, group, or role can access resources.
You can create a root-level policy, which applies to all instances of a specific resource type. For example, you can define a root-level policy that applies to all JMS resources in your domain. You can also create a policy that applies to a specific resource instance. If the instance contains other resources, the policy applies to the included resources as well. For example, you can create a policy for an entire enterprise application (EAR), an EJB JAR containing multiple EJBs, a particular EJB within that JAR, or a single method within that EJB.
A policy with a narrower scope overrides a policy with a broader scope. For example, if you create a security policy for an EAR and a policy for an EJB that is in the EAR, the EJB is protected by its own policy and ignores the policy for the EAR.
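The override rule above, as an added example: a simplified Python model written for this page, not WebLogic code or its API. It shows that the narrowest policy replaces broader ones rather than combining with them, and it lists narrower policies that admit roles the policy they override excludes. The resource paths, role names, policy table and the deny-when-no-policy-applies default are all assumptions of the model.

```python
from datetime import time

# Constructed policy table: scope path -> roles allowed and an optional time window.
POLICIES = {
    ("ejb",): {"roles": {"Admin"}, "hours": None},  # root level: every EJB resource
    ("ejb", "shop.ear"): {"roles": {"Admin", "Operator"}, "hours": (time(8), time(18))},
    ("ejb", "shop.ear", "orders.jar", "OrderBean"): {"roles": {"Clerk"}, "hours": None},
}

def effective_policy(resource, policies=POLICIES):
    """Return (scope, policy) for the narrowest scope that is a prefix of resource."""
    for n in range(len(resource), 0, -1):
        scope = resource[:n]
        if scope in policies:
            return scope, policies[scope]
    return None, None

def is_allowed(resource, roles, now, policies=POLICIES):
    """Evaluate only the effective policy; broader policies are ignored."""
    _, policy = effective_policy(resource, policies)
    if policy is None:
        return False  # assumption of this model: deny when no policy applies
    if policy["hours"] is not None:
        start, end = policy["hours"]
        if not (start <= now < end):
            return False
    return bool(policy["roles"] & set(roles))

def widened_scopes(policies=POLICIES):
    """Audit: narrower policies that admit roles the policy they override does not."""
    findings = []
    for scope, policy in policies.items():
        parent_scope, parent = effective_policy(scope[:-1], policies)
        if parent is not None:
            extra = policy["roles"] - parent["roles"]
            if extra:
                findings.append((scope, parent_scope, sorted(extra)))
    return findings

if __name__ == "__main__":
    cancel = ("ejb", "shop.ear", "orders.jar", "OrderBean", "cancel")
    print(effective_policy(cancel)[0])
    print(is_allowed(cancel, {"Clerk"}, time(23)))
    print(is_allowed(cancel, {"Admin"}, time(10)))
    for finding in widened_scopes():
        print(finding)
```

In this model the EAR's 08:00 to 18:00 window and its role list do not carry over to `OrderBean`, so a review of the EAR policy alone would miss who can call that EJB and when.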
To create security roles in a WebLogic security realm: