Managing WebLogic Integration Solutions
User Management
This section provides the information you need to use the User Management module of the WebLogic Integration Administration Console. This module allows you to manage the users, groups, and roles defined in the default security realm.
Note: You must be logged in as a member of the Administrators or IntegrationAdministrators group to add, delete, or modify a user, group, or role. See Default Groups, Roles, and Security Policies.
The following topics are provided:
About WebLogic Integration Users, Groups, and Roles
Users are entities that can be authenticated. Each user is assigned a unique identity within the realm. To make it easier to administer a large number of users, users can be organized into named groups. Groups can in turn be assigned membership in other groups.
Like other components of the platform, WebLogic Integration supports role-based authorization. Although the specific users that require access to the components that make up your WebLogic Integration application may change depending upon the deployment environment, the roles that require access are typically more stable. Authorization involves granting an entity permissions and rights to perform certain actions on a resource.
In role-based authorization, security policies define the roles that are authorized to access the resource. In addition to the built-in roles that are associated with certain administrative and monitoring privileges, security policies that control access to the following resources can be configured from the WebLogic Integration Administration Console:
Once the roles required for access are set, the administrator can map users or groups to the roles as required.
Unlike membership in a group, which is directly assigned, membership in a security role is dynamically calculated based on the set of conditions that define the role statement. Each condition specifies user names, group names, or time of day. Conditions are joined by conjunction (and) or disjunction (or) commands. When a principal (user) is "in" a role based on the evaluation of the role statement, the access permissions of the role are conferred on the principal.
A set of default roles are defined for WebLogic Integration system management. Additional roles can be created to control access to implementation-specific resources. The roles created using the WebLogic Integration Administration Console are created as WebLogic Server global roles.
Note: The following sections provide information specific to WebLogic Integration. To learn more about protecting resources in a platform-based application, see Introducing WebLogic Platform 8.1 Security.
Default Groups, Roles, and Security Policies
Any domain that supports WebLogic Integration includes a set of default WebLogic Integration roles and groups. Default security policies define the roles authorized to access specific WebLogic Integration resources.
Default Roles
The following table lists the default WebLogic Integration roles. A brief description and initial condition statement associated with each is provided. To learn more, see Default Security Policies.
Although you can update the role statement associated with a default role, you cannot delete these roles.
Note: In addition to the default WebLogic Integration roles, there are also a number of default WebLogic Server roles. See "Default Global Roles" in "Security Roles" at the following URL:
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secwlres/secroles.html
| Default Role | Description | Initial Role Statement |
|---|---|---|
| IntegrationAdmin | The WebLogic Integration administrator role. This role has full privileges to all servers in the cluster. This role can create additional roles using the WebLogic Integration Administration Console. | Groups:(IntegrationAdministrators,Administrators) |
| IntegrationOperator | The WebLogic Integration operator role. This role has nearly all the privileges of the IntegrationAdministrator role. For example, a user in the IntegrationOperator role cannot configure certain security properties, but can otherwise modify resources. See Default Security Policies for details. | Groups:(IntegrationOperators,Operators) |
| IntegrationMonitor | The WebLogic Integration monitor role. This role has read-only access to the WebLogic Integration Administration Console. | Groups:(IntegrationMonitors,Monitors) |
| IntegrationUser | The default WebLogic Integration user role. When first created, all users are assigned to the IntegrationUser role. | Groups:(IntegrationUsers) |
| IntegrationDeployer | The WebLogic Integration deployer role. This role has full privileges to all servers in the cluster. This role can create additional roles using the WebLogic Integration Administration Console. | Groups:(IntegrationDeployers) |
Default Groups
The following table lists the default groups:
| Default Group | Description |
|---|---|
| IntegrationAdministrators | The WebLogic Integration administrator group. This group is assigned to the role IntegrationAdmin and all members inherit that role. |
| IntegrationUsers | The WebLogic Integration user group. This group is assigned to the role IntegrationUser and all members inherit that role. |
| IntegrationMonitors | The WebLogic Integration monitor group. This group is assigned to the role IntegrationMonitor and all members inherit that role. |
| IntegrationOperators | The WebLogic Integration operator group. This group is assigned to the role IntegrationOperator and all members inherit that role. |
Default Security Policies
The following table summarizes the actions the IntegrationMonitor, IntegrationOperator, IntegrationAdmin, and IntegrationUser roles can execute:
| Resource | Action | IntegrationMonitor | IntegrationOperator | IntegrationAdmin | IntegrationUser |
|---|---|---|---|---|---|
| Servers in a Cluster | Start, Stop | | | | |
| Processes | Configure versions, tracking, and reporting data policies | | | | |
| | Configure Security | | | | |
| | Terminate, Suspend, Resume, Unfreeze | | | | |
| | Invoke | Configured by the administrator. Until policies are defined, the default is everyone. | Configured by the administrator. Until policies are defined, the default is everyone. | Configured by the administrator. Until policies are defined, the default is everyone. | Configured by the administrator. Until policies are defined, the default is everyone. |
| | Monitor | | | | |
| Dynamic Control Selectors | Configure | | | | |
| | View | | | | |
| Worklist Tasks | Modify, Reassign, Complete, Cancel, Claim, Delete | | | | |
| | Configure Security | | | | |
| | View | | | | |
| Message Broker Channels | Subscribe, Publish | Configured by the administrator. Until policies are defined, the default is everyone. | Configured by the administrator. Until policies are defined, the default is everyone. | Configured by the administrator. Until policies are defined, the default is everyone. | Configured by the administrator. Until policies are defined, the default is everyone. |
| | Reset counts | | | | |
| | Configure security | | | | |
| | View | | | | |
| Event Generators | Create, Delete, Modify, Suspend/Resume | | | | |
| | View | | | | |
| Users, Groups, and Roles | Create, Delete, Modify | | | | |
| | View | | | | |
| Business Calendars | Create, Delete, Modify | | | | |
| | Manage user and group mappings | | | | |
| | View | | | | |
| Application Integration | Configure connection parameters and environment variables | | | | |
| | Configure security | | | | |
| | Monitor | | | | |
| Trading Partner and Service Profiles | Create, Delete, Modify | | | | |
| | View | | | | |
| Trading Partner Management Server | Configure | | | | |
| | View | | | | |
| System | Configure the reporting data and purge policies, or manually kick off the purge process | | | | |
| | Manage password aliases | | | | |
| | View repository size | | | | |
Security Provider Requirements for User Management
The ability to define users and groups, and to configure security for WebLogic Integration resources, is dependent on the availability of an authenticator that implements the following MBeans:
UserEditor
GroupEditor
GroupMemberLister
MemberGroupLister
If there is no authenticator that implements all the above MBeans, all functionality in the WebLogic Integration Administration Console related to configuring users or groups, or to granting specific privileges to users or groups, is disabled.
As described in Introducing WebLogic Platform 8.1 Security (http://download.oracle.com/docs/cd/E13196_01/platform/docs81/secintro/secure.html), it is possible to run more than one security provider at a time. If multiple authenticators are running, and more than one authenticator implements the MBeans required for WebLogic Integration administration (UserEditor, GroupEditor, GroupMemberLister, and MemberGroupLister), there is currently no mechanism for specifying which provider is to be used by the WebLogic Integration Administration Console. Due to this limitation, we recommend that you run a single authenticator that meets the requirements.
To learn more about WebLogic Server security realms and security providers, see "Security Realms" in Introduction to WebLogic Security, at the following URL:
http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secintro/realm_chap.html
Overview of the User Management Module
The following table lists the pages you can access from the User Management module. The tasks and topics associated with each are provided:
| Page | Associated Tasks | Topics |
|---|---|---|
| Users | | |
| View and Edit Users | View a list of users. User name, email, group membership, and associated business calendar are displayed. | Listing and Locating Users |
| | Filter the list by user name or group membership. Use ? to match any single character or * to match zero or more characters. | Listing and Locating Users |
| | Delete one or more users. | Deleting Users, Groups, or Roles |
| Add New User | Add a user by assigning a unique name and password. Optionally, assign a description, email address, group membership, and business calendar. | Adding a User |
| View User Details | View user properties. | Viewing and Changing User Properties |
| Edit User Details | Change user properties. Add a description, assign a calendar, assign or update the user's email address, update the password, or assign the user to one or more groups. | Viewing and Changing User Properties |
| Groups | | |
| View and Edit Groups | View a list of groups. Group name, description and group membership are displayed. | Listing and Locating Groups |
| | Filter the list by group name. Use ? to match any single character or * to match zero or more characters. | Listing and Locating Groups |
| | Delete one or more groups. | Deleting Users, Groups, or Roles |
| Add New Group | Add a group by assigning a unique name. Optionally assign a description or assign the group to one or more other groups. | Adding a Group |
| View Group Details | View group properties. | Viewing and Changing Group Properties |
| Edit Group Details | Change group properties. Add a description, or update the group membership. | Viewing and Changing Group Properties |
| Roles | | |
| View and Edit Roles | View a list of roles. Role name is displayed. | Listing and Locating Roles |
| | Filter the list by role name. Use ? to match any single character or * to match zero or more characters. | Listing and Locating Roles |
| | Delete one or more roles. | Deleting Users, Groups, or Roles |
| Add New Role | Add a role by assigning a unique role name and defining the conditions that constitute the role statement. | Adding a Role |
| View Role Conditions | View or change role conditions. Add, delete, or reorder conditions. | Viewing and Setting Role Conditions |
| Add Role Conditions | Define a condition to be added. | Constructing a Role Statement |
| Sort Role Conditions | Change the order of the conditions in the list. | Constructing a Role Statement |
| Edit Role Conditions Command | Change the command that joins conditions. | Constructing a Role Statement |
Adding a User
The Add New User page allows you to create a new user.
To add a user:
- From the home page, select the User Management module.
- From the left panel, select Create New to display the Add New User page.
- In the User Name field, enter a unique name.
Note: The name must be unique across users and groups. That is, you cannot create a user that has the same name as a group.
- In the Description field, enter a description for the user (optional).
- From the Calendar drop-down list, select a business calendar for the user (optional).
- In the E-mail field, enter the email address for the user (optional).
- In the Password field, enter the password.
Note: The password must be at least 8 characters long.
- In the Confirm Password field, enter the password again.
- Assign the user to one or more groups as follows:
- From the Available Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
Note: By default, the IntegrationUsers group appears on the Current Groups list. Remove this entry if the user should not be a member of IntegrationUsers.
- Click the icon to move the selected groups to the Current Groups list.
- To create the user, click Add User.
The View and Edit Users page is displayed. The new user is included in the list. (You may need to page forward to see the new user.)
Note: If there is an error, the Add New User page is redisplayed. A message indicating the problem is displayed above the input requiring correction.
- To clear entries, click Reset.
- To disregard the changes and return to the View and Edit Users page, click Cancel.
Adding a Group
The Add New Group page allows you to create a new group.
To add a group:
- From the home page, select the User Management module.
- From the left panel, select Groups.
- From the left panel, select Create New to display the Add New Group page.
- In the Group Name field, enter a unique name.
Note: The name must be unique across users and groups. That is, you cannot create a group that has the same name as a user.
- In the Description field, enter a description for the group (optional).
- To make this group a member of one or more other groups, do the following:
- From the Available Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
- Click the icon to move the selected groups to the Current Groups list.
Note: To make another group a member of this group, you must update the membership assignments for that group. See Viewing and Changing Group Properties.
- To create the group, click Add Group.
The View and Edit Groups page is displayed. The new group is included in the list. (You may need to page forward to see the new group.)
Note: If there is an error, the Add New Group page is redisplayed. A message indicating the problem is displayed above the input requiring correction.
- To disregard the changes and return to the View and Edit Groups page, click Cancel.
Adding a Role
The Add New Role page allows you to create a new role.
To add a role:
- From the home page, select the User Management module.
- From the left panel, select Roles.
- From the left panel, select Create New to display the Add New Role page.
- In the Role Name field, enter a unique name.
The role is created and the View Role Conditions page for the role is displayed.
Note: Each change to the role statement (adding or deleting conditions, moving the position of a condition in the list, or updating a joining command) becomes effective when it is successfully submitted.
Constructing a Role Statement
You construct a role statement by adding conditions. See Adding Conditions to a Role Statement. Each condition is joined to the previous condition by a conjunction (and) or disjunction (or) command as shown in the following figure:
After you have added conditions to the statement, you can update the joining commands, move the position of a condition, or delete conditions. See Modifying the Role Statement.
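The role-statement model described here and under About WebLogic Integration Users, Groups, and Roles, worked through as an added example (it is not BEA code and not the console's implementation), useful for auditing who ends up in a role through nested groups. Assumptions: conditions are applied strictly left to right, each joined to the running result by its command; a Groups condition matches membership in any listed group, including nested membership; the Hours window is start-inclusive and end-exclusive. The sample realm, the ChannelPublisher role, and all function names are constructed for illustration.

```python
from datetime import time

# Constructed sample realm (not real data): principal -> groups it is directly in.
MEMBER_OF = {
    "alice": {"IntegrationUsers", "NightShift"},
    "bob": {"IntegrationUsers", "Auditors"},
    "carol": {"IntegrationUsers"},
    "NightShift": {"IntegrationOperators"},   # group nested in a default group
    "Auditors": {"IntegrationMonitors"},
}

# A role statement is an ordered list of (command, kind, value) conditions.
# The five default statements are the initial ones listed on this page.
ROLES = {
    "IntegrationAdmin": [("and", "Groups", ("IntegrationAdministrators", "Administrators"))],
    "IntegrationOperator": [("and", "Groups", ("IntegrationOperators", "Operators"))],
    "IntegrationMonitor": [("and", "Groups", ("IntegrationMonitors", "Monitors"))],
    "IntegrationUser": [("and", "Groups", ("IntegrationUsers",))],
    "IntegrationDeployer": [("and", "Groups", ("IntegrationDeployers",))],
    # Hypothetical custom role: operators between 08:00 and 18:00, or the user carol.
    "ChannelPublisher": [
        ("and", "Groups", ("IntegrationOperators",)),
        ("and", "Hours", (time(8, 0), time(18, 0))),
        ("or", "Users", ("carol",)),
    ],
}


def effective_groups(principal, member_of):
    """Every group the principal is in, directly or through nested groups."""
    seen, stack = set(), list(member_of.get(principal, ()))
    while stack:
        group = stack.pop()
        if group not in seen:              # also stops on membership cycles
            seen.add(group)
            stack.extend(member_of.get(group, ()))
    return seen


def condition_holds(kind, value, user, groups, now):
    if kind == "Groups":
        return bool(groups & set(value))   # member of any listed group
    if kind == "Users":
        return user in value
    if kind == "Hours":
        start, end = value
        return start <= now < end          # assumed window semantics
    raise ValueError(f"unknown condition kind: {kind}")


def in_role(statement, user, member_of, now):
    """Fold the conditions left to right (assumed evaluation order)."""
    groups = effective_groups(user, member_of)
    result = None
    for command, kind, value in statement:
        holds = condition_holds(kind, value, user, groups, now)
        if result is None:
            result = holds                 # first condition: command is ignored
        elif command == "and":
            result = result and holds
        elif command == "or":
            result = result or holds
        else:
            raise ValueError(f"unknown command: {command}")
    return bool(result)


def roles_for(user, roles, member_of, now):
    """Sorted names of the roles the user is in at the given time of day."""
    return sorted(r for r, stmt in roles.items() if in_role(stmt, user, member_of, now))


if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, roles_for(who, ROLES, MEMBER_OF, time(9, 30)))
```

In the sample data alice is in the IntegrationOperator role only because NightShift is nested in IntegrationOperators, which is the kind of indirect grant a membership review should surface.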
Adding Conditions to a Role Statement
If you are logged in with sufficient privileges, you can add conditions from the View Role Conditions page. The View Role Conditions page is displayed when you create a new role, or when you select a role from the View and Edit Roles list. See Listing and Locating Roles.
To add a Groups condition:
- On the View Role Conditions page, click Add Role Condition to display the Add Role Conditions page.
- From the Available Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
- Click the icon to move the selected groups to the Current Groups list.
- Select the command. This joins the condition to the previous condition in the statement. If this is the first condition, the command setting is ignored.
The condition is added to the role statement.
To add a Users condition:
- On the View Role Conditions page, click Add Role Condition to display the Add Role Conditions page.
- From the Available Users list, select the required users. (To select multiple users, press and hold the Ctrl key as you click each additional user.)
- Click the icon to move the selected users to the Current Users list.
- Select the command. This joins the condition to the previous condition in the statement. If this is the first condition, the command is ignored.
The condition is added to the role statement.
To add an Hours condition:
- On the View Role Conditions page, click Add Role Condition to display the Add Role Conditions page.
- Use the From drop-down lists to specify the start time.
- Use the To drop-down lists to specify the end time.
- Select the command. This joins the condition to the previous condition in the statement. If this is the first condition, the command is ignored.
The condition is added to the role statement.
Modifying the Role Statement
If you are logged in with sufficient privileges, you can update the joining command, move the position of the conditions, or delete conditions from the View Role Conditions page.
To update the joining command:
- On the View Role Conditions page, click Edit Role Condition Commands.
- Make selections from the Command drop-down lists as required.
To sort the role conditions:
- On the View Role Conditions page, click Sort Role conditions.
- Move the position of a condition by clicking the up or down arrow to the right of the condition.
To delete role conditions:
- On the View Role Conditions page, click the check box to the left of the condition to select it.
Listing and Locating Users
The View and Edit Users page lists the users defined in the default security realm.
To list and locate users:
- From the home page, select the User Management module to display the View and Edit Users page.
- To locate a specific user, do one of the following:
- Filter by user name. Enter the search target (use ? to match any single character or * to match zero or more characters), then click User Name. The users matching the search criteria are displayed.
- Filter by group name. Enter the search target (use ? to match any single character or * to match zero or more characters), then click Group Name. The users assigned to groups matching the search criteria are displayed.
- Resort the list. Ascending and descending arrow buttons indicate sortable columns. Click the button to change the sort order.
- Scroll through the pages. Use the controls in the lower left corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.
Listing and Locating Groups
The View and Edit Groups page lists the groups defined in the default security realm.
To list and locate groups:
- Select the User Management module from the home page.
- Select Groups from the left panel to display the View and Edit Groups page.
- To locate a specific group, do one of the following:
- Filter by group name. Enter the search target, then click Group Name. The groups matching the search criteria are displayed.
- Resort the list. Ascending and descending arrow buttons indicate sortable columns. Click the button to change the sort order.
- Scroll through the pages. Use the controls in the lower left corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.
Listing and Locating Roles
The View and Edit Roles page lists the roles defined in the default security realm.
To list and locate roles:
- From the home page, select the User Management module.
- From the left panel, select Roles to display the View and Edit Roles page.
- To locate a specific role, do one of the following:
- Filter by role name. Enter the search target, then click Role Name. The roles matching the search criteria are displayed.
- Resort the list. Ascending and descending arrow buttons indicate sortable columns. Click the button to change the sort order.
- Scroll through the pages. Use the controls in the lower left corner. Go to a page by selecting the page number or by using the arrow buttons to go to the next, previous, first, or last page.
Viewing and Changing User Properties
The View User Details page displays the user properties. If you are logged in with sufficient privileges, you can access the Edit User Details page to make changes.
To view user properties:
- Click the user name to display the View User Details page.
The user name, description, calendar, e-mail, and group membership are displayed.
To change user properties:
- On the View User Details page, click Edit User.
- In the Description field, enter or update the description for the user (optional).
- From the User Calendar drop-down list, do one of the following (optional):
- Select a business calendar for the user.
- Select No Calendar.
- In the Current Password field, enter the current password.
- In the New Password field, enter the new password.
Note: The password must be at least 8 characters long.
- In the Confirm Password field, enter the new password again.
- Add or remove group assignments as follows:
To add groups:
a. From the Available Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
b. Click the icon to move the selected groups to the Current Groups list.
To remove groups:
a. From the Current Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
b. Click the icon to move the selected groups to the Available Groups list.
- To update the user, click Submit.
The View and Edit Users page is displayed.
Note: If there is an error, the Edit User Details page is redisplayed. A message indicating the problem is displayed above the input requiring correction.
- To reset to the last saved values, click Reset.
- To disregard the changes and return to the View and Edit Users page, click Cancel.
Viewing and Changing Group Properties
The View Group Details page displays group properties. If you are logged in with sufficient privileges, you can access the Edit Group Details page to make changes.
To view group properties:
- Click the group name to display the View Group Details page.
The following table summarizes the information displayed:
| Property | Description |
|---|---|
| Group Name | Name assigned to the group. |
| Group Membership | Groups that this group is a member of. Each name is a link to the View Group Details page for the group. |
| Member Groups | Groups that are members of this group. Each name is a link to the View Group Details page for the group. |
| Member Users | Users that are members of this group. Each name is a link to the View User Details page for the user. |
To change group properties:
- On the View Group Details page, click Edit Group.
- In the Description field, enter or update the description for the user (optional).
- Add or remove group membership assignments as follows:
To add groups:
a. From the Available Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
b. Click the icon to move the selected groups to the Current Groups list.
To remove groups:
a. From the Current Groups list, select the required groups. (To select multiple groups, press and hold the Ctrl key as you click each additional group.)
b. Click the icon to move the selected groups to the Available Groups list.
- To update the group, click Submit.
The View and Edit Groups page is displayed.
Note: If there is an error, the Edit Group Details page is redisplayed. A message indicating the problem is displayed above the input requiring correction.
- To reset to the last saved values, click Reset.
- To disregard the changes and return to the View and Edit Groups page, click Cancel.
Viewing and Setting Role Conditions
The View Role Conditions page displays the role statement. If you are logged in with sufficient privileges, you can access the Edit Role Details page to make changes.
To view and edit role conditions:
- Click the role name to display the View Role Conditions page.
The role name and role statement are displayed.
Deleting Users, Groups, or Roles
You can delete users, groups, or roles from the respective View and Edit page.
To delete users:
- Click the check box to the left of the users to be deleted to select them.
- Click Remove Selected Users.
To delete groups:
- Click the check box to the left of the groups to be deleted to select them.
- Click Remove Selected Groups.
To delete roles:
- Click the check box to the left of the roles to be deleted to select them.
- Click Remove Selected Roles.