3 Managing Users and User Groups

This chapter describes how to set up and manage the Oracle Communications Services Gatekeeper administrative users.

About Services Gatekeeper Users and User Groups

Services Gatekeeper classifies its users as either Traffic users or Management users.

  • Traffic users are users (application instances) that use the application-facing interfaces to send traffic through Services Gatekeeper. Traffic users cannot log in to the Administration Console or perform any management operations.

  • Management users are users who have access to and can perform management and administration functions. Management users are identified by their user type. Each management user is also assigned a user level.

The PRM portals create these users when you create users, groups, APIs, applications, and network service suppliers. Oracle recommends that you create the users of a Services Gatekeeper implementation with either the PRM portals or the MBeans listed in this chapter, but not both, to avoid unintentionally invalidating user accounts.

The Services Gatekeeper installation process creates default user groups in the WebLogic Server Embedded LDAP server. Table 3-1 lists the names of the default user groups, their membership criteria, and classification of user roles.

Table 3-1 User Groups and Privileges

User Group Name: Traffic User
Role: TrafficUser
Membership and Privileges: All application instances belong to this group.

  • They should be able to just send traffic and should not have access to management functions.

  • They should not have access to WebLogic Server or Services Gatekeeper MBeans.

  • They should not be able to log into the console and perform WebLogic Server administration operations.

User Group Name: OamUser
Role: OamUser
Membership and Privileges: Management users who are of OAM type.

  • They have access to the console based on their level.

  • They should not be able to send traffic.

User Group Name: PrmUser
Role: PrmUser
Membership and Privileges: Management users who are of PRM type.

  • They should not have access to the console.

  • They should perform their management operations using the PRM interfaces.


About User and Group Roles in the Production Environment

Each group contains a user or set of users and is associated with a security role. Groups are generally static; they do not change at run time. A basic role condition can include users or user groups in a particular security role; for example, assign the Admin role to all users in the Administrators group. A policy contains one or more conditions; for example, a simple policy can be "Allow access if the user belongs to the Admin role."

Roles are evaluated at run time by the Role Mapping Provider by checking the authenticated subject.

In a Services Gatekeeper production environment, Services Gatekeeper handles traffic from application instances (traffic users). When an application instance sends a Simple Object Access Protocol (SOAP) request to the application-facing interfaces, the WebLogic network gatekeeper (WLNG) Application Authenticator authenticates the application instance. Upon successful authentication, the WLNG Application Authenticator adds the Traffic User group, the service provider ID, application ID, service provider group ID, and application group ID to the user principal (identity in the realm). That identity determines the access rights of the application instance in the system.

When management users log in successfully to a Services Gatekeeper Administration Console, they are added to the OamUser group with predefined access rights to the system.

User Types

Following are the predefined management user types:

  • Administrative users use the Administration Console or Java Management Extensions (JMX) to interact with Services Gatekeeper.

  • PRM operator users use the Partner Relationship Management (PRM) Operator web services interfaces to interact with Services Gatekeeper.

  • PRM service provider users use the PRM Service Provider web services interfaces to interact with Services Gatekeeper.

  • PRM Network Service Supplier users use the PRM Network Service Supplier Portal to create interfaces.

When you create a management user, the user is mapped to the WebLogic Server authentication provider WLNG Operation, Administration, and Maintenance (OAM) Authenticator.

About User Levels

Management users are assigned different user levels based on which JMX resources they will be able to access. Table 3-2 lists the access privileges associated with user levels on Services Gatekeeper and WebLogic Server.

Table 3-2 User Levels and Privileges

User Level: 1000
Access on Services Gatekeeper: Administration access to management functions.
Access on WebLogic Server: Administration access:

  • View, modify, and administer server configuration.

  • Deploy applications.

  • Start, resume, and stop servers.

User Level: 666
Access on Services Gatekeeper: Read/write access on management functions.
Access on WebLogic Server: Deployer access:

  • View the server configuration, including some encrypted attributes related to deployment activities.

  • Change startup and shutdown classes, Web applications, JDBC data pool connections, EJB, Java EE Connector, and web service. If applicable, edit deployment descriptors.

  • Access deployment operations in the Java EE Deployment Implementation (JSR-88).

User Level: 333
Access on Services Gatekeeper: Read-only access on management functions.
Access on WebLogic Server: Monitor access:

  • View the server configuration.

  • Have read-only access to the Administration Console, WLST, and other MBean APIs.

User Level: 0
Access on Services Gatekeeper: No access to management functions; assigned to PRM Service Provider users internally.
Access on WebLogic Server: Anonymous access: no access to the console.


About User Management Methods

As a system administrator, you belong to a group of administrative users who manage Services Gatekeeper and its users. Table 3-3 provides an overview of the operations that administrative users employ to oversee the users of their Services Gatekeeper installation.

Table 3-3 Operations Associated with Management Tasks

To...                          Use this Method in ManagementUserMBean
Create an administrative user  addUser
Change password                changeUserPassword
Delete an administrative user  deleteUser
Get user level                 getUserDescription
List administrative users      listUsers


For details of these methods, see the "All Classes" section of Services Gatekeeper OAM Java API Reference.

Managing Access Privileges Through Policies

As an administrator you can restrict access to a subset of management interfaces by applying eXtensible Access Control Markup Language (XACML) policies.

To apply these policies to add more granular access control:

  1. Add a new management user.

  2. Create a user group.

  3. Add the user to the user group.

  4. Add an XACML policy to assign a role to the group.

  5. Add an XACML policy to the user group. Restrict access at the desired level, such as the MBean, MBean attribute, or MBean operation level. See "Understanding WebLogic Resource Security" in Oracle WebLogic Server Securing Resources Using Roles and Policies for Oracle WebLogic Server for a detailed description of this process.

    The basic process includes:

    • Determine a special identifier, the resourceId, for each MBean.

    • Create an XACML policy for the new security role.

    • Specify one or more rule elements that define which users, groups, or roles belong to the new security role.

    • Attach this role to the MBean using the resourceId.
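The following policy is an added example in the XACML form that WebLogic Server's XACML providers read; it is not from this page or from Services Gatekeeper. It illustrates step 5: the resourceId names one MBean operation (here addUser on ManagementUserMBean), a Permit rule matches subjects that carry the group created in step 2, and a final Deny rule turns everyone else away. The group name UserAdmins, the PolicyId and the package prefix in mbeanType are placeholders; the real fully qualified MBean class is not given on this page.

```xml
<!-- Added example; not part of the page or of Services Gatekeeper.
     PolicyId, the UserAdmins group and the PLACEHOLDER package are assumptions. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:ocsg:policy:management-user-adduser"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Only members of group UserAdmins may invoke ManagementUserMBean.addUser</Description>
  <Target>
    <Resources>
      <Resource>
        <!-- resourceId of a single JMX operation: type, operation, application, mbeanType, target.
             Matching on resource-ancestor-or-self also covers requests scoped below this resource. -->
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;jmx&gt;, operation=invoke, application=, mbeanType=PLACEHOLDER.ManagementUserMBean, target=addUser</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <!-- Permit when the authenticated subject's group list contains UserAdmins.
       With first-applicable, a match here ends evaluation before the Deny rule. -->
  <Rule RuleId="primary-rule" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">UserAdmins</AttributeValue>
        <SubjectAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:2.0:subject:group"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            MustBePresent="true"/>
      </Apply>
    </Condition>
  </Rule>
  <!-- Every other subject, including management users of other groups, is denied. -->
  <Rule RuleId="deny-rule" Effect="Deny"/>
</Policy>
```

To key the rule on the role assigned in step 4 rather than on group membership, use the subject attribute urn:oasis:names:tc:xacml:2.0:subject:role in place of subject:group with the role name as the AttributeValue.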

You access the ManagementUserMBean and ManagementUserGroupMBean MBeans from the Administration Console (OCSG, then AdminServer, then Container Services, then ManagementUsers).

For more information, see the entries for ManagementUserMBean and ManagementUserGroupMBean, in the "All Classes" section of Services Gatekeeper OAM Java API Reference.