This chapter describes how to set up and manage the Oracle Communications Services Gatekeeper administrative users.
Services Gatekeeper classifies its users as either Traffic users or Management users.
Traffic users are users (application instances) who use the application-facing interfaces to send traffic through Services Gatekeeper. Traffic users cannot log in to the Administration Console or perform any management operations.
Management users are users who have access to and can perform management and administration functions. Management users are identified by their user type. Each management user is also assigned a user level.
The PRM Portals create these users when you create users, groups, APIs, applications, and network service suppliers. Oracle recommends that you use either the PRM Portals or the MBeans listed in this chapter to create users for a Services Gatekeeper implementation, but not both, to avoid unintentionally invalidating user accounts.
The Services Gatekeeper installation process creates default user groups in the WebLogic Server Embedded LDAP server. Table 8-1 lists the names of the default user groups, their membership criteria, and classification of user roles.
Table 8-1 User Groups and Privileges

| User Group Name | Membership and Privileges | Role |
|---|---|---|
| Traffic User | All application instances belong to this group. | TrafficUser |
| OamUser | Management users who are of OAM type | OamUser |
| PrmUser | Management users who are of PRM type | PrmUser |
Each group contains a user or set of users and is associated with a security role. Groups are generally static; they do not change at run time. A basic role condition can include users or user groups in a particular security role. For example: set Admin Role to all users in Administrators group. A policy contains one or more conditions. For example, a simple policy can be Allow access if the user belongs to Admin Role.
Roles are evaluated at run time by the Role Mapping Provider by checking the authenticated subject.
In a Services Gatekeeper production environment, Services Gatekeeper handles traffic from application instances (traffic users). When an application instance sends a Simple Object Access Protocol (SOAP) request to the application-facing interfaces, the WebLogic network gatekeeper (WLNG) Application Authenticator authenticates the application instance. Upon successful authentication, the WLNG Application Authenticator adds the Traffic User group, the service provider ID, application ID, service provider group ID, and application group ID to the user principal (identity in the realm). That identity determines the access rights of the application instance in the system.
When management users log in successfully to a Services Gatekeeper Administration Console, they are added to the OamUser group with predefined access rights to the system.
Following are the predefined management user types:

- Administrative users use the Administration Console or Java Management Extensions (JMX) to interact with Services Gatekeeper.
- PRM operator users use the Partner Relationship Management (PRM) Operator web services interfaces to interact with Services Gatekeeper.
- PRM service provider users use the PRM Service Provider web services interfaces to interact with Services Gatekeeper.
- PRM Network Service Supplier users use the PRM Network Service Supplier Portal to create interfaces.
When creating a management user, the user is mapped to the WebLogic Server authentication provider WLNG Operation, Administration, and Maintenance (OAM) Authenticator.
Management users are assigned different user levels based on which JMX resources they will be able to access. Table 8-2 lists the access privileges associated with user levels on Services Gatekeeper and WebLogic Server.
Table 8-2 User Levels and Privileges

| User Level | Access on Services Gatekeeper | Access on WebLogic Server |
|---|---|---|
| 1000 | Administration access to management functions | Administration access |
| 666 | Read/write access on management functions | Deployer access |
| 333 | Read-only access on management functions | Monitor access |
| 0 | No access to management functions; assigned to PRM Service Provider users internally. | Anonymous access: no access to the console |
As a system administrator, you belong to a group of administrative users who manage Services Gatekeeper and its users. Table 8-3 provides an overview of the operations that administrative users employ to oversee the users of their Services Gatekeeper installation.
Table 8-3 Operations Associated with Management Tasks

| To... | Use this Method in ManagementUserMBean |
|---|---|
| Create an administrative user | addUser |
| Change password | changeUserPassword |
| Delete an administrative user | deleteUser |
| Get user level | getUserDescription |
| List administrative users | listUsers |
For details of these methods, see the "All Classes" section of Services Gatekeeper OAM Java API Reference.
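The operations in Table 8-3 driven from a JMX client, as an added example that is not Oracle's code: it creates a read-only (level 333) user with addUser, confirms the stored level with getUserDescription before the account is handed out, and then lists the management users so the result can be reconciled against the expected inventory. The MBean ObjectName, the Runtime MBean Server path and the method parameter lists are assumptions; take the real values from the Administration Console and the OAM Java API Reference.

```java
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;
// Added example (not Oracle's code): create a read-only management user (level 333) through
// ManagementUserMBean over JMX and verify the stored level before the account is handed out.
public class ProvisionMonitorUser {
    // PLACEHOLDER ObjectName: copy the real one from the Administration Console
    // (OCSG > AdminServer > Container Services > ManagementUsers).
    static final String MBEAN_NAME =
        "com.bea.wlcp.wlng:Name=wlng,InstanceName=ManagementUsers,Type=ManagementUserMBean";
    // Table 8-2: 333 = read-only access on management functions (Monitor on WebLogic Server).
    static final int READ_ONLY_LEVEL = 333;
    public static void main(String[] args) throws Exception {
        String host = args[0], adminUser = args[2], adminPassword = args[3];
        String newUser = args[4], newPassword = args[5];
        int port = Integer.parseInt(args[1]);
        // Standard WebLogic t3 JMX connection; the Runtime MBean Server path is an assumption.
        JMXServiceURL url = new JMXServiceURL("t3", host, port,
                "/jndi/weblogic.management.mbeanservers.runtime");
        Map<String, Object> env = new HashMap<>();
        env.put(Context.SECURITY_PRINCIPAL, adminUser);
        env.put(Context.SECURITY_CREDENTIALS, adminPassword);
        env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, "weblogic.management.remote");
        JMXConnector connector = JMXConnectorFactory.connect(url, env);
        try {
            MBeanServerConnection conn = connector.getMBeanServerConnection();
            ObjectName mbean = new ObjectName(MBEAN_NAME);
            // ASSUMED signature: addUser(String userName, String password, int userLevel).
            conn.invoke(mbean, "addUser", new Object[] {newUser, newPassword, READ_ONLY_LEVEL},
                    new String[] {"java.lang.String", "java.lang.String", "int"});
            // ASSUMED: getUserDescription(String userName) returns text containing the user level.
            Object desc = conn.invoke(mbean, "getUserDescription", new Object[] {newUser},
                    new String[] {"java.lang.String"});
            if (desc == null || !desc.toString().contains(Integer.toString(READ_ONLY_LEVEL))) {
                throw new IllegalStateException("Unexpected level for " + newUser + ": " + desc);
            }
            // ASSUMED: listUsers() takes no parameters; reconcile the result against your inventory.
            System.out.println("Management users: "
                    + conn.invoke(mbean, "listUsers", new Object[0], new String[0]));
        } finally {
            connector.close();
        }
    }
}
```

Run it with the WebLogic client library (wlthint3client.jar or wlfullclient.jar) on the classpath; if the level check fails, the account was created with different privileges than intended and should be corrected with deleteUser or the console before it is used.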
As an administrator you can restrict access to a subset of management interfaces by applying eXtensible Access Control Markup Language (XACML) policies.
To apply these policies to add more granular access control:

1. Add a new management user.
2. Create a user group.
3. Add the user to the user group.
4. Add an XACML policy to assign a role to the group.
5. Add an XACML policy to the user group. Restrict access at the desired level, such as the MBean, MBean attribute, or MBean operation level. See "Understanding WebLogic Resource Security" in Securing Resources Using Roles and Policies for Oracle WebLogic Server for a detailed description of this process.
The basic process includes:

1. Determine a special identifier, the resourceId, for each MBean.
2. Create an XACML policy for the new security role.
3. Specify one or more rule elements that define which users, groups, or roles belong to the new security role.
4. Attach this role to the MBean using the resourceId.
You access the ManagementUserMBean and ManagementUserGroupMBean MBeans from the Administration Console (OCSG > AdminServer > Container Services > ManagementUsers).
For more information, see the entries for ManagementUserMBean and ManagementUserGroupMBean, in the "All Classes" section of Services Gatekeeper OAM Java API Reference.