Oracle® Web Services Manager Administrator's Guide
10g (10.1.3.3.0)

Part Number E10299-01

7 Managing Oracle Web Services Manager Roles

This chapter describes how to configure Oracle Web Services Manager (Oracle WSM) roles.

Note:

The concepts of groups and roles do not apply to Oracle WSM when it is installed as part of Oracle Application Server 10g Release 3 (10.1.3.1.0).

Managing Oracle WSM Access and Permissions

To control access to Oracle WSM components and operations, you assign user groups defined in your environment to Oracle WSM administrative roles. First, assign the Oracle WSM administrative roles to the groups defined and stored in your database or maintained in your LDAP server. Then, specify which groups are authorized to administer individual components (gateways and agents) and individual Web services managed by Oracle WSM.

Note:

For details on configuring Oracle WSM to use either the Oracle WSM Database or your own LDAP server to manage users and groups, see "Configuring the Oracle WSM Authentication Source".

Table 7-1 Oracle WSM Roles

Role Description

Super User

This is the primary Oracle WSM role, whose group members are responsible for the Oracle WSM site installation and deployment. Super User group members can access all features and perform all operations for any administrative component, PEP, or managed service. This includes adding, editing, or deleting components and their associated services.

Only one group can be assigned the role of Super User. The Super User can delegate administrator responsibility for an installation to the Domain Administrator role and can assign user groups to other Oracle WSM roles.

Domain Administrator

The group assigned to this role is typically responsible for the day-to-day operations and management of an Oracle WSM system. Domain administrators have the same access rights as the Super User, and they can perform the same operations on all components and managed services. Domain Administrators can assign users to any role, except Super User and Domain Administrator.

Only one group can be assigned the role of Domain Administrator. A Domain Administrator typically delegates administrator responsibility for individual components to groups assigned the Component Administrator role.

Component Administrator

Groups assigned to the Component Administrator role are given administrator responsibility for a specific component. Component Administrators directly administer or delegate administrator responsibility for managed services associated with the component.

Component Administrators can edit the details of a component as well as add, edit, or delete managed services and routing associated with a component. They cannot, however, add, delete or remove the component nor can they change the registration details for a component.

Component Support

Groups assigned to the Component Support role are given support access to a specific component.

Users assigned to the Component Support role can view information about the assigned component and its associated services. They are not allowed to add, edit, or change details of either the components or its associated services.

Service Administrator

Groups assigned to the Service Administrator role are given administrator responsibility for a specific service.

Service Administrators can view and edit details and policy steps of the service. They cannot change service registration details, delete the service, or add new services.

Service Support

Groups assigned to the Service Support role can access a specific service. Users assigned to this role can view details and policy steps of the service. They are not allowed to edit service details, add or delete services.


When a user logs in to Web Services Manager Control, Oracle WSM automatically maps the group to which the user belongs to the role to which the group is assigned. Oracle WSM then determines which components and managed Web services that user is allowed to access and administer. For example, a user belongs to the group CSV.Admin.Gateway1, which is mapped to an Oracle WSM Administrator role and is given access to a gateway component. This user can automatically view and administer that gateway and its associated services when he or she logs in to Web Services Manager Control. At the same time, other users belonging to groups assigned to roles with fewer permissions will be restricted in the operations they are able to perform on the same gateway and its associated services.

Assigning the Super User Role

Before you can assign groups within your organization to Oracle WSM roles, you must first assign a group to the role Super User. This group must be added to the Oracle WSM Database by logging in to the Oracle WSM Database and executing the following SQL command:

INSERT INTO GROUP_ROLE_MAPPINGS VALUES ('group_name',1,'Y')

The variable group_name is the name of the group to which you want to assign the role Super User.

Once this group has been added, members of this group can assign a group to the Domain Administrator role and other Oracle WSM roles. See "Assigning Oracle WSM Roles" for more information.

Assigning Oracle WSM Roles

One of the first tasks the Super User should perform after installing Oracle WSM is assigning a group to the Oracle WSM Domain Administrator role. The Super User or Domain Administrator can then assign other groups to roles that administer or support individual components or managed services. It is important that users assigned to Oracle WSM Super User and Domain Administrator roles be familiar with the group roles and user membership existing within their own organization, before they start to assign those groups to Oracle WSM roles.

To assign Oracle WSM roles

Only users logged in as Super User or Domain Administrator can assign groups to roles. Component Administrators and Component Support users can view the role assignments, but they cannot remove or add new assignments.

  1. Log in to the Oracle WSM Web Services Manager Control as Super User or Domain Administrator.

  2. Click Administration, then click Groups/Roles.

    In the example (Figure 7-1), the List of Group Role Mappings page shows a group already assigned to the Domain Administrator role. The page also shows different groups assigned to component administrator, service administrator, and service support roles. Assigning multiple groups to the same role lets you distribute the management of components and services among multiple groups.

    Figure 7-1 Group/Roles Mappings Page


  3. To add a new group/role mapping (assignment), click Add New Group/Role.

    At the top of the page (Figure 7-2), there is the following instruction: Enter the name of the group exactly as it is defined in the source.

    The term source is replaced with either the word Database or LDAP Repository. This instruction indicates whether your installation is using groups stored in a database or in an LDAP server.

    Figure 7-2 Add New Group/Role Page


  4. Enter the name of the group in the Group Name field, and select a role from the Role Name list.

  5. Assign groups within your organization to Service Administrator and Service Support roles.

  6. Click Save.

After groups have been assigned to roles, Domain Administrators will be able to add Component Administrator and Component Support group access to individual components when adding or editing the registration details of a component by selecting Policy Management, and then selecting Manage Policies. For example, when adding a new component, the Web Services Manager Control displays the following page:

In the Component Groups section, the group of the currently logged-in Domain Administrator will automatically appear in the list of groups having access to the new component. (The list is on the left side in Component Groups section.)

When logged in as a Domain Administrator, you can add additional groups allowed to access the new component with modify or view-only permissions. To do that, select one or more groups from one or more of the lists on the right side of the display, then click Add.

Similarly, Component Administrators (as well as the Super User and Domain Administrators) can add Service Administrator and Support group access to individual services when adding or editing details of a service. To do that, select Policy Management, and then select Register Services. When you create a new service or edit the details of an existing service, use the Service Groups section to specify group access.

Configuring the Oracle WSM Authentication Source

You can configure Oracle WSM to use either a database or an LDAP server to manage users and groups by editing the ORACLE_HOME/owsm/config/ccore/ui-config-installer.properties file.

The user and group management parameters are defined in the section labelled UI authentication properties. This section provides default settings for two different authentication methods:

The properties file includes the following parameters for the database:

ui.authentication.provider=com.cfluent.accessprovider.sampledb\
.LocalDBAuthProvider
ui.authentication.provider.properties=\
dbConnectionUrl=jdbc:oracle:thin:@sunserver5:1521:CCORE|\
dbDriver=oracle.jdbc.driver.OracleDriver|\
dbUser=cfluentdev|\
dbPassword=cfluentdev|\
maxConnections=10;\
idleTime=300;\
maxConnectionTime=120;

Table 7-2 Database Authentication Source Properties

| Property | Description |
| --- | --- |
| dbConnectionUrl | Valid Java Database Connectivity (JDBC) connection URL. |
| dbDriver | JDBC driver class used to connect to the database. |
| dbUser | User ID of the schema owner for Oracle WSM Database. |
| dbPassword | Password for the user specified by dbUser. |
| maxConnections | Maximum database connections that are created. Default is 10. |
| idleTime | Ignore this parameter. It is obsolete. |
| maxConnectionTime | Ignore this parameter. It is obsolete. |


The properties file includes the following parameters for the LDAP server:

ui.authentication.provider=com.cfluent.accessprovider.ldap\
   .BasicLdapAuthProvider
ui.authentication.provider.properties=\
ldapHost=dbserv1;\
ldapPort=389;\
ldapDN=ou=People,dc=corp,dc=confluentsw,dc=com;\
superUserRole=SystemAdmin;\
roleAttribute=groupmembership

Edit the parameters for the method you want to use, and comment out the parameters for the method you do not want to use.

Table 7-3 LDAP Server Authentication Source Properties

| Property | Description |
| --- | --- |
| ldapHost | Host name of the system where the LDAP server is running. |
| ldapPort | Port on which the LDAP server listens for requests. |
| ldapDN | LDAP distinguished name (DN). |
| superUserRole | Group that is assigned the Super User role. |
| roleAttribute | Attribute for the user object that stores the groups (roles) to which the user belongs. |
| superUser | LDAP group that is assigned the Super User role in Oracle WSM. |
| roleAttribute | LDAP attribute name that identifies the user in the LDAP group. |


After you have made your changes to the ui-config-installer.properties file, you must use the wsmadmin deploy control command for the changes to take effect. For more information on deploying applications, see Oracle Web Services Manager Deployment Guide. Once you have installed Oracle WSM with the user group configuration settings you want to use, Oracle WSM uses the specified source whenever it requires user authentication.

Note:

Although you specify the LDAP group that is assigned the Super User role in Oracle WSM, you must manually add this group to the Oracle WSM Database.

Default Users and Groups

When you install Oracle WSM, the Oracle WSM Database is initialized with predefined users and groups that are assigned Oracle WSM roles. You can use these predefined groups and roles to test and stage an Oracle WSM installation, prior to deployment in a production environment.

Table 7-4 is a list of the default users, groups, and the roles to which they are assigned that are populated in the default installation.

Table 7-4 Default Users, Groups, and Oracle WSM Roles

| Oracle WSM Role | Group | Users |
| --- | --- | --- |
| Super User | su1-grp | admin, su1.a |
| Domain Administrator | da1-grp | da1.a, da1.b |
| Component Administrator | ca1-grp | ca1.a, ca1.b, ca1.cs2.a, ca1.sa2.a |
| Component Administrator | ca2-grp | ca2.a, ca2.b |
| Component Support | cs1-grp | cs1.a, cs1.b |
| Component Support | cs2-grp | cs2.a, cs2.b, ca1.cs2.a |
| Service Administrator | sa1-grp | sa1.a, sa1.b, sa1.ss2.a |
| Service Administrator | sa2-grp | sa2.a, sa2.b, ca1.sa2.a |
| Service Support | ss1-grp | ss1.a, ss1.b |
| Service Support | ss2-grp | ss2a, ss2.b, sa1.ss2.a |


By default, the password for all predefined users is oracle. User names with designations such as ca1.cs2.a indicate that a user is a member of more than one group, and each group is assigned a different role. For example, the user ca1.cs2.a is a member of ca1-grp, which is assigned a Component Administrator role. The same user is a member of cs2-grp, which is assigned a Component Support role. The user's permissions are the combination of the roles assigned to the groups to which the user belongs.
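The combination rule above and the one-group limit from Table 7-1 can be checked against an export of group/role mappings. The following is an added example, not Oracle code: it assumes each group maps to one role (as in Table 7-4), ignores per-component and per-service scoping, and the names ops-admins, net-admins and alice are hypothetical.

```python
# Added example (not Oracle code): effective roles from group membership.
# Assumption: each group maps to exactly one role, as in Table 7-4.
SINGLE_GROUP_ROLES = ("Domain Administrator", "Super User")  # Table 7-1 limit
DEFAULT_GROUPS = {"su1-grp", "da1-grp", "ca1-grp", "ca2-grp", "cs1-grp",
                  "cs2-grp", "sa1-grp", "sa2-grp", "ss1-grp", "ss2-grp"}

def effective_roles(user_groups, group_roles):
    """Union of the roles assigned to every group the user belongs to."""
    return {group_roles[g] for g in user_groups if g in group_roles}

def review(group_roles, memberships):
    """Return findings for a group->role map and a user->groups map."""
    findings = []
    # Table 7-1: only one group may hold each of these two roles.
    for role in SINGLE_GROUP_ROLES:
        holders = sorted(g for g, r in group_roles.items() if r == role)
        if len(holders) > 1:
            findings.append(f"{role} held by more than one group: {holders}")
    # Predefined groups are meant for test and staging installations.
    for group in sorted(DEFAULT_GROUPS & set(group_roles)):
        findings.append(f"predefined group still mapped: {group}")
    # Users whose permissions combine the roles of several groups.
    for user in sorted(memberships):
        roles = effective_roles(memberships[user], group_roles)
        if len(roles) > 1:
            findings.append(f"{user} combines roles: {sorted(roles)}")
    return findings

# Constructed sample data; ops-admins, net-admins and alice are hypothetical.
GROUP_ROLES = {
    "ops-admins": "Domain Administrator",
    "net-admins": "Domain Administrator",
    "ca1-grp": "Component Administrator",
    "cs2-grp": "Component Support",
}
MEMBERSHIPS = {
    "alice": ["ops-admins"],
    "ca1.cs2.a": ["ca1-grp", "cs2-grp"],
}

if __name__ == "__main__":
    for finding in review(GROUP_ROLES, MEMBERSHIPS):
        print(finding)
```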

Manage Users and Groups Command

If you are using an Oracle WSM Database for user authentication, Oracle WSM provides a command-line tool to create users and groups. After creating your users and groups, and assigning users to groups, you can then assign roles to your new groups using the WSMADMIN command-line tool.

The command-line tool can be found in the following location:

ORACLE_HOME/owsm/bin

The syntax of the wsmadmin command to manage Oracle WSM users and groups is the following:

wsmadmin manageUserGroups [option]

The available options are shown in Table 7-5:

Table 7-5 manageUserGroups Command Options

| Option | Description |
| --- | --- |
| addUser | Adds a single user. |
| addGroup | Adds a single group. |
| addUserGroup | Adds an existing user to a group. |
| deleteUser | Deletes an existing user. |
| deleteGroup | Deletes an existing group. |
| deleteUserGroup | Deletes a user from a group. |


This command-line tool can be used for adding and deleting users and groups only from the sample database shipped with Oracle WSM. If you store users and groups in an LDAP server, you cannot use this tool to add or remove users and groups. You must use whatever tools are provided with your LDAP server to perform these operations.

Configuring the manageUserGroup Properties File

When the command is executed, Oracle WSM checks the manageUserGroups.properties file that contains database connection information and information about the particular users and groups you want to add or delete.

The ORACLE_HOME/owsm/bin/manageUserGroups.properties file contains the following properties (Table 7-6) that you should set, based on the specific user or group operation you want to perform.

Table 7-6 manageUserGroups Properties File Settings

Property Value

db_url

Specify the database URL to connect to the Oracle WSM Database. By default, this property is set to:

jdbc:polite4@localhost:3120:orawsm

db_driver

Specify the driver used to connect to the Oracle WSM Database. By default, this property is set to:

oracle.lite.poljdbc.POLJDBCDriver

db_user

Specify the database administrator user name to log in to the Oracle WSM Database. By default, this property is set to:

system

db_password

Specify the corresponding password for the database user login name. By default, this property is set to:

manager

user_id

Specify a user ID to uniquely identify a user. By default, this property is set to:

ctang

The user_id property must be specified for the addUser, addUserGroup, deleteUser, and deleteUserGroup operations.

user_name

Specify a login user name for the associated user_id. By default, this property is set to:

Administrator

The user_name property is required only for addUser operations.

user_password

Specify a password for the associated login user name and user_id. By default, this property is set to:

oracle

The user_password property is required only for addUser operations.

user_email

Specify the e-mail address to be associated with a specific user. By default, this property is set to:

admin@admin.com

The user_email property is required only for addUser operations.

group_id

Specify a group ID to uniquely identify a group. By default, this property is set to:

IT-INFR

The group_id property is required only for addGroup, deleteGroup, and deleteUserGroup operations.

group_desc

Specify a descriptive label for the associated group_id. By default, this property is set to:

IT Infrastructure

The group_desc property is required only for addGroup operations.


The db_password and user_password properties are specified when Oracle Web Services Manager is installed. The values are obfuscated and the manageUserGroups.properties file is populated with these obfuscated values. The user_password property is entered in the manageUserGroups.properties file as unencrypted text. Once the Oracle WSM Database is updated with the user information, this sensitive information should be deleted from the file.
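One way to check that the cleanup described above has been done, as an added example that is not part of the Oracle tooling: it parses a manageUserGroups.properties file and flags a user_password left behind, plus any value still equal to a default listed in Table 7-6. The sample contents and the user jdoe are constructed.

```python
# Added example (not Oracle code): audit manageUserGroups.properties
# for credentials that should not remain in the file.
import sys

# Default values documented in Table 7-6 of this chapter.
DOCUMENTED_DEFAULTS = {
    "db_user": "system",
    "db_password": "manager",
    "user_password": "oracle",
}

def parse_properties(text):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a sorted list of (property, finding) tuples."""
    props = parse_properties(text)
    findings = []
    for key, default in DOCUMENTED_DEFAULTS.items():
        if props.get(key) == default:
            findings.append((key, "documented default value still in use"))
    # user_password is entered as clear text and should be removed afterwards.
    if props.get("user_password"):
        findings.append(("user_password", "password left in file"))
    return sorted(findings)

# Constructed sample contents (not taken from a real installation).
SAMPLE = """\
# entries used for the last addUser operation
db_url=jdbc:polite4@localhost:3120:orawsm
db_user=system
db_password=manager
user_id=jdoe
user_name=jdoe
user_password=S3cret-Example
group_id=IT-INFR
"""

if __name__ == "__main__":
    # Pass the path to the properties file, or run without arguments
    # to audit the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, finding in audit(text):
        print(f"{key}: {finding}")
```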

Executing the wsmadmin manageUserGroups Command

Each time you want to perform an operation to add or remove users or groups, or add or delete users in groups, specify a new set of entries in the manageUserGroups.properties file. Then run the wsmadmin manageUserGroups command with the appropriate command-line option. For more information on the wsmadmin command, see Oracle Web Services Manager Deployment Guide.