7 Managing Permissions and Roles for Oracle SOA Suite Users

Support for SOA permissions and roles changed between 11g and 12c as follows:

  • In 11g, Oracle SOA Suite APIs and runtime were protected using Oracle SOA Suite application roles and Oracle Enterprise Manager Fusion Middleware Control protected user actions with the Oracle WebLogic Server role. Role mapping was required.

  • In 12c, Oracle SOA Suite APIs and runtime and Oracle Enterprise Manager Fusion Middleware Control both protect user actions and the user interface using Oracle SOA Suite permissions. (Oracle SOA Suite application roles are defined by a set of permissions.) Therefore, mapping a user to one of the application roles gives them the required permissions.

Note:

By assigning a user to a particular role, the user gets the default permissions associated with that role. Subsequently, permissions associated with a particular role or user can be customized by managing application policies.
For more information about SOA permissions and roles, see Understanding Additional Permission and Role Behavior Scenarios.

7.1 Creating a WebLogic Server User

To create a user login to the WebLogic Server Administration Console:

  1. Log in to WebLogic Server Administration Control Console, and click Security Realms in the left pane.
  2. On the Summary of Security Realms page, select the name of the realm.
  3. On the Settings for Realm Name page select Users and Groups, then the Users tab, then click New.
  4. In the Name field of the Create New User page enter a unique name for the user.
  5. (Optional) In the Description field, enter a description. The description might be the user's full name.
  6. In the Provider drop-down list, select DefaultAuthenticator.
  7. In the Password field, enter a password for the new user, then reenter the password in the Confirm Password field.
  8. Click OK.

For more information about how to create roles, add users to groups, and secure resources with roles and policies in Oracle WebLogic Server, see Users, Groups, and Security Roles in Securing Resources Using Roles and Policies for Oracle WebLogic Server.

7.2 Assigning a WebLogic Server Role to a User

To assign a WebLogic Server role to a user:, add the user to a group:

  1. In the WebLogic Server Administration Control Console Users table, select the user you want to add to a group.
  2. On the Settings for User Name page, select Groups.
  3. Select a group from the Available list box.

    Some of the default groups available in WebLogic Server are:

    Group Name Membership
    Administrators By default, this group contains the user information entered as part of the installation process (that is, the Configuration Wizard), and the system user if the WebLogic Server instance is running Compatibility security. Any user assigned to the Administrators group is granted the Admin security role by default.
    Deployers By default, this group is empty. Any user assigned to the Deployers group is granted the Deployer security role by default.
    Operators By default, this group is empty. Any user assigned to the Operators group is granted the Operator security role by default.
    Monitors By default, this group is empty. Any user assigned to the Monitors group is granted the Monitor security role by default.
    AppTesters By default, this group is empty. Any user assigned to the AppTesters group is granted the AppTester security role by default.
    CrossDomainConnectors By default, this group is empty. Any user assigned to the CrossDomainConnectors group is granted the CrossDomainConnector security role by default.
    AdminChannelUsers By default, this group is empty. Any user assigned to the AdminChannelUsers group is granted the AdminChannelUser security role by default
  4. Click Save.

7.3 Assigning a SOA Role to a User

A user can be assigned an application-level role (such as SOAMonitor) or a folder-specific role (for example, default_Monitor for the default folder).

Note:

Roles can also be added to a group or another application role.

To assign a SOA role to a user, use Oracle Enterprise Manager Fusion Middleware Control:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control as an Administrator.
  2. From the SOA Infrastructure menu, select Security, then Application Roles.SOA Infrastructure menu in Oracle Enterprise Manager Fusion Middleware Control
  3. In the list, select the role that you want to grant to the user and click Edit.

    The following screenshot shows the available SOA roles. By assigning a user to one of these roles, the user has the associated permissions for all of the folders and partitions in the SOA application.

    SOA roles in Oracle Enterprise Manager Fusion Middleware Control
  4. In the Edit Application Role page, click Add.
  5. In the Add Principal dialog, from the Type list, and select User.
  6. In the Principal Name list, select the user and click OK.

    The selected user is given the selected role.

    SOA user assigned SOA role

7.4 Customize Role Permissions

You can customize permissions associated with a particular role or user by managing application policies.

To customize role permissions:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control as an Administrator.
  2. From the SOA Infrastructure menu, select Security, then Application Policies.SOA Infrastructure menu in Oracle Enterprise Manager Fusion Middleware Control
  3. In the list, select the row showing the user and role for which you want to customize permissions and click Edit.Users and role assignments in Oracle Enterprise Manager Fusion Middleware Control
  4. In the Edit Application Grant page, click Edit and edit the permissions as required.SOA user assigned SOA role

    The following table lists the permissions for the default roles in Oracle Enterprise Manager. Note that these roles can be altered or new roles can be created with required permissions.

    Role CompositePermission SOAPlatformPermission InstancePermission
    SOAMonitor read, read-alerts on all folders/partitions read monitor, read-payload
    SOAOperator read, write, provision, lifecycle, read-alerts, manage-alerts read, write-shared-data, read-shared-data change-state, monitor, manage-fault, read-payload, test
    SOADesigner read, write, provision read, write-shared-data, read-shared-data N/A
    SOAAdmin All All All

    where

    • CompositePermission represents permissions to invoke an operation on composites. Permissions include:
      • read - read-only actions, including:
        • view composite configuration
        • get default version
        • get composite metadata (export_composite, export_updates, and so on)
        • list deployed composites for a partition
      • write - actions resulting in modifications of composites, including:
        • import updates
      • provision - actions resulting in composite provisions, including:
        • deploy
        • undeploy
        • delete a SOA partition, removing all composites for that partition as a result
      • lifecycle - actions resulting in composite lifecycle state changes, including:
        • start
        • stop
        • activate
        • retire
        • assign default version
      • read-alerts - read all forms of alerts/notifications on configuration actions
      • manage-alerts - manage all forms of alerts/notifications on configuration actions
    • SOAPlatformPermission represents access to configuration operations on SOA server, including viewing and updating the server URL, logging, auditing, and so on. Permissions include:
      • read - view SOA server configuration.
      • write - modify SOA server configuration.
      • write-shared-data - deploy/remove shared composite resources.
      • read-shared-data - export shared composite resources.
    • InstancePermission represents permissions to invoke SOA runt ime operations such as audit trails and fault recovery. Permissions include:
      • monitor - read access to composite instances, including actions such as getNumberOfFaults, getNumberOfCompositeInstances, getNumberOfFaultInstances, getCompositeInstances, getComponentSnapshot, getAuditFlow, getSensorData, and so on.
      • read-payload - along with monitor permission, provides additional ability to view the payload of the run time instances.
      • change-state - access to instance state change actions including:
        • suspend a flow
        • resume a flow
      • manage-fault - access to fault management actions including:
        • recover a fault
        • abort instances
      • delete - ability to delete or purge composite instances and delete rejected messages.
      • modify-payload - along with change-state, provides additional ability to modify payload.
      • migrate - access to composite migration actions.
      • test - access to composite test methods.
  5. Click OK.

The following examples show permissions required to access certain functionality in Oracle Enterprise Manager Fusion Middleware Control.

Functionality Permissions Required
Access Flow Instance tab

oracle.fabric.permission.InstancePermission with monitor permission

oracle.fabric.permission.CompositePermission with read permission

Start/stop/activate/retire a composite

oracle.fabric.permission.CompositePermission with read permission

oracle.fabric.permission.CompositePermission with lifecycle permission

Deploy/undeploy/redeploy composite

oracle.fabric.permission.SOAPlatformPermission with write permission

oracle.fabric.permission.CompositePermission with write permission

Terminate/recover an instance

oracle.fabric.permission.InstancePermission with manage-fault permission

oracle.fabric.permission.InstancePermission with monitor permission

Delete a flow instance oracle.fabric.permission.InstancePermission with delete and monitor permissions

7.5 Assigning SOA Folder Roles to a User

For information about managing SOA folders, see Managing SOA Folders.

Note:

All folders are automatically secured with application roles and folder roles.

To assign a SOA folder role to a user:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control with a user account that includes the Oracle WebLogic Server Admin role.
  2. From the SOA Infrastructure menu, select Security, then Application Roles.SOA Infrastructure menu in Oracle Enterprise Manager Fusion Middleware Control
  3. In the list, select the required role that you want to assign to the user and click Edit.

    Folder-based roles are named using the convention folder-name_folder-role. For example, some of the roles available for folder test may be as shown here:

    Folder roles in Oracle Enterprise Manager Fusion Middleware Control
  4. In the Edit Application Role page, click Add.
  5. In the Add Principal dialog, from the Type list, select User.
  6. In the Principal Name list, select the user and click OK.

    The selected user is granted the permissions associated with the selected folder role.