Configuring and Managing WebLogic Server

Protecting System Administration Operations

To leverage individual skills, many Web development teams divide system administration responsibilities into distinct roles. Each project might give only one or two team members permission to deploy components, but allow all team members to view the WebLogic Server configuration. WebLogic Server supports this role-based development by providing four global roles that determine access privileges for system administration operations: Admin, Deployer, Operator, and Monitor.

All WebLogic Server system administration operations are implemented via a set of MBeans. An MBean is a type of Java object that is specified in the Java Management Extensions (JMX). When a user tries to invoke operations on these system-administration MBeans, the WebLogic Server determines whether the user belongs to a role that is permitted to carry out the operation. For more information on MBeans that configure WebLogic Servers, refer to System Administration Infrastructure.

Note: These role-based permissions replace access control lists (ACLs) for securing WebLogic Server MBeans, which were used before Release 7.0.

 


Operations Available to Each Role

Table 8-1 describes the four global roles that WebLogic Server uses to determine access privileges for system administration operations, and the permissions granted to each role.

Table 8-1 Global Roles and Permissions

| Global Role | Permissions |
|---|---|
| Admin | View the server configuration, including the encrypted value of encrypted attributes. Modify the entire server configuration. Deploy applications, EJBs, startup and shutdown classes, J2EE Connectors, and Web Service components, and edit deployment descriptors. Start, resume, and stop servers by default. Permissions for Starting and Shutting Down a WebLogic Server provides more information. |
| Deployer | View the server configuration, except for encrypted attributes. Deploy applications, EJBs, startup and shutdown classes, J2EE Connectors, and Web Service components, and edit deployment descriptors. |
| Operator | View the server configuration, except for encrypted attributes. Start, resume, and stop servers by default. Permissions for Starting and Shutting Down a WebLogic Server provides more information. |
| Monitor | View the server configuration, except for encrypted attributes. This role effectively provides read-only access to the Administration Console, weblogic.Admin utility and MBean APIs. |

No user, regardless of role membership, can view the non-encrypted version of an encrypted attribute.

While you can create any number of additional roles for use in your applications, only the roles in Table 8-1 have permission to view or change the configuration of a WebLogic Server. To define a role, use the Administration Console. For more information, refer to Granting Roles in the Managing WebLogic Security guide.

Default Group Associations

By default, WebLogic Server defines four groups that correspond to the four global roles. When you add a user to one of these groups, that user is also in the corresponding global role. (See Table 8-2.)

Table 8-2 Default Group Associations

| Members of This Group | Are In This Role |
|---|---|
| Administrators | Admin |
| Deployers | Deployer |
| Operators | Operator |
| Monitors | Monitor |

Membership in a group is a static identity that a system administrator assigns, while membership in a role can be dynamically calculated based on data such as group membership, username, or the time of day. (See Figure 8-1.)

Figure 8-1 Relationship of Group and Role Membership


 

For example, if you add a user to the group named Deployers, by default the user will also belong to the Deployer role. You can, however, modify the default definition of the Deployer role so that a user named User1 is in the Deployer role from 6am to 6pm, and a user named User2 is in the role from 6pm to 6am.

When you use the Configuration Wizard to create a WebLogic Server configuration, the administrative user that you create is in the Administrators group and, therefore, in the Admin role. The Deployers, Operators, and Monitors groups are empty.

For information on creating users and assigning them to roles, refer to Defining Users and Granting Roles in the Managing WebLogic Security guide.

 


Protected User Interfaces

You can use the following user interfaces (UIs) to perform system administration operations:

If you attempt to invoke an operation for which you do not have permission, the WebLogic Server instance throws a weblogic.management.NoAccessRuntimeException. The server instance sends this exception to its log file, and you can configure a server to send exceptions to standard out. If you invoke the command from the Administration Console, you see an Access denied error.

 


Overlapping Permissions for System Administration MBeans and Policies on Resources

For a few specific operations, the MBean permissions described in previous sections overlap with another security scheme: policies on resources. In these cases, a user must satisfy both security schemes to invoke the operation.

Resources and Policies

A WebLogic Server instance, the server's subsystems (such as Deployment Manager and JDBC Container), and the items that the subsystems control (such as Web applications and JDBC connection pools) are called resources. Each WebLogic Server resource exposes a set of its operations through its own instance of the weblogic.security.spi.Resource interface.

A policy is a set of criteria that determines who can access the Resource interface for a resource. For example, the Resource interface for a server resource exposes operations that start, shut down, lock, or unlock the server instance. You can define a policy that determines who can access the server's Resource interface and its methods.

In some cases, the operations that the Resource interface exposes change attributes of WebLogic Server MBeans. In these cases, the permissions specified by the policy must agree with the role-based protections of MBean attributes. (See Figure 8-2.)

Figure 8-2 Overlapping Permissions for Server Policies and MBeans


 

Working with Policies

You can view, create, or modify policies on resources from the Administration Console. For example, to view the policy on a server resource, right-click the name of a WebLogic Server and choose Define Policy. As illustrated in Figure 8-3, the default policy for a server resource grants access to the Admin and Operator roles.

Figure 8-3 Default Policy for a Server Resource


 

Note that a server resource inherits a default policy. If you want to change the inherited policy statement for all WebLogic Server instances in a domain, do the following from the Administration Console:

  1. Right-click the Servers node.
  2. From the shortcut menu, click Define Policy.
  3. In the right pane, modify the policy and click Apply.

For more information on creating and modifying policies, refer to Setting Protections for WebLogic Resources in the Managing WebLogic Security guide.

Maintaining a Consistent Security Scheme

The default configuration of groups, roles, server policies, and MBean permissions works together to create a consistent security scheme. You can, however, make modifications that limit access in ways that you do not intend.

For example, if you add a user to the Operator role but fail to add the Operator role to the policy of a server resource, the Operator can call MBean methods that are used in the startup and shutdown sequence, but cannot use any server-resource operations to start or stop a server.

To keep MBean security synchronized with the permissions granted by policies, consider the following when you create or modify a policy:

In addition, note that if a user does not belong to one of the four groups described in Table 8-2, the user cannot log in to the Administration Console.
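
The following Python sketch is an added example, not BEA code and not part of the original guide. It models the two checks described above (role-based MBean permissions from Table 8-1 and the role list in a server-resource policy) and reports where an edited policy drifts from the MBean scheme; the operation labels, function names and timed-grant tuples are assumptions of this example, and it calls no WebLogic API.

```python
from datetime import time

# Table 8-2: default group -> global role.
GROUP_TO_ROLE = {"Administrators": "Admin", "Deployers": "Deployer",
                 "Operators": "Operator", "Monitors": "Monitor"}

# Table 8-1 reduced to operation classes; the labels are this example's own.
MBEAN_PERMS = {
    "Admin": {"view", "view_encrypted", "modify", "deploy", "lifecycle"},
    "Deployer": {"view", "deploy"},
    "Operator": {"view", "lifecycle"},
    "Monitor": {"view"},
}

# Figure 8-3: roles named in the default policy on a server resource.
DEFAULT_SERVER_POLICY = {"Admin", "Operator"}

def roles_for(user, groups, now, timed_grants=()):
    """Compute roles from static groups plus (user, role, start, end) windows."""
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    for name, role, start, end in timed_grants:
        # A window such as 18:00-06:00 wraps past midnight.
        in_window = (start <= now < end) if start < end else (now >= start or now < end)
        if name == user and in_window:
            roles.add(role)
    return roles

def can_start_stop(roles, server_policy):
    """Return (mbean_ok, policy_ok, allowed); start/stop needs both checks."""
    mbean_ok = any("lifecycle" in MBEAN_PERMS[r] for r in roles)
    policy_ok = bool(roles & set(server_policy))
    return mbean_ok, policy_ok, mbean_ok and policy_ok

def audit_policy(server_policy):
    """List roles for which the two schemes disagree on start/stop."""
    lifecycle_roles = {r for r, p in MBEAN_PERMS.items() if "lifecycle" in p}
    return {"mbean_only": sorted(lifecycle_roles - set(server_policy)),
            "policy_only": sorted(set(server_policy) - lifecycle_roles)}

if __name__ == "__main__":
    # Constructed scenario: the Operator role was removed from the server policy.
    edited_policy = {"Admin"}
    operator_roles = roles_for("op1", ["Operators"], time(9, 0))
    print(can_start_stop(operator_roles, edited_policy))
    print(audit_policy(edited_policy))
```

A non-empty mbean_only list corresponds to the case described above, where a role can call the MBean methods but cannot use the server-resource operations.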

 


Permissions for Starting and Shutting Down a WebLogic Server

WebLogic Server provides two techniques for starting and shutting down server instances: the weblogic.Server command and the Node Manager. Because the underlying components for weblogic.Server and Node Manager are different, the two commands use different authentication methods.

Permissions for Using the weblogic.Server Command

The weblogic.Server command, which starts a WebLogic Server from a local host machine, calls methods that are protected by a policy on the server resource. To use this command, you must satisfy the requirements of the policy on the server.

Some weblogic.Server arguments set attributes for MBeans. However, because these arguments modify an MBean before the server is in the RUNNING state, the policy on the server resource, not the MBean security scheme, is the authorizer. For example, a user in the Operator role can use the -Dweblogic.ListenPort argument to change a server's default listen port, but once the WebLogic Server is running, the Operator user cannot change the listen port value.

For more information about weblogic.Server, refer to "Starting in Development Mode or Production Mode" in the Administration Console Online Help.

Permissions for Using the Node Manager

The Node Manager uses both MBeans and the server resource to start a remote server.

If you have configured a Node Manager on the host machine of a remote WebLogic Server, by default a user in the Admin or Operator role can use the Node Manager to start the remote server.

You must make sure that any modifications you make to the default security settings do not prevent a user from being authorized by both MBean security and the server policy. For example, if you remove the Operator role from a server policy, the Operator can still call MBean methods but cannot call the server resource.

For information about the Node Manager, refer to "Managing Server Availability with Node Manager" in the Configuring and Managing WebLogic Server guide.

Shutting Down a WebLogic Server

Shutting down a WebLogic Server also involves both MBeans and the server resource. When you issue a shutdown command, the server first determines whether you are a member of the Admin or Operator role (per the MBean security scheme). Then, after the MBean operations run, the server determines whether the policy on the server resource authorizes you to shut down the server.

 
