A scoped role is a security role that applies to a specific instance of a WebLogic resource deployed in a security realm (such as a method on an EJB or a branch of a JNDI tree).
To create a scoped role for a WebLogic resource:

1. Access the WebLogic resource for which you want to create a scoped security role. For instructions on accessing a specific resource, choose from the following list and return to this task as instructed.
   Note: If you have already navigated to the resource in the Administration Console and are accessing this help page from the Scoped Roles table, you can skip to step 2.
2. On the Scoped Roles page for the selected resource, click New to display the Create Role page.
3. In the Name field, enter a name for the role.
   Note: Do not use blank spaces, commas, hyphens, or any of the characters in the following comma-separated list: \t, < >, #, |, &, ~, ?, ( ), { }. Security role names are case sensitive. All security role names are singular and the first letter is capitalized, according to the BEA convention. The proper syntax for a security role name is as defined for an Nmtoken in the Extensible Markup Language (XML) Recommendation.
   Warning: If you create a scoped role with the same name as a global role, the scoped role takes precedence over the global role.
4. Click OK to save your changes and display the role name in the Scoped Roles table.
5. In the Scoped Roles table, select the new role to display the Role Conditions page.
6. In the Role Conditions section, click Add Conditions to display the Edit Roles page with the prompt: Choose the predicate you wish to use as your new condition.
7. In the Predicate List field, select a predicate (condition).
   BEA recommends that you create expressions using the Group condition where possible. When a group is used to create a security role, the security role can be granted to all members of the group (that is, multiple users). For more information, see Components of a Security Role: Role Conditions, Expressions, and Role Statements.
8. The next steps depend on which condition you chose:
   - If you selected Group or User, click Next, enter a name in the argument field, and click Add or Remove. The names you add must match groups or users in the security realm active for this WebLogic domain.
   - If you selected a boolean predicate (Server is in development mode, Allow access to everyone, or Deny access to everyone), there are no arguments to enter. Click Finish and go to step 10.
   - If you selected a context predicate, such as Context element's name equals a numeric constant, click Next and enter the context name and an appropriate value. It is your responsibility to ensure that the context name and/or value exists at runtime.
   - If you selected a time-constrained predicate, such as Access occurs between specified hours, click Next and provide values for the Edit Arguments fields.
9. Click Finish.
10. If desired, repeat steps 7-9 to add more conditions. The system evaluates conditions in the order they appear in the list.
11. If desired, use the buttons in the Scoped Role Conditions section to modify the expressions. Select the check box next to the expression or expressions, then:
    - Select And/Or between expressions to switch between the and and or statements.
    - Click Move Up and Move Down to change the ordering of the selected expression(s).
    - Click Combine or Uncombine to merge or unmerge the selected expressions.
    - Click Negate to make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.
    - Click Remove to delete the selected expression.
12. When you have the expressions arranged the way you want, click Save.
13. To access your role in the Roles table, see List security roles.
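As an added illustration (not part of this help page and not WebLogic's role-mapping code), the following Python models the predicates from steps 7 and 8 and the And/Or and Negate controls from step 11, so the effect of condition order and negation can be checked offline. It assumes conditions are combined left to right in list order and does not model the Combine grouping; the request fields, predicate names and the Operators role are constructed for the example.

```python
# Added model (not WebLogic's own code) of the predicates on this page and of
# the And/Or and Negate controls; conditions are combined left to right in
# list order, with no Combine grouping.
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    groups: frozenset
    dev_mode: bool = False
    hour: int = 12  # hour of day when the access occurs, 0-23

@dataclass
class Condition:
    predicate: str        # one of the predicate names handled below
    args: tuple = ()
    negate: bool = False  # effect of clicking Negate on the condition

    def matches(self, req: Request) -> bool:
        if self.predicate == "Group":
            hit = any(g in req.groups for g in self.args)
        elif self.predicate == "User":
            hit = req.user in self.args
        elif self.predicate == "Allow access to everyone":
            hit = True
        elif self.predicate == "Deny access to everyone":
            hit = False
        elif self.predicate == "Server is in development mode":
            hit = req.dev_mode
        elif self.predicate == "Access occurs between specified hours":
            start, end = self.args  # constructed: half-open range [start, end)
            hit = start <= req.hour < end
        else:
            raise ValueError(f"unsupported predicate: {self.predicate}")
        return not hit if self.negate else hit

def role_granted(conditions, operators, req: Request) -> bool:
    """Evaluate conditions in list order, joined by the And/Or between them."""
    result = conditions[0].matches(req)
    for op, cond in zip(operators, conditions[1:]):
        hit = cond.matches(req)
        result = (result and hit) if op == "And" else (result or hit)
    return result

# Constructed example: Operators group, except user bob, during 08:00-18:00.
OPS_ROLE = [Condition("Group", ("Operators",)),
            Condition("User", ("bob",), negate=True),
            Condition("Access occurs between specified hours", (8, 18))]
OPS_JOINS = ["And", "And"]
```

Changing `OPS_JOINS` to `["Or", "And"]` shows why order matters: the negated User condition then grants the role to every user except bob, not only to Operators.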
After you finish
Create the security policy that determines access to this resource and associate the policy with the new scoped role. For more information, see Create security policies.