Setting Up Required IAM Policy
The Set up policy feature creates the policies required to use WebLogic Management. These required policies must be set at the root compartment (tenancy) by a tenancy administrator; otherwise, WebLogic Management can't discover domains.
User groups, dynamic groups and IAM policies specify which users and services can access certain OCI resources. You must identify which WebLogic Management resources the service can manage and which users can manage those resources. To do this, define user groups, dynamic groups, and then set up the required IAM policy.
If you're new to policies, see Getting Started with Policies. If you have specific policy requirements or use cases, see Policies and Permissions for more information.
- Required policy statements
The Set up policy feature creates the following policy statements, which are required to use the service.
| Policy statement | Description |
| --- | --- |
| Allow group $USER_GROUP to manage instance-family in compartment id $COMPARTMENT_ID | Allows the user group to manage WebLogic Management plugin in the compartment and its subcompartments. |
| Allow group $USER_GROUP to read instance-agent-plugins in compartment id $COMPARTMENT_ID | Allows the user group to interact with the WebLogic Management plugin in the compartment and its subcompartments. |
| Allow group $USER_GROUP to manage wlms-family in compartment id $COMPARTMENT_ID | Allows the user group to manage all WebLogic Management resources in the compartment and its subcompartments. |
| Allow group $USER_GROUP to use wlms-config in tenancy | Allows the user group to read and update the WebLogic Management Service configuration for the tenancy. |
| Allow group $USER_GROUP to manage secrets in compartment id $COMPARTMENT_ID | Allows the user group to manage OCI secrets in the compartment and its subcompartments. |
| Allow dynamic-group $DYNAMIC_GROUP to read secret-bundles in compartment id $COMPARTMENT_ID | Allows the WebLogic Management plugin to read OCI secrets in the compartment and its subcompartments. |
| Allow dynamic-group $DYNAMIC_GROUP to use wlms-managed-instance-plugins in tenancy | Allows the WebLogic Management plugin to use the WebLogic Management service. |
| Allow resource wlms server-components to read instance-family in compartment id $COMPARTMENT_ID | Allows the WebLogic Management plugin to check the status of OCI instances. |
- Set up policies
- Verify you have the manage policies in tenancy permission. If you only have read or use permissions, you get an authorization error.
- Overview.
- Under List scope, select the compartment that contains the WebLogic domains running on OCI managed instances.
- Click Set up policy.
- In the Set up policy panel, provide the required information:
  - Policy name: Accept the default name or enter a friendly name for the policy.
  - Target compartment: Select the compartment to grant permissions to use the service.
  - Identity domain: Select the identity domain where the user group and dynamic group reside.
  - User group: Select a user group to grant permission to use the service.
  - Dynamic group: Select a dynamic group to grant permissions to use the service.
Note
If you are not ready or do not have permission to set up the policies, click Copy policy statements. Then, use these statements to manually create the required policies or give them to the tenancy administrator.
- Click Set up.
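For the manual path (Copy policy statements), it helps to fill in the placeholders and compare an existing policy against the required set before handing it to the tenancy administrator. The following Python is an added example, not Oracle's code; the function names, group names, and compartment OCID are constructed for illustration.

```python
# Added example: render and audit the required WebLogic Management statements.
# Templates are copied from the table on this page; all values are constructed.
REQUIRED_TEMPLATES = [
    "Allow group $USER_GROUP to manage instance-family in compartment id $COMPARTMENT_ID",
    "Allow group $USER_GROUP to read instance-agent-plugins in compartment id $COMPARTMENT_ID",
    "Allow group $USER_GROUP to manage wlms-family in compartment id $COMPARTMENT_ID",
    "Allow group $USER_GROUP to use wlms-config in tenancy",
    "Allow group $USER_GROUP to manage secrets in compartment id $COMPARTMENT_ID",
    "Allow dynamic-group $DYNAMIC_GROUP to read secret-bundles in compartment id $COMPARTMENT_ID",
    "Allow dynamic-group $DYNAMIC_GROUP to use wlms-managed-instance-plugins in tenancy",
    "Allow resource wlms server-components to read instance-family in compartment id $COMPARTMENT_ID",
]

def render(user_group, dynamic_group, compartment_id):
    """Fill the three placeholders in every required statement."""
    values = {"$USER_GROUP": user_group, "$DYNAMIC_GROUP": dynamic_group,
              "$COMPARTMENT_ID": compartment_id}
    for name, value in values.items():
        # Reject values that could leave a placeholder or span two statements.
        if not value or "$" in value or "\n" in value or "\r" in value:
            raise ValueError(f"bad value for {name}: {value!r}")
    rendered = []
    for statement in REQUIRED_TEMPLATES:
        for name, value in values.items():
            statement = statement.replace(name, value)
        rendered.append(statement)
    return rendered

def _norm(statement):
    # Assumption of this example: only whitespace differences are ignored.
    return " ".join(statement.split())

def audit(existing, user_group, dynamic_group, compartment_id):
    """Return (missing, extra) statements relative to the required set."""
    required = render(user_group, dynamic_group, compartment_id)
    have = {_norm(s) for s in existing}
    need = {_norm(s) for s in required}
    missing = [s for s in required if _norm(s) not in have]
    extra = [s for s in existing if _norm(s) not in need]
    return missing, extra

if __name__ == "__main__":
    args = ("WLSAdmins", "WLSInstances", "ocid1.compartment.oc1..exampleID")
    pasted = render(*args)[:5] + ["Allow group WLSAdmins to manage all-resources in tenancy"]
    missing, extra = audit(pasted, *args)
    print("missing:", *missing, sep="\n  ")
    print("not required (review):", *extra, sep="\n  ")
```

Statements reported as not required are the ones to review for least privilege, since they grant more than the service needs.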