Security Guide


Configuring Administrative Security

To give users access to administrative functions such as creating proxy services, you assign them to one of four security roles with pre-defined access privileges. A security role is an identity that can be dynamically conferred upon a user or group based on conditions that are evaluated at runtime. You cannot change the access privileges for the AquaLogic Service Bus administrative security roles, but you can change the conditions under which a user or group is in one of the roles.

The following sections describe administrative security for AquaLogic Service Bus:

For more information about security roles, see Users, Groups, and Security Roles, in Securing WebLogic Resources.

 


Administrative Security Roles and Privileges

Table 9-1 describes the AquaLogic Service Bus administrative security roles and summarizes their access privileges.

Table 9-1 AquaLogic Service Bus Administrative Security Roles

Role: IntegrationAdmin and IntegrationDeployer
Pre-Defined Access Privileges:
  • Has complete access to all AquaLogic Service Bus resources, including the ability to create, edit, or delete user names, passwords, and credential alias bindings in service accounts and proxy service providers. The user names and passwords that this role can create are used only by service accounts for outbound authentication; they are not used to authorize access to AquaLogic Service Bus resources.
  • Cannot create, edit, or delete users, groups, roles, or access control policies in the Security Configuration module of the AquaLogic Service Bus Console.

Role: IntegrationOperator
Pre-Defined Access Privileges: This group has the following privileges:
  • Has read access to all AquaLogic Service Bus resources.
  • Cannot export resources.
  • Has access to create, view, edit and delete alert rules.
  • Has access to session management, including create, commit, discard and undo of sessions.
  • Has access to create, edit, view and delete operational settings of services.

Role: IntegrationMonitor
Pre-Defined Access Privileges:
  • Has read access to all AquaLogic Service Bus resources.
  • Cannot export resources.

Note: In this release, IntegrationAdministrators and IntegrationDeployers have the same privileges. This might change in future releases.

The AquaLogic Service Bus roles have permission to modify only AquaLogic Service Bus resources; they do not have permission to modify WebLogic Server or other resources on WebLogic Server. To give a user permission to modify WebLogic Server and its other resources, add the user to one of the WebLogic Server security roles described in Table 9-2. In each AquaLogic Service Bus domain, make sure that you add at least one user to the Admin role.

Table 9-2 WebLogic Server Security Roles

WebLogic Server Role | Default Access Privileges
Admin | Has complete access to all WebLogic Server and AquaLogic Service Bus objects and functions, including the ability to create, edit, or delete users, groups, roles, or access control policies.
Deployer | Has read access to all objects. Can create, delete, edit, import or export resources, services, proxy service providers, or projects.
Operator | Has read and export access to all objects. Can configure alerts, enable or disable metric collection, and suspend or resume services.
Monitor | Has read access to all objects. Can export any resource, service, proxy service provider, or project.

Role-Based Access in AquaLogic Service Bus Console

Table 9-3 shows the actions that each AquaLogic Service Bus security role can perform in the AquaLogic Service Bus Console.

Permission to perform an action is indicated by a check mark (Checkmark symbol) in the table. Note that there are no check marks in the Security Configuration section of this table because only the WebLogic Server Admin role has access to these functions.

Table 9-3 Role-Based Access in AquaLogic Service Bus Console

Console Mode | Actions | Integration Admin | Integration Deployer | Integration Operator | Integration Monitor

OPERATIONS
  Monitoring
    • Dashboard: View Statistics, Reset Statistics, View Alerts, Delete Alerts, View Alert History, View Server Summary
    • Dashboard Settings: View Dashboard Settings, Set Dashboard Settings
  Configuration
    • Smart Search: Set Smart Search Settings, View Smart Search Settings
    • Global Settings: Set Global Settings, View Global Settings
    • Tracing: Set Tracing Settings, View Tracing Settings
  Reporting
    • Message Reports: View Message Reports
    • Purge Messages: Purge Messages

RESOURCE BROWSER
  Service
    • Proxy Services: Create Proxy Service, View Proxy Service, Edit Proxy Service, Delete Proxy Service
    • Business Services: Create Business Service, View Business Service, Edit Business Service, Delete Business Service
  Interface
    • WSDLs: Create WSDLs, View WSDLs, Edit WSDLs, Delete WSDLs
    • XML Schemas: Create XML Schemas, View XML Schemas, Edit XML Schemas, Delete XML Schemas
    • WS-Policies: Create WS-Policy, View WS-Policy, Edit WS-Policy, Delete WS-Policy
  Transformation
    • XQueries: Create XQuery, View XQuery, Edit XQuery, Delete XQuery
    • XSLTs: Create XSLT, View XSLT, Edit XSLT, Delete XSLT
    • MFLs: Create MFL, View MFL, Edit MFL, Delete MFL
    • JARs: Create JARs, View JARs, Edit JARs, Delete JARs
  Security
    • Service Accounts: Create Service Account, View Service Account, Edit Service Account, Delete Service Account
    • Proxy Service Providers: Create Proxy Service Provider, View Proxy Service Provider, Edit Proxy Service Provider, Delete Proxy Service Provider
  Notification
    • Alert Destinations: Create Alert Rule, View Alert Rule, Edit Alert Rule, Delete Alert Rule

PROJECT EXPLORER
    • Projects: Create Project, View Project, Edit Project, Delete Project
    • Folders: Create Folder, View Folder, Edit Folder, Delete Folder

SECURITY CONFIGURATION
    • Users: Create User, View User, Edit User, Delete User
    • Groups: Create Group, View Group, Edit Group, Delete Group
    • Roles: Create Role, View Role, Edit Role, Delete Role
    • Access Control: Create Policy, View Policy, Edit Policy, Delete Policy

SYSTEM ADMINISTRATION
  Import/Export
    • Import Resources: Import
    • Export Resources: Export
  UDDI
    • UDDI Registries: Create, View, Edit, Delete
    • Import from UDDI: Import
    • Auto-Import Status: Synchronize, Detach
    • Publish to UDDI: Publish
    • Auto-Publish Status: Auto-Publish Status, Publish
  Global Resources
    • JNDI Providers: Create JNDI Providers, View JNDI Providers, Edit JNDI Providers, Delete JNDI Providers
    • SMTP Servers: Create SMTP Servers, View SMTP Servers, Edit SMTP Servers, Delete SMTP Servers
  Customization
    • Find and Replace: Find Value, Replace With
    • Create Customization File: Create File
    • Execute Customization File: Select File, Select Items, Execute File

CHANGE CENTER
    • Session Management: Edit Session, View All Sessions, View Changes, Activate Changes, Discard Changes, Exit Session

 


Administrative Security Groups

To facilitate the process of assigning users to the pre-defined administrative roles, AquaLogic Service Bus also provides four corresponding security groups. While membership in a role is dynamic, membership in a group is static: an administrator places a user in a group and the user remains in the group until the administrator changes the assignment.

In the simplest scenario for configuring administrative security, you create a user, add the user to one of the four administrative groups, and the user is automatically always a member of the corresponding role with all of the pre-defined access privileges.

In a more complex scenario, you might create two of your own groups, MyAdministratorsEast and MyAdministratorsWest, and assign users appropriately. You configure the pre-defined IntegrationAdmin security role so that the MyAdministratorsWest group is in the role from 8am to 8pm EST, while the MyAdministratorsEast group is in the role from 8pm to 8am EST.
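The time-based scenario above, modelled in Python as an added example (not BEA's code and not a WebLogic API): group membership is a static lookup, while role membership is evaluated per request, and a consistency check confirms the two windows hand the role over without a gap or overlap. The user names, the helper functions, and the half-open window convention are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta, timezone

EST = timezone(timedelta(hours=-5))  # fixed offset, since the page says "EST"

# Static group membership; the user names are constructed samples.
GROUPS = {
    "MyAdministratorsWest": {"wendy"},
    "MyAdministratorsEast": {"edgar"},
    "IntegrationMonitors": {"mona"},
}

# Role conditions as (group, window start, window end) in EST; None means always.
ROLE_CONDITIONS = {
    "IntegrationAdmin": [
        ("MyAdministratorsWest", time(8), time(20)),
        ("MyAdministratorsEast", time(20), time(8)),
    ],
    "IntegrationMonitor": [("IntegrationMonitors", None, None)],
}

def in_window(t, start, end):
    """Half-open [start, end); a window with start > end wraps past midnight."""
    if start is None:
        return True
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def roles_for(user, when):
    """Roles conferred on `user` at the timezone-aware instant `when`."""
    local = when.astimezone(EST).time()
    return {
        role
        for role, conditions in ROLE_CONDITIONS.items()
        for group, start, end in conditions
        if user in GROUPS.get(group, ()) and in_window(local, start, end)
    }

def handover_problems(role):
    """Minutes of the EST day at which the role is not held by exactly one group."""
    problems = []
    for minute in range(24 * 60):
        t = time(minute // 60, minute % 60)
        holders = [g for g, s, e in ROLE_CONDITIONS[role] if in_window(t, s, e)]
        if len(holders) != 1:
            problems.append((t, holders))
    return problems
```

Running `handover_problems` against a changed set of role conditions shows any minute at which nobody, or more than one group, holds the administrative role.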

Table 9-4 describes the administrative groups that AquaLogic Service Bus provides. You can create your own groups in addition to these.

Table 9-4 AquaLogic Service Bus Groups

By Default, This Group... | Is Always in This Role...
IntegrationAdministrators |
IntegrationDeployers |
IntegrationOperators | IntegrationOperator. See IntegrationOperator.
IntegrationMonitors | IntegrationMonitor. See IntegrationMonitor.

 


Configuring Administrative Security: Main Steps

You can create or modify users, groups, and roles when you are in or out of an AquaLogic Service Bus session. Any additions or modifications to this data take effect immediately and are available to all sessions. If you discard a session in which you added or modified the data, the security data is not discarded.

To configure administrative security:

  1. Log in to the AquaLogic Service Bus Console with a user account that is in the WebLogic Server Admin role.
  2. (Optional) Create your own security groups.

     See “Adding a Group” under Security Configuration in the Using the AquaLogic Service Bus Console.

  3. Create users and assign them to one of the AquaLogic Service Bus groups or one of your own groups.

     See “Adding a User” under Security Configuration in the Using the AquaLogic Service Bus Console.

  4. (Optional) Modify the conditions under which users and groups are in the pre-defined AquaLogic Service Bus security roles.

     By default, the four default groups are always in the AquaLogic Service Bus security roles, but you can change this default. To more easily manage your list of users, BEA recommends that you never add users directly to a role. Instead, add users to a group and add the group to the role.

     See “Adding a Role” under Security Configuration in the Using the AquaLogic Service Bus Console.

