4 Managing Users in Oracle API Manager

This chapter describes managing users in Oracle API Manager.

The following topics are covered:

• Managing Users

• Next Steps

4.1 Managing Users

API Manager users are managed using Fusion Middleware Control. An administrative user creates groups in Fusion Middleware Control, maps application roles to these groups, creates users, and then assigns users to groups.

Use this URL to log onto Fusion Middleware Control:

http://administration_server_host:administration_server_port/em

The Administration Server host and port number were in the URL on the Configuration Success screen (Writing Down Your Domain Home and Administration Server URL). The default Administration Server port number is 7001.

Note:

The tasks in this section describe creating users and assigning roles using Fusion Middleware Control. You can also use an LDAP Authentication provider to manage users. See "Configuring LDAP Authentication Providers" in Administering Security for Oracle WebLogic Server for more information.

4.1.1 Creating an Edit Session

Before completing the rest of the tasks in this chapter, you may have to create an Edit Session and lock the session before you can create users and groups using Fusion Middleware Control.

See the online help for Fusion Middleware Control for more information about Edit Sessions.

To create an edit session:

1. From Fusion Middleware Control, click the Changes arrow, and then click Edit Sessions, as shown in the following figure:
   
   Description of the illustration edit-session.png
2. From the Edit Sessions dialog, click Create.
3. From the Create a New Edit Session dialog, enter a name for the session into the Name field, and then click Create.
4. Select the session you just created and click Switch Edit Session. If prompted, click Switch Edit Session on the dialog that appears.
   The edit session is now active.
5. To lock the session and edit the configuration, click the Changes arrow, and then click Lock and Edit.

You can now create users and groups, as described in the remaining tasks in this chapter.

When finished, complete the steps described in Create Groups for API Manager Roles.

4.1.2 Create Groups for API Manager Roles

Use Fusion Middleware Control to create groups that map to the API Manager roles.

See Understanding User Roles in Oracle API Manager for additional information about the API Manager user roles.

You must complete this task multiple times to create the following groups:

• API Admins

• API Consumers

• API Curators

• API Developers

You do not need to create groups for the following Service Bus groups, which are available OOTB:

• Administrators

• Deployers

• Monitors

To create a group:

1. Log in to Fusion Middleware Control as a user with administrator privileges.
2. In the Target Navigator, expand WebLogic Domain, and right-click the name of your domain. Navigate to Security > Users and Groups to display the Users and Groups page.
3. Click the Groups tab.
4. Click Create.
5. From the Create a New Group page, define the following properties for the groups listed above:
   • Name (must be unique)
   • Description
   • Provider
6. Click Create.
7. Repeat steps 4 through 6 to create the remaining groups.

When finished, complete the task described in Creating API Manager Users.

4.1.3 Creating API Manager Users

You create API Manager users with Fusion Middleware Control.

You should create at least one user for each of the following roles:

• API Admins

• API Consumers

• API Curators

• API Developers

• Deployers

• Monitors

Caution:

Do not use any of the following characters in user names: ; , + = \ (double back-slashes can be used; for example smith\\). Do not begin a user name with a pound sign (#) or double quotes ("). Creating a user with any of the preceding invalid characters can corrupt the WebLogic domain.

To create API Manager users:

1. Log in to Fusion Middleware Control as a user with administrator privileges.
2. In the Target Navigator, expand WebLogic Domain, and right-click the name of your domain. Navigate to Security > Users and Groups to display the Users and Groups page
3. Click the Users tab.
4. Above the Users table click Create.
5. In the Name field of the Create New User dialog enter the login ID of the user.
6. Optionally, in the Description field, enter a short description to help identify the user.
7. In the Provider drop-down list, select the authentication provider for the user.
8. In the Password field, enter a password for the user. The password must be 8 characters or more.
9. Re-enter the password for the user in the Confirm Password field.
10. Click Create to save your changes.
11. Repeat steps 4 through 10 to create the remaining users.

The user names appear in the User table.

When finished, complete the task described in Assigning Users to Groups.

4.1.4 Assigning Users to Groups

You add users to the appropriate groups to grant role permissions associated with that group. For example, assign a user to the API Curator group to grant that user permissions associated with the API Curator role.

You should create at least one user for each role, and then add users to the groups that correspond with their intended roles:

• API Admins

• API Consumers

• API Curators

• API Developers

• Deployers

• Monitors

To add API Manager users to groups:

1. Log in to Fusion Middleware Control as a user with administrator privileges.
2. In the Target Navigator, expand WebLogic Domain, and right-click the name of your domain. Navigate to Security > Users and Groups to display the Users and Groups page.
3. Click the Users tab.
4. In the Users table, click the name of the user you created in Creating API Manager Users.
5. From the Setting for User page, click the Groups tab.
6. Select the groups to which you want to add the user and then click the right arrow to add them to the Chosen list. As an example, an API Curator user should be added to the API Curators group.
7. Click Save , and then click the Users and Groups links, as shown in the following figure, to return to the Users and Groups page.
   
   Description of the illustration users_and_groups.png
8. Repeat steps 4 through 7 for each user you created in Creating API Manager Users.

When finished, complete the task described in Add Groups to the Monitors Parent Group

4.1.5 Add Groups to the Monitors Parent Group

All users accessing the Service Bus console must be a member of the Monitors group. The easiest way to assign these users to the Monitors group is to add their parent groups to the Monitors group.

You must add these groups to the Monitors group:

• API Curators

• API Developers

• Deployers

Note:

All users accessing the Service Bus Console must be added to the Monitors parent group or to a group that is a member of the Monitors parent group. Ensure that you have completed this task if you hare having trouble accessing the Service Bus Console with an appropriate user.

To add groups to the Monitors parent group:

1. Log in to Fusion Middleware Control as a user with administrator privileges.
2. In the Target Navigator, expand WebLogic Domain, and right-click the name of your domain. Navigate to Security > Users and Groups to display the Users and Groups page.
3. Click the Groups tab.
4. Click the group you want to add to Monitors. As an example, click API Curators.
5. Click the Membership tab.
6. Select the Monitors group from the Available list, and then click the Right Arrow (>) icon to move the Monitors group to the Chosen list.
7. Click Save, and then click the Users and Groups link to return to the Users and Groups page.
8. Repeat steps 4 though 7 for each of the remaining groups.

When finished, complete the task described in Assign Application Roles to Groups Using Fusion Middleware Control.

4.1.6 Assign Application Roles to Groups Using Fusion Middleware Control

After you have created groups that correspond with the roles in API Manager, you must assign application roles to these groups. After completing this task, any users assigned to the specified groups will be granted the applicable application role.

To assign application roles to groups:

1. Log in to Fusion Middleware Control as a user with administrative privileges.
2. In the Target Navigator, expand WebLogic Domain, and right-click the name of your domain. Navigate to Security > Application Roles to display the Application Roles page.
3. Select Service_Bus_Console from the Application Stripe list, and then click the Search Application Roles icon.
4. Map the API Curator application role to the API Curator group:
   1. Select APICurator from the list of application roles, and then click Edit.
   2. From the Members region, click Add.
   3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
   4. Select the API Curators group, and then click OK to close the dialog.
   5. Click OK.
5. Map the Developer application role to the API Developer group:
   1. Select Developer from the list of application roles, and then click Edit.
   2. From the Members region, click Add.
   3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
   4. Select the API Developers group, and then click OK to close the dialog.
   5. Click OK.
6. Map the Deployer application role to the Deployers group:
   1. Select Deployer from the list of application roles, and then click Edit.
   2. From the Members region, click Add.
   3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
   4. Select the Deployers group, and then click OK to close the dialog.
   5. Click OK.
7. Map the Monitor application role to the Monitors group:
   1. Select Monitor from the list of application roles, and then click Edit.
   2. From the Members region, click Add.
   3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
   4. Select the Monitors group, and then click OK to close the dialog.
   5. Click OK.
8. Select API_Manager from the Application Stripe list, and then click the Search Application Roles icon.
9. Map the API Admin application role to the API Admin group:
   1. Select APIApplicationAdminsitrator from the list of application roles, and then click Edit.
   2. From the Members region, click Add.
   3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
   4. Select the API Admins group, and then click OK to close the dialog.
   5. Click OK.
10. Map the API Consumer application role to the API Consumer group:
    1. Select APIConsumer from the list of application roles, and then click Edit.
    2. From the Members region, click Add.
    3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
    4. Select the API Consumers group, and then click OK to close the dialog.
    5. Click OK.

    You do not need to assign application roles to the Administrator Service Bus group. This is done OOTB.

When finished, complete the task described in Release the Edit Session.

4.1.7 Release the Edit Session

When you have completed managing API Manager users, you must release the edit session. If you do not release the edit session, you risk future configuration changes that conflict with those made in the current edit session.

To release the edit session, click the Changes arrow, and then select one of the following:

• Release Configuration: select if you have made no changes to the configuration other than those described in this chapter.

• Activate Changes: select if you have made other changes to the configuration.

4.2 Next Steps

See Using Oracle API Manager for information about curating APIs using Oracle Service Bus, discovering and using APIs from the API Manager Portal, and administering API Manager.