Administration Console Online Help

Before you begin

For URL patterns and EJBs this task is not valid if you are using the DDOnly security model. With this model, the resource ignores policies that you create in the Administration Console. See Manage security for Web applications and EJBs.

You can create a security policy that applies to a specific resource instance. If the instance contains other resources, the policy will apply to the included resource as well.

The policy of a narrower scope overrides policy of a broader scope. For example, if you create a security policy for an EAR and a policy for an EJB that is in the EAR, the EJB will be protected by its own policy and will ignore the policy for the EAR. For more information, see Manage security policies.

To create a security policy for a specific instance of a WebLogic resource:

Access the Edit Policies page for the resource instance:
Each resource instance provides its own Edit Policies page, and you can access it through any of several navigational paths.
- For JNDI resources or WorkContext resources, see Access policies for JNDI resources or Access policies for Work Context resources.
- For other resource instances, a recommended path is:
1. In the left pane of the Console, select Security Realms.
2. On the Summary of Security Realms page, select the name of the realm that you want to secure the resource (for example, myrealm).
3. On the Settings page, select Roles and Policies > Policies.
  The Roles and Policies: Policies page organizes all of the domain's resources and corresponding policies in a hierarchical tree control.
4. On the Roles and Policies: Policies page, in the Policies table, expand the nodes in the Names column until you find the resource instance that you want to secure.
  For information on finding resources in the Names column, see Column Display.
5. Do one of the following:
  - If the Policy column for the resource instance contains a View Policy link, click the link. The presence of this link means that a policy has already been created for the resource instance. You can modify this policy to suit your needs.
  - If the Policies table does not already list a URL pattern that you want to secure, create a new URL pattern by selecting the name of the URL Patterns sub-node.
  - Otherwise, click the radio button next to the resource instance. Then click Create Policy.
  The Administration Console displays the resource's Edit Policies page.
On the Edit Policies page, if you have configured more than one authorization provider for the realm, from the Authorization Providers list, select the provider you want to use to secure this resource.
On the Edit Policies page, click Add Conditions.
On the Choose a Predicate page, in the Predicate List, select a condition.
Oracle recommends that you use the Role condition where possible. Basing conditions on security roles enables you to create one security policy that takes into account multiple users or groups, and is a more efficient method of management.

For more information, see Security Policy Conditions.
The next steps depend on the condition that you chose:
- If you selected Role, click Next, enter the name of a security role in the argument field, and click Add. To create a compound condition, enter another role name and click Add. A compound condition evaluates as true if either predicate is true. For example, if you create a compound condition that specifies the Operator and Deployer roles, then the condition is true if the user is in either role. If the security roles that you enter do not already exist, create them after you finish creating policies.
- If you selected Group or User, click Next , enter a name in the argument field, and click Add. To create a compound condition, enter another user or group name and click Add. If the users or groups that you name do not already exist, create them after you finish creating policies.
- If you selected a boolean predicate (Server is in development mode , Allow access to everyone, or Deny access to everyone), there are no arguments to enter. Click Finish and go to step 10.
- If you selected a context predicate, such as Context element's name equals a numeric constant, click Next and enter the context name and an appropriate value. It is your responsibility to ensure that the context name and/or value exists at runtime.
- If you selected a time-constrained predicate, such as Access occurs between specified hours, click Next and provide values for the Edit Arguments fields.
Click Finish.
(Optional) Create additional conditions.
(Optional) The WebLogic Security Service evaluates conditions in the order they appear in the list. To change the order, select the check box next to a condition and click the Move Up or Move Down button.
(Optional) Use other buttons in the Policy Conditions section to specify relationships between the conditions:
- Select And/Or between expressions to switch the and / or statements.
- Click Combine or Uncombine to merge or unmerge selected expressions. See Combine Conditions.
- Click Negate to make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.
Click Save.

Result

The policy appears on the Roles and Policies: Policies page in the Policies table.

After you finish

If your policies grant access to roles, specify users and groups for your roles. See Manage security roles.
In addition to security roles and policies, Web services can be secured by additional techniques. See Securing WebLogic Web Services.

Administration Console Online Help

Create policies for resource instances