17 Securing Oracle BAM

This chapter describes how to create users, groups, and roles with different levels of access to Oracle Business Activity Monitoring (Oracle BAM). It also describes how to configure security for Oracle BAM in Oracle WebLogic Server.

17.1 Understanding Oracle BAM Security

Oracle BAM security depends on Oracle WebLogic Server security.

Oracle BAM users and groups are created in the Oracle WebLogic Server Administration Console. Roles that correspond to and grant default permissions to BAM groups are defined in Oracle Enterprise Manager Fusion Middleware Control.

17.2 Understanding Oracle BAM Permissions

Each entity in Oracle BAM has permissions that can be assigned to BAM users. All entities that are part of a project inherit the project permissions by default. Data object security includes metadata security and data (row) security.

Permissions for BAM entities are as follows:

  • Read — Permission to view the entity, or the metadata of a data object.

  • Write — Permission to edit the entity, or the metadata of a data object. Write permission automatically includes Read permission.

  • Remove — Permission to delete the entity.

  • Select — Permission to select, or read, the data in a data object. Applies only to data objects.

    This is the minimum permission needed for using a data object in business queries, business views, dashboards, and other Designer entities.

  • Delete — Permission to delete data object rows. Applies only to data objects.

  • Update — Permission to update or insert data object rows. Applies only to data objects.

  • Security — Permission to set these permissions for other users of this entity.

Permissions can be granted or denied. All granted permissions are combined using OR logic during runtime authorization: if a user has multiple roles and any one of those roles is granted a permission on an entity, the user has that permission on the entity.

However, an Administrator user or the entity owner can explicitly deny a permission to a specific role. Denied permissions are combined using AND logic during runtime authorization, and a denial overrides any grant: if any of the user's roles is denied a permission on an entity, the user does not have it, even if the user's other roles grant it.
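
The combination rules above, written out as an added example (not Oracle's code): grants are OR-ed across a user's roles, an explicit deny on any role overrides every grant, Write implies Read, and Select is the minimum permission for using a data object in Designer entities. The ACL, the role names DataStewards and Contractors, and the data object "Orders" are constructed for illustration.

```python
"""Model of Oracle BAM runtime authorization across roles.

Added example, not Oracle's code. The ACL and role names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

PERMISSIONS = {"Read", "Write", "Remove", "Select", "Delete", "Update", "Security"}
DATA_OBJECT_ONLY = {"Select", "Delete", "Update"}
IMPLIED = {"Write": {"Read"}}  # Write automatically includes Read


def expand(perms: set[str]) -> set[str]:
    """Return perms plus the permissions they imply."""
    out = set(perms)
    for p in perms:
        out |= IMPLIED.get(p, set())
    return out


@dataclass
class EntityAcl:
    """Per-role grants and denies on one BAM entity (constructed model)."""
    name: str
    is_data_object: bool = False
    granted: dict[str, set[str]] = field(default_factory=dict)  # role -> perms
    denied: dict[str, set[str]] = field(default_factory=dict)   # role -> perms


def decide(user_roles: set[str], acl: EntityAcl, permission: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one permission check.

    Denies are evaluated first so that a deny on any role wins regardless of
    what the user's other roles grant. Denies are matched exactly: the text
    does not say that denying Write also denies Read, so no implication is
    applied to them.
    """
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    if permission in DATA_OBJECT_ONLY and not acl.is_data_object:
        return False, f"{permission} applies only to data objects"
    for role in sorted(user_roles):
        if permission in acl.denied.get(role, set()):
            return False, f"denied to role {role}"
    for role in sorted(user_roles):
        if permission in expand(acl.granted.get(role, set())):
            return True, f"granted by role {role}"
    return False, f"no role grants {permission}"


def can_use_in_designer(user_roles: set[str], acl: EntityAcl) -> bool:
    """Select is the minimum permission for using a data object in
    business queries, business views and dashboards."""
    return acl.is_data_object and decide(user_roles, acl, "Select")[0]


# Constructed ACL for a data object named "Orders". BAMContentCreator holds
# the defaults that apply with DefaultDataAccess=on; DataStewards may edit
# the metadata and delete rows; Contractors are explicitly denied row changes.
ORDERS = EntityAcl(
    name="Orders",
    is_data_object=True,
    granted={
        "BAMContentCreator": {"Read", "Select", "Update"},
        "DataStewards": {"Write", "Delete"},
    },
    denied={"Contractors": {"Update", "Delete"}},
)

if __name__ == "__main__":
    for roles, perm in [
        ({"BAMContentCreator"}, "Select"),
        ({"BAMContentCreator", "Contractors"}, "Update"),
        ({"DataStewards"}, "Read"),
        ({"BAMUsers"}, "Read"),
    ]:
        print(sorted(roles), perm, decide(roles, ORDERS, perm))
```

The second case is the one to remember when troubleshooting: a user in BAMContentCreator and Contractors cannot update rows of "Orders" even though BAMContentCreator grants Update, because the deny on Contractors wins.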

17.3 Managing Oracle BAM Users

Oracle BAM provides user roles to control visibility and access. In addition to managing pre-defined user roles, you can also create your own.

17.3.1 Predefined Groups and Roles

Table 17-1 describes the predefined groups and roles in Oracle BAM. All BAM users must be in the BAMUsers group in addition to any other groups.

Table 17-1 Oracle BAM Predefined Security Groups and Roles

Group               Role                Description
BAMContentViewer    BAMContentViewer    Can view dashboards and alert history on the Home page.
BAMContentCreator   BAMContentCreator   Can perform all BAMContentViewer tasks. Can view data objects and create projects, dashboards, alerts, and all components thereof on the Designer page.
BAMArchitect        BAMArchitect        Can create and modify data objects and Enterprise Message Sources on the Administrator page.
BAMAdministrator    BAMAdministrator    Can perform all tasks of other roles. Can create and modify users, groups, roles, and permissions. Can modify the Oracle BAM system configuration.
BAMUsers            (none)              Can log in to Oracle BAM and view the Home page.

By default, users who are only in the BAMUsers group can log in but have no permissions. Also by default, users in the BAMContentViewer group and role have Read permissions.

The DefaultDataAccess property changes some default permissions. If set to off, users in the BAMContentViewer and BAMContentCreator groups do not have Read, Select, or Update permissions for data objects by default. If set to on, these groups do have these permissions by default. The property default is on. To set this property, see Configuring BAM Server MBean Properties.

17.3.2 Adding Users to Groups

You configure Oracle BAM users and assign them to groups in the Oracle WebLogic Server Administration Console. Assigning users to groups automatically assigns them to the corresponding roles.

For complete details, see Create Users and Add Users to Groups in the Oracle WebLogic Server Administration Console Online Help.

To add users and assign them to groups:

  1. Access the Oracle WebLogic Server console using a URL that includes the Oracle WebLogic Server hostname and the console port:
    http://wls-hostname:console-port/console
    

    For example:

    http://localhost:7011/console
    
  2. Log in using the Oracle WebLogic Server admin username and password.
  3. In the left pane of the Oracle WebLogic Server Administration Console, select Security Realms.
  4. On the Summary of Security Realms page, select the name of the realm (for example, myrealm).
  5. On the Settings for Realm Name page, select Users and Groups > Users.
  6. Click New.
  7. In the Name field of the Create New User page, enter a unique alphanumeric name for the user.
  8. In the Description field, enter a description. The description might be the user's full name. This is optional.
  9. In the Provider drop-down list, select DefaultAuthenticator.
  10. In the Password field, enter a password for the user.

    The minimum password length is 8 characters. Do not use the username/password combination weblogic/welcome1 in production.

  11. Re-enter the password for the user in the Confirm Password field.
  12. Click OK to save your changes.
  13. Click the name of the new user in the User table.
  14. On the Settings for User Name page, select Groups.
  15. Select the BAMUsers group and at least one other BAM group from the Available list box and move them to the Chosen list box. See Table 17-1 for descriptions of the BAM groups.
  16. Click Save.
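
A membership review that applies the rule in Table 17-1 and step 15 (every BAM user is in BAMUsers plus at least one BAM role group), as an added example that is not Oracle's code. MEMBERSHIPS is a constructed user-to-groups map standing in for a listing exported from the realm; the user names are invented.

```python
"""Least-privilege review of BAM group memberships in a WebLogic realm.

Added example, not Oracle's code. MEMBERSHIPS is constructed sample data.
"""
from __future__ import annotations

BAMUSERS = "BAMUsers"  # required for every BAM user
BAM_ROLE_GROUPS = {"BAMContentViewer", "BAMContentCreator", "BAMArchitect", "BAMAdministrator"}

# Constructed sample listing: user -> groups the user belongs to.
MEMBERSHIPS: dict[str, set[str]] = {
    "alice": {"BAMUsers", "BAMContentCreator"},
    "bob": {"BAMContentViewer"},                   # misconfigured: not in BAMUsers
    "carol": {"BAMUsers"},                         # can log in, has no permissions
    "dave": {"BAMUsers", "BAMAdministrator", "Administrators"},
    "erin": {"Deployers"},                         # not a BAM user at all
}


def is_valid_bam_user(groups: set[str]) -> bool:
    """Step 15 as a predicate: BAMUsers plus at least one other BAM group."""
    return BAMUSERS in groups and bool(groups & BAM_ROLE_GROUPS)


def audit_bam_memberships(memberships: dict[str, set[str]]) -> dict[str, list[str]]:
    """Return three lists worth reviewing.

    missing_bamusers: in a BAM role group but not in BAMUsers (misconfigured).
    login_only: in BAMUsers with no BAM role group (can log in, no permissions).
    administrators: members of BAMAdministrator, the highest-privilege group.
    """
    report: dict[str, list[str]] = {"missing_bamusers": [], "login_only": [], "administrators": []}
    for user, groups in sorted(memberships.items()):
        role_groups = groups & BAM_ROLE_GROUPS
        if role_groups and BAMUSERS not in groups:
            report["missing_bamusers"].append(user)
        if BAMUSERS in groups and not role_groups:
            report["login_only"].append(user)
        if "BAMAdministrator" in groups:
            report["administrators"].append(user)
    return report


if __name__ == "__main__":
    for key, users in audit_bam_memberships(MEMBERSHIPS).items():
        print(f"{key}: {users}")
```

The administrators list is the one to keep short: BAMAdministrator can change users, groups, roles, permissions and the system configuration, so each member should be a named person or a tightly controlled service account.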

17.3.3 Creating Custom Groups

You can create custom groups for Oracle BAM in the Oracle WebLogic Server Administration Console. After you create a custom group, you can create a custom role and assign the group to the role.

To create a new group:

  1. Access the Oracle WebLogic Server console using a URL that includes the Oracle WebLogic Server hostname and the console port:
    http://wls-hostname:console-port/console
    

    For example:

    http://localhost:7011/console
    
  2. Log in using the Oracle WebLogic Server admin username and password.
  3. In the left pane of the Oracle WebLogic Server Administration Console, select Security Realms.
  4. On the Summary of Security Realms page, select the name of the realm (for example, myrealm).
  5. On the Settings for Realm Name page, select Users and Groups.
  6. Select the Groups tab, and click New.
  7. Enter the group name and description. Do not change the provider.
  8. Click OK.

17.3.4 Creating Custom Roles

You can create custom roles for custom Oracle BAM groups in Fusion Middleware Control. For more information, see Managing Application Roles in Securing Applications with Oracle Platform Security Services.

17.4 Configuring Oracle BAM Server Security

Security is configured in Oracle WebLogic Server.

See Configuring Security for a WebLogic Domain in Administering Security for Oracle WebLogic Server. For more information on Oracle WebLogic Server security, see Overview of the WebLogic Security Service in Understanding Security for Oracle WebLogic Server.

17.4.1 Configuring Credential Mapping

Configure Oracle BAM Adapter to securely store user name and password properties using Oracle WebLogic Server credential mapping functionality.

Note:

Use plain text user names and passwords only in nonproduction mode. Do not mix using credential mapping and plain text user information; apply one at a time to avoid confusion.

To configure credential mapping:

  1. Using the Oracle WebLogic Server Administration Console, go to Deployment > OracleBamAdapter > Security > Credential Mappings.

  2. Click New, select an outbound connection pool instance for which to create a credential mapping entry, and click Next. By default, Oracle BAM is installed with two connection pools, eis/bam/rmi and eis/bam/soap.

    Note:

    Ensure that a separate credential mapping entry for each outbound connection pool is created. If there are any additional outbound connection pools other than the defaults, you must create corresponding credential mappings for them as well.

  3. Select Unauthenticated WLS User, and click Next. Unauthenticated WLS User is similar to an anonymous user: the mapping applies whenever the adapter's outbound connection is made without a WebLogic identity, so the mapped BAM account should be a dedicated service account holding only the BAM groups it needs, not an administrator account.
  4. Specify a corresponding user name and password for connecting to Oracle BAM Server, then click Finish to complete the credential mapping.
  5. Repeat these steps to create the credential mapping for the other Oracle BAM connection pool entries.

    After you configure the credential mappings for each of the outbound connection pool entries, the mappings appear in the Credential Mappings table.

  6. For these changes to take effect, Oracle WebLogic Server must be restarted.

17.4.2 Configuring Secure Sockets Layer

Oracle WebLogic Server provides the facilities needed to enable Secure Sockets Layer (SSL) on any Oracle SOA Suite and Oracle WebCenter Portal connections into Oracle WebLogic Server.

Use the Java Development Kit (JDK) keytool utility to create and manage keystores and certificates, and use the Oracle WebLogic Server Administration Console to configure Oracle WebLogic Server listeners.

For more information, see Configuring SSL in Administering Security for Oracle WebLogic Server.

Oracle WebLogic Server lets you configure Oracle BAM to run on both SSL and non-SSL ports. However, when Oracle BAM is running on both SSL and non-SSL ports, it cannot send two Oracle BAM report URLs to the alert email receiver. It is the responsibility of the administrator to decide which mode of access (SSL or non-SSL) to use for the Oracle BAM report URL recipients.

To start Oracle BAM in SSL mode, and enable Oracle BAM clients (like BAMCommand) to invoke EJBs, JMS resources, and JDBC resources using SSL, you must configure the following Oracle BAM properties:

  • Communication_Protocol in the BAMServerConfig.xml file, as follows:

    Default value: <Communication_Protocol>t3</Communication_Protocol>

    For SSL using t3s: <Communication_Protocol>t3s</Communication_Protocol>

  • protocol and port in the BAMCommandConfig.xml file, as follows:

    Default value: <protocol>t3</protocol>

    Default value: <port>listenport</port>

    For SSL using t3s: <protocol>t3s</protocol>

  • ListenPort in BAMCommonConfig.xml file, as follows:

    Default value: <ListenPort>ListenPort</ListenPort>

    For SSL: <ListenPort>SSLListenPort</ListenPort>
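
Because the three settings above live in three files, a partial change leaves some clients on plain t3 while others use t3s. The following check, an added example that is not Oracle's code, parses the relevant elements and reports any file whose protocol and port disagree. The XML fragments are constructed stand-ins for BAMServerConfig.xml, BAMCommandConfig.xml and BAMCommonConfig.xml; the root element names and the port numbers 7011 (non-SSL) and 7012 (SSL) are assumptions, since the real files contain many more elements.

```python
"""Consistency check for the Oracle BAM SSL settings.

Added example, not Oracle's code. Root element names and ports are assumed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

PLAIN_PORT = "7011"  # assumed non-SSL listen port
SSL_PORT = "7012"    # assumed SSL listen port

# Constructed fragments: server switched to t3s, the other two files left as default.
SERVER_SSL = "<BAMServerConfig><Communication_Protocol>t3s</Communication_Protocol></BAMServerConfig>"
COMMAND_PLAIN = "<BAMCommandConfig><protocol>t3</protocol><port>7011</port></BAMCommandConfig>"
COMMON_PLAIN = "<BAMCommonConfig><ListenPort>7011</ListenPort></BAMCommonConfig>"
# Constructed fragments with all three files switched to SSL.
COMMAND_SSL = "<BAMCommandConfig><protocol>t3s</protocol><port>7012</port></BAMCommandConfig>"
COMMON_SSL = "<BAMCommonConfig><ListenPort>7012</ListenPort></BAMCommonConfig>"


def _value(xml: str, tag: str) -> str | None:
    """Text of the first element named tag anywhere in the document, or None."""
    el = ET.fromstring(xml).find(f".//{tag}")
    return el.text.strip() if el is not None and el.text else None


def check_bam_ssl_config(server_cfg: str, command_cfg: str, common_cfg: str) -> list[str]:
    """Return findings; an empty list means the three files agree."""
    server_proto = _value(server_cfg, "Communication_Protocol")
    cmd_proto = _value(command_cfg, "protocol")
    cmd_port = _value(command_cfg, "port")
    listen_port = _value(common_cfg, "ListenPort")

    findings: list[str] = []
    if server_proto not in ("t3", "t3s"):
        findings.append(f"BAMServerConfig.xml: unexpected Communication_Protocol {server_proto!r}")
    if server_proto != cmd_proto:
        findings.append(
            f"protocol mismatch: BAMServerConfig.xml={server_proto} BAMCommandConfig.xml={cmd_proto}"
        )
    # Each file's port must be the listener that matches its own protocol;
    # BAMCommonConfig.xml carries no protocol, so it follows the server setting.
    checks = (
        ("BAMCommandConfig.xml", cmd_proto, cmd_port),
        ("BAMCommonConfig.xml", server_proto, listen_port),
    )
    for fname, proto, port in checks:
        expected = SSL_PORT if proto == "t3s" else PLAIN_PORT
        if port != expected:
            findings.append(f"{fname}: port {port} does not match protocol {proto} (expected {expected})")
    return findings


if __name__ == "__main__":
    print("mixed:", check_bam_ssl_config(SERVER_SSL, COMMAND_PLAIN, COMMON_PLAIN))
    print("ssl:", check_bam_ssl_config(SERVER_SSL, COMMAND_SSL, COMMON_SSL))
```

Run against the mixed fragments it reports the protocol mismatch and the non-SSL ListenPort; against the all-SSL fragments it reports nothing. Adjust PLAIN_PORT and SSL_PORT to the listen ports actually configured on the managed server before using it on real files.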