To secure a resource in a WebLogic Server domain, you create a policy and an optional role. A resource is an entity (such as a Web Service or a server instance) or an action (such as a method in a Web Service or the act of shutting down a server instance). A policy specifies which users, groups, or roles can access the resource under a set of conditions. A security role, like a security group, grants an identity to a user. Unlike a group, however, membership in a role can be based on a set of conditions that are evaluated at runtime. For a list of all resource types, see Resource Types You Can Secure with Policies.
For most types of WebLogic resources, you use the Administration Console to define the security policies and roles that restrict access. However, for Web application and EJB resources, you can also use deployment descriptors. See Manage security for Web applications and EJBs.
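The deployment-descriptor route for a Web application, shown as an added example that is not taken from the original page: a `web.xml` constraint acts as the policy, and `weblogic.xml` maps the role to a principal. The role name `AppAdmin`, the group `AppAdministrators`, and the URL pattern `/admin/*` are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml (fragment): the constraint is the policy for /admin/* -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>AdminPages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- No http-method elements, so the constraint covers every HTTP method -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only callers in this role may access the resource -->
    <role-name>AppAdmin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require a protected transport (TLS) for these URLs -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<!-- Declare every role that is referenced in an auth-constraint -->
<security-role>
  <role-name>AppAdmin</role-name>
</security-role>

<!-- WEB-INF/weblogic.xml (fragment): map the role to a group in the security realm -->
<security-role-assignment>
  <role-name>AppAdmin</role-name>
  <!-- Hypothetical group name; use a group that exists in your realm -->
  <principal-name>AppAdministrators</principal-name>
</security-role-assignment>
```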
To use the Administration Console to secure a WebLogic resource: