This appendix describes role-based access and the privileges granted to users with the administrator, operator, and monitor roles when they access Oracle SOA Suite pages in Oracle Enterprise Manager Fusion Middleware Control.
For information about how to create roles, add users to groups, and secure resources with roles and policies, see Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server and the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help. Click the Contents link in the Console Help to access procedures for performing the above-mentioned tasks.
Oracle Enterprise Manager Fusion Middleware Control supports the notion of role-based access. Users are mapped to different roles; each role corresponds to a different set of privileges. Using this mechanism, you can provision certain users with simple monitoring privileges (for instance view-only access), while administrators can be granted full access, including the ability to update configurations, restart servers, and so on.
The following roles have been defined for Oracle WebLogic Server in Oracle Enterprise Manager Fusion Middleware Control:
Administrator
This role provides complete management and monitoring capabilities.
Operator
This role provides restricted management capabilities.
Monitor
This role provides read-only capabilities.
The actions that you can perform in Oracle Enterprise Manager Fusion Middleware Control are protected using Oracle WebLogic Server enterprise roles (Monitor, Operator, and Administrator). To obtain the appropriate behavior in Oracle Enterprise Manager Fusion Middleware Control, you must correctly map either the user or enterprise role to the Oracle SOA Suite application role.
The following mappings are typically valid:
Oracle WebLogic Server Monitor enterprise role to SOAMonitor application role
Oracle WebLogic Server Operator enterprise role to SOAOperator application role
Oracle WebLogic Server Administrator enterprise role to SOAAdmin application role
Mapping the Oracle WebLogic Server enterprise role to the Oracle SOA Suite application role gives the same access to all users in that Oracle WebLogic Server enterprise role, while mapping a single user to the SOA application role restricts that access to the given user only.
Notes:
There is no default mapping of the SOAMonitor and SOAOperator roles to Oracle WebLogic Server groups or users. These roles must be manually mapped in Oracle Enterprise Manager Fusion Middleware Control. For instructions, see Section 5.2, "Mapping the SOAOperator and SOAMonitor Roles to Oracle WebLogic Server Groups or Users."
You need both the Oracle WebLogic Server enterprise role (for example, Oracle WebLogic Server Monitor) and the Oracle SOA Suite application role (for example, SOAMonitor) to use Oracle Enterprise Manager Fusion Middleware Control. If you have only one of these roles, Oracle Enterprise Manager Fusion Middleware Control does not work properly.
Exercise care when mapping Oracle SOA Suite application roles to Oracle WebLogic Server groups or users. For example, if a user with the Oracle WebLogic Server Monitor role is mapped to the SOAOperator role, they have deployment permissions on the back end of Oracle SOA Suite, but cannot deploy composites in Oracle Enterprise Manager Fusion Middleware Control. This is because Oracle Enterprise Manager Fusion Middleware Control identifies the user as having the Oracle WebLogic Server Monitor role, meaning that the deployment option is disabled.
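The pairing rules in the notes above can be checked mechanically. The following is an added example, not Oracle code: it audits constructed sample users and groups (every name and membership is an assumption, as is ranking the roles Monitor < Operator < Administrator) and flags users who hold only one of the two roles or whose application role does not match their enterprise role.

```python
# Added example: audit enterprise-role / application-role pairing.
# All users, groups and memberships below are constructed sample data.

# Assumed privilege order; equal ranks are the pairings the appendix lists.
RANK = {"Monitor": 1, "Operator": 2, "Administrator": 3}
APP_RANK = {"SOAMonitor": 1, "SOAOperator": 2, "SOAAdmin": 3}

# Constructed sample: group membership and enterprise role granted per group.
GROUP_MEMBERS = {
    "Monitors": {"alice", "dave"},
    "Operators": {"bob"},
    "Administrators": {"carol"},
}
ENTERPRISE_ROLE_OF_GROUP = {"Monitors": "Monitor", "Operators": "Operator",
                            "Administrators": "Administrator"}
# Constructed sample: application-role members, either groups or single users.
APP_ROLE_MEMBERS = {
    "SOAMonitor": {"Monitors"},       # whole group mapped
    "SOAOperator": {"dave"},          # one user mapped directly
    "SOAAdmin": {"Administrators"},
}

def highest(roles, rank):
    """Return the most privileged role in `roles`, or None if it is empty."""
    return max(roles, key=rank.get) if roles else None

def audit():
    """Map each user to (status, enterprise role, application role)."""
    users = set().union(*GROUP_MEMBERS.values())
    users |= {m for ms in APP_ROLE_MEMBERS.values() for m in ms
              if m not in GROUP_MEMBERS}
    findings = {}
    for user in sorted(users):
        groups = {g for g, ms in GROUP_MEMBERS.items() if user in ms}
        ent = highest({ENTERPRISE_ROLE_OF_GROUP[g] for g in groups}, RANK)
        app = highest({r for r, ms in APP_ROLE_MEMBERS.items()
                       if user in ms or groups & ms}, APP_RANK)
        if ent is None or app is None:
            status = "incomplete"     # both roles are required
        elif APP_RANK[app] == RANK[ent]:
            status = "ok"
        else:                         # e.g. Monitor mapped to SOAOperator
            status = "app-role-higher" if APP_RANK[app] > RANK[ent] else "app-role-lower"
        findings[user] = (status, ent, app)
    return findings

if __name__ == "__main__":
    print(audit())
```

In the sample data, bob is reported as incomplete because SOAOperator has no default mapping to any group, and dave is reported as app-role-higher because a direct user mapping to SOAOperator sits on top of his Monitor enterprise role.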
Table C-1 lists the actions that users with the correct role mapping can perform.
Table C-1 Role Functionality Matrix
Actions | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|
View monitoring metrics | Yes | Yes | Yes |
View configurations | Yes | Yes | Yes |
Update configurations | No | No | Yes |
Handle fault actions | No | Yes | Yes |
Create instances using the Test Web Service page | Yes. Note: You can restrict the creation of composite test instances with OWSM policies. | Yes | Yes |
Start, stop, retire, and activate a composite | No | Yes | Yes |
Execute unit tests | No | Yes | Yes |
Attach and detach policies | No | No | Yes |
View instances, the flow trace, and the audit trail | Yes | Yes | Yes |
View audit trail payloads | Yes | Yes | Yes |
Delete instances | No | No | Yes |
Start and stop the SOA Infrastructure | No | Yes | Yes |
Perform deployment options (deploy, undeploy, and redeploy) | No | Yes | Yes |
Modify composite properties (enable payload and audit level) | No | Yes | Yes |
Create partitions | No | No | Yes |
Delete partitions | No | No | Yes |
Bulk composite lifecycle management (start all, stop all, retire all, and activate all) | No | Yes | Yes |
Note:
When you select the WebLogic Domain folder in the navigator, the WebLogic Domain menu is displayed at the top of the page. The Application Deployment option in this menu enables you to deploy Java EE applications if you have the administrator role. A user with the operator role cannot deploy Java EE applications.
Table C-2 lists the lowest role that a user must have to access this page and the privileges that a user with the correct role mapping has on this page.
Table C-2 SOA Infrastructure Page
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Deployed Composites tab | Monitor Operator Operator Operator Operator | Yes No No No No | Yes Yes Yes Yes Yes | Yes Yes Yes Yes Yes |
View Instances tab | Monitor Administrator Administrator | Yes No No | Yes No No | Yes Yes Yes |
View Faults and Rejected Messages tab | Monitor Operator Administrator | Yes No No | Yes Yes No | Yes Yes Yes |
Table C-3 lists the lowest role that a user must have to access the options on this menu and the privileges that each role mapping has on the menu options.
Table C-3 SOA Infrastructure Menu
Menu Items | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
Control | Operator | No | Yes | Yes |
SOA Deployment | Operator | No | Yes | Yes |
Logs > Log Configuration | Administrator | No | No | Yes |
Other menu items | Monitor | Yes | Yes | Yes |
Table C-4 lists the lowest role that a user must have to access the options on this menu and the privileges that each role mapping has on the menu options.
Table C-5 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor Operator Operator Operator Operator | Yes Yes No No No | Yes Yes Yes Yes Yes | Yes Yes Yes Yes Yes |
View Instances tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
View Faults tab | Monitor Operator Administrator | Yes No No | Yes Yes No | Yes Yes Yes |
View Unit Test tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
View Policies tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
Table C-6 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-6 BPEL Process Service Engine
Menu Items | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Statistics tab | Monitor | Yes | Yes | Yes |
View Instances tab | Monitor | Yes | Yes | Yes |
View Faults tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
View Deployed Components tab | Monitor | Yes | Yes | Yes |
Message Recovery tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
View Configuration (Properties page) | Monitor Administrator Administrator | Yes No No | Yes No No | Yes Yes Yes |
Table C-7 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-7 Mediator Service Engine
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Statistics tab | Monitor | Yes | Yes | Yes |
View Instances tab | Monitor | Yes | Yes | Yes |
View Faults tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
View Deployed Components tab | Monitor | Yes | Yes | Yes |
View Configuration (Properties page) | Monitor | Yes | Yes | Yes |
Apply button | Administrator | No | No | Yes |
Table C-8 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-8 Human Workflow Service Engine
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Statistics tab | Monitor | Yes | Yes | Yes |
View Instances tab | Monitor | Yes | Yes | Yes |
View Faults tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
View Deployed Components tab | Monitor | Yes | Yes | Yes |
View Notification Management tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
Configuration (Properties page) | Monitor Administrator | Yes No | Yes No | Yes Yes |
Table C-9 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-9 Business Rules Service Engine
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Instances tab | Monitor | Yes | Yes | Yes |
View Faults tab | Monitor | Yes | Yes | Yes |
View Deployed Components tab | Monitor | Yes | Yes | Yes |
Table C-10 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-10 BPEL Process Service Component Home Page
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Instances tab | Monitor | Yes | Yes | Yes |
View Faults tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
View Policies tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
Table C-11 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-11 Mediator Service Component Home Page
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Instances tab | Monitor | Yes | Yes | Yes |
View Faults tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
View Policies tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
Table C-12 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-12 Human Task Service Component Home Page
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Instances tab | Monitor | Yes | Yes | Yes |
View Faults tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
View Policies tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
View Administration tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
Table C-13 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-13 Decision Service Component Home Page
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Instances tab | Monitor | Yes | Yes | Yes |
View Faults tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
View Policies tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
Table C-14 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-15 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Audit Trail tab | Monitor Monitor | Yes Yes | Yes Yes | Yes Yes |
View Flow Debug tab | Monitor | Yes | Yes | Yes |
View Sensors tab | Monitor | Yes | Yes | Yes |
View Fault Recovery tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
Table C-16 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Policies tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
View Faults tab | Monitor Administrator | Yes No | Yes No | No Yes |
View Properties | Monitor Administrator Administrator | Yes No No | Yes No No | Yes Yes Yes |
Table C-17 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-17 References Home Page
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Dashboard tab | Monitor | Yes | Yes | Yes |
View Policies tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
View Faults tab | Monitor Administrator | Yes No | Yes No | Yes Yes |
View Properties | Monitor Administrator Administrator | Yes No No | Yes No No | Yes Yes Yes |
Table C-18 lists the lowest role that a user must have to access these pages and the privileges that each role mapping has on these pages.
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View B2B Configuration page | Monitor Administrator | Yes No | Yes No | Yes Yes |
View B2B Bindings page | Monitor | Yes | Yes | Yes |
Table C-19 lists the lowest role that a user must have to access this page and the privileges that each role mapping has on this page.
Table C-19 Business Events Page
Page Elements | Lowest Role for Accessing | With Monitor to SOAMonitor Mapping Set | With Operator to SOAOperator Mapping Set | With Administrator to SOAAdmin Mapping Set |
---|---|---|---|---|
View Events tab | Monitor Administrator Monitor | Yes No Yes | Yes No Yes | Yes Yes Yes |
View Subscriptions tab | Monitor Administrator Administrator | Yes No No | Yes No No | Yes Yes Yes |
View Faults tab | Monitor Operator | Yes No | Yes Yes | Yes Yes |
Table C-20 lists the lowest role that a user must have to access this browser and the privileges that each role mapping has on this page.