Oracle® Communications Services Gatekeeper System Administrator's Guide Release 5.0 Part Number E16623-02
This chapter describes how to set up and manage administrative users of Oracle Communications Services Gatekeeper.
Management of Services Gatekeeper is performed by administrative users. There is a set of management users, identified by their user type. Each management user is also assigned a user level.
Table 4-1 provides an overview of the operations for managing management users.
Table 4-1 Operations Associated with Management Tasks

To... | Use |
---|---|
Create an administrative user | addUser |
Change password | changeUserPassword |
Delete an administrative user | deleteUser |
Get user level | getUserLevel |
List administrative users | listUsers |
Services Gatekeeper classifies its users as either Traffic users or Management users.
Traffic users are users (application instances) who use the application-facing interfaces to send traffic.
Management users are users who have access to and can perform management and administration functions.
Traffic users cannot log in to the Administration Console or perform any management operations.
During installation, default groups are created in the WebLogic Server Embedded LDAP server. Table 4-2 lists the names of the default user groups, their membership criteria, and classification of user roles.
Table 4-2 User Groups and Privileges

Group Name | Membership and Privileges | Role |
---|---|---|
Traffic User | All application instances belong to this group. | TrafficUser |
OamUser | Management users who are of OAM type | OamUser |
PrmUser | Management users who are of PRM type | PrmUser |
When an Application Instance sends a Simple Object Access Protocol (SOAP) request to the application-facing interfaces, it is authenticated by the WLNG Application Authenticator. Upon successful authentication, the authenticator adds the WLNGTrafficUsers group to the user principals, in addition to the service provider ID, application ID, service provider group ID, and application group ID.
When Management users log in successfully, they are added to the oamUser group.
Each group contains a user or set of users and is associated with a security role. Groups are generally static; they do not change at run time.
A basic role condition can include users or user groups in a particular security role. For example: assign the Admin role to all users in the Administrators group.
Roles are evaluated at run time by the Role Mapping Provider by checking the authenticated subject.
A policy contains one or more conditions. For example, a simple policy can be: allow access if the user belongs to the Admin role.
Following are the predefined management user types:

- Administrative users use the Administration Console or Java Management Extensions (JMX) to interact with Services Gatekeeper.
- PRM operator users use the Partner Relationship Management (PRM) Operator Web Services interfaces to interact with Services Gatekeeper.
- PRM service provider users use the PRM Service Provider Web Services interfaces to interact with Services Gatekeeper.
When creating a management user, the user is mapped to the WebLogic Server authentication provider WLNG Operation, Administration, and Maintenance (OAM) Authenticator.
Management users are assigned different user levels based on which JMX resources they will be able to access. Table 4-3 lists the access privileges associated with user levels on Services Gatekeeper and WebLogic Server.
Table 4-3 User Levels and Privileges

User Level | Access on Services Gatekeeper | Access on WebLogic Server |
---|---|---|
1000 | Administration access to management functions | Administration access: |
666 | Read-write access on management functions | Deployer access: |
333 | Read-only access on management functions | Monitor access: |
0 | No access to management functions; assigned to PRM Service Provider users internally. | Anonymous access: No access to the console |
At a more granular level, an administrator may want to give access to only a subset of management interfaces. This can be achieved by applying XACML policies.
Following is an outline of how to apply these policies to add more granular access control:

1. Add a new management user.
2. Create a user group.
3. Add the user to the user group.
4. Add an XACML policy to assign a role to the group.
5. Add an XACML policy to the user group. It is possible to restrict access at a granular level: MBean, MBean attribute, or MBean operation level. See Understanding WebLogic Resource Security in Oracle WebLogic Server Securing WebLogic Resources Using Roles and Policies at http://download.oracle.com/docs/cd/E15523_01/web.1111/e13747/understdg.htm for a detailed description of this process. The basic process includes:
   1. Determine a special identifier, the resourceId, for each MBean.
   2. Create an XACML policy for the new security role.
   3. Specify one or more rule elements that define which users, groups, or roles belong to the new security role.
   4. Attach this role to the MBean using the resourceId.
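The chain this section describes (groups mapped to roles per authenticated subject, then a policy whose rule elements permit a role on an MBean resourceId at MBean, attribute or operation granularity), together with the user levels of Table 4-3, as a small runnable model added here; it is not Oracle's code and does not use WebLogic's real XACML or resourceId syntax. The group UserProvGroup, the role UserProvisioner and the dotted "MBean.operation" resourceId form are constructed assumptions; the MBean class name is the one given in this chapter.

```python
from dataclasses import dataclass, field

# Table 4-3 user levels modelled as coarse roles: 1000 administration,
# 666 read-write, 333 read-only, 0 no access (PRM service provider users).
LEVEL_ROLES = {1000: {"Admin"}, 666: {"Operator"}, 333: {"Monitor"}, 0: set()}

# Static group -> role mapping, evaluated per authenticated subject at run time
# (the Role Mapping Provider step). "UserProvGroup" and "UserProvisioner" are
# constructed names for the granular-access procedure, not Services Gatekeeper's.
ROLE_MAPPING = {"OamUser": {"Operator"}, "UserProvGroup": {"UserProvisioner"}}

MBEAN = "com.bea.wlcp.wlng.user.management.ManagementUserMBean"

@dataclass
class Subject:
    name: str
    level: int
    groups: set = field(default_factory=set)

    def roles(self) -> set:
        """Roles = the level's default role plus whatever the groups map to."""
        roles = set(LEVEL_ROLES.get(self.level, set()))
        for group in self.groups:
            roles |= ROLE_MAPPING.get(group, set())
        return roles

@dataclass
class Policy:
    """A resourceId (MBean, or MBean.attribute / MBean.operation for finer
    granularity), the roles its rule permits, and the actions it covers."""
    resource_id: str
    permitted_roles: set
    actions: set

POLICIES = [
    Policy(MBEAN, {"Admin"}, {"get", "set", "invoke"}),           # whole MBean
    Policy(MBEAN, {"Operator", "Monitor"}, {"get"}),              # read attributes only
    Policy(MBEAN + ".addUser", {"UserProvisioner"}, {"invoke"}),  # one operation only
]

def is_permitted(subject: Subject, resource_id: str, action: str) -> bool:
    """Deny by default; permit when a policy targets the resource (or its parent
    MBean), covers the action, and the subject holds one of the permitted roles."""
    roles = subject.roles()
    for policy in POLICIES:
        targets = resource_id == policy.resource_id or resource_id.startswith(
            policy.resource_id + ".")
        if targets and action in policy.actions and roles & policy.permitted_roles:
            return True
    return False
```

A level-0 user placed in UserProvGroup can invoke only addUser, while a level-333 user can read attributes but invoke nothing, which is the kind of split the procedure above is meant to achieve.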
Managed object: Container Services−>ManagementUsers−>ManagementUsers
MBean: com.bea.wlcp.wlng.user.management.ManagementUserMBean
Following is a list of attributes and operations for configuration and maintenance.
Scope: Cluster
Adds a Services Gatekeeper administrative user.
Signature:
addUser(Username: String, Password: String, UserLevel: int, Type: int)
Table 4-4 describes these parameters.
Table 4-4 Parameters for addUser

Parameter | Description |
---|---|
Username | User name |
Password | Password |
UserLevel | Defines the user level when administrating Oracle Communications Services Gatekeeper. See "User Level". |
Type | Type of management user. Use: See "User Types". |
Scope: Cluster
Changes the password for an existing Services Gatekeeper administrative user.
Signature:
changeUserPassword(UserName: String, OldPasswd: String, NewPasswd: String)
Table 4-5 describes these parameters.
Scope: Cluster
Deletes a Services Gatekeeper administrative user.
Signature:
deleteUser(UserName: String)
Table 4-6 describes this parameter.
Scope: Cluster
Gets the user level for a management user. See "User Level".
Signature:
getUserLevel(UserName: String)
Table 4-7 describes this parameter.
Scope: Cluster
Displays a list of all registered management users and their corresponding user levels. See "User Level".
Signature:
listUsers(Type: int, Offset: int, Size: int)
Table 4-8 describes these parameters.
Table 4-8 Parameters for listUsers

Parameter | Description |
---|---|
Type | Type of user. Use: See "User Types". |
Offset | Offset in the list. Starts with 0. |
Size | Size of the list |
Managed object: Container Services−>ManagementUsers−>ManagementUserGroup
MBean: com.bea.wlcp.wlng.user.management.ManagementUserGroupMBean
Following is a list of attributes and operations for configuration and maintenance.
Scope: Cluster
Adds an Oracle Communications Services Gatekeeper administrative user to a user group.
Signature:
addUsertoGroup(Username:String, GroupName: String)
Table 4-9 describes these parameters.
Scope: Cluster
Creates a new user group.
Signature:
createUserGroup(GroupName: String, Description: String)
Table 4-10 describes these parameters.
Scope: Cluster
Lists all registered user groups.
Signature:
listGroups(Offset: int, Size: int)
Table 4-11 describes these parameters.
Scope: Cluster
Lists the users that belong to a user group.
Signature:
listUsers(GroupName: String, Offset: int, Size: int)
Table 4-12 describes these parameters.