Authentication Hierarchy Service

After you connect WebLogic Server to one or more authentication providers (other than WebLogic Server's default LDAP authentication provider), you can surface a hierarchical tree view of that provider's groups in the WebLogic Administration Portal. A tree view of groups provides a convenient visual mode for changing group properties, finding users within groups, and adding users and groups to rules for Delegated Administration and Visitor Entitlements.

Use the Authentication Hierarchy Service page to build and configure a group hierarchy tree for any of the authentication providers connected to WebLogic Server that provide read access.

Note: Being able to see a hierarchy tree in the WebLogic Administration Portal is ultimately dependent on how the authentication provider is configured. If the provider does not allow at least read access by external tools (such as the WebLogic Administration Portal), you will not be able to see the tree representation of the groups. See View Security Provider Properties to find out how to tell if an authentication provider allows read access.

If you do not build a hierarchy tree for an authentication provider, or if the authentication provider does not allow read access to its groups, you can still use text entry fields in the WebLogic Administration Portal to enter the names of known users and groups.

Building a Group Hierarchy Tree for an Authentication Provider

  1. In the WebLogic Administration Portal main menu, select Service Administration.
  2. In the left pane, select Authentication Hierarchy Service.
  3. In the right pane, in the "Provider to Add to Build List" field, enter the name of the authentication provider. Enter the name exactly, with case sensitivity. (You can find the names of your providers by selecting the Security Providers tool and expanding the Authentication Providers node.)
  4. Click "Update & Build Tree."
  5. Repeat these steps for all authentication providers whose users and groups you want to see in the WebLogic Administration Portal.
  6. To view the group hierarchies for the authentication providers, select the Users & Groups tool, and in the "Browse User/Groups from" field select the authentication provider you want to view. You can also see the group hierarchy trees on the Add Groups to Role pages for a selected Delegated Administration or Visitor Entitlements role.

Configuring a Group Hierarchy Tree

The following table describes the configuration options available for group hierarchy trees.

Build Group Hierarchy Trees

Automatic - On server startup or application redeployment, group hierarchy trees are automatically built for the authentication providers listed in the "Authentication Providers to Build" list.

Manual - Group hierarchy trees for the authentication providers listed in the "Authentication Providers to Build" list are built when you click "Update & Build Tree," letting you determine when the processing overhead for tree building occurs.

A change to this value requires that you redeploy your enterprise application or restart the server.

Sweep Interval

Sweep Interval works with the Time to Live setting to determine how often the hierarchy trees are refreshed to show changes to users and groups.

The Sweep Interval determines how often (in seconds) the hierarchy trees are checked to see if they have expired (their Time to Live has ended). If a sweep finds the trees expired, the trees are cleared from memory and are not rebuilt until you try to access them in one of the WebLogic Administration Portal tools. More frequent refreshing of trees can impact performance, but changes to users and groups are picked up more frequently.

Set the Sweep Interval to the same value as Time to Live if you want the trees to be cleared from memory as soon as they expire.

A change to this value requires that you redeploy your enterprise application or restart the server.

Maximum Number of Groups

Determines how many total groups for all authentication providers will be built and added to memory.

Time to Live

Time to Live works with the Sweep Interval to determine how often the hierarchy trees are refreshed to show changes to users and groups.

The Time to Live determines how often (in seconds) the trees should be cleared from memory (expire). However, the expired trees are not cleared from memory until the trees are swept (determined by the Sweep Interval). More frequent refreshing of trees can impact performance, but changes to users and groups are picked up more frequently.

Set Time to Live to the same value as the Sweep Interval if you want the trees to be cleared from memory as soon as they expire.

Locale Language, Locale Country, and Locale Variant

The Locale settings determine how the lists of users and groups are sorted.

A change to any of these values requires that you redeploy your enterprise application or restart the server.

Authentication Providers to Build

Shows the authentication providers for which hierarchy trees are built. When the trees are built is determined by the setting in the "Build Group Hierarchy Trees" field.

Provider to Add to Build List

To build a hierarchy tree for an available authentication provider in the WebLogic Administration Portal, enter the exact, case-sensitive name for the provider and click "Update & Build Tree." To see the available providers, select the Security Providers tool and expand the Authentication Providers node in the resource tree.

Authentication providers must allow read access for a hierarchy tree to be built.

Provider to Remove from Build List

To remove a hierarchy tree in the WebLogic Administration Portal for an authentication provider, enter the exact, case-sensitive name for the provider and click "Update & Build Tree." Providers available for removal are listed in the "Authentication Providers to Build" list.

After you remove hierarchy tree building for a provider, you can still use a text entry field in the WebLogic Administration Portal tools to select users and groups for that provider.
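
The interaction between the Sweep Interval and Time to Live settings described above determines how long a change to a user or group can go unseen in a hierarchy tree. The following Python model is an added example, not code from WebLogic. It assumes that sweeps fire at fixed multiples of the Sweep Interval counted from server start and that a tree is expired once its age reaches Time to Live; the function names and the sample timeline are constructed for illustration.

```python
# Added example: a model of how Time to Live and Sweep Interval interact.
# Assumptions (not from the page): sweeps fire at fixed multiples of the
# Sweep Interval counted from server start, and a tree is expired once its
# age in seconds is >= Time to Live.

def simulate(ttl, sweep_interval, access_times, horizon):
    """Replay one tree second by second; returns (time, event, age) tuples."""
    events = []
    built_at = None                      # None: no tree in memory
    accesses = set(access_times)
    for now in range(horizon + 1):
        # An expired tree stays in memory until a sweep finds it.
        if now and now % sweep_interval == 0 and built_at is not None:
            if now - built_at >= ttl:
                events.append((now, "cleared", now - built_at))
                built_at = None
        # Trees are rebuilt lazily, on the next access from a Portal tool.
        if now in accesses:
            if built_at is None:
                built_at = now
                events.append((now, "built", 0))
            else:
                events.append((now, "served", now - built_at))
    return events


def oldest_served(events):
    """Largest age (seconds) at which a tree was shown to an administrator."""
    return max((age for _, kind, age in events if kind == "served"), default=0)


def worst_case_lifetime(ttl, sweep_interval):
    """Longest time a tree can stay in memory, over every build offset."""
    worst = 0
    for offset in range(sweep_interval):
        sweep = sweep_interval           # first sweep after server start
        while sweep - offset < ttl:      # this sweep finds the tree unexpired
            sweep += sweep_interval
        worst = max(worst, sweep - offset)
    return worst


if __name__ == "__main__":
    # Constructed timeline: TTL 300 s, sweep every 120 s, accesses as listed.
    for event in simulate(300, 120, [10, 200, 350, 400], 600):
        print(event)
    print("worst case:", worst_case_lifetime(300, 120), "seconds")
```

In this model a tree stays in memory for at least Time to Live and for less than Time to Live plus one Sweep Interval, so a user removed from a group can still appear in that group's tree for that long.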

Changes to Authentication Provider Settings

If you make changes to any authentication provider configuration in the WebLogic Server Administration Console (as opposed to changes you make on the Authentication Hierarchy Service page in the WebLogic Administration Console), be sure to restart the server. Restarting the server prevents exceptions in the WebLogic Administration Portal.
