4 Managing Users in Oracle API Manager

This chapter describes managing users in Oracle API Manager.

The following topics are covered:

4.1 Managing Users

API Manager users are managed using Fusion Middleware Control. An administrative user creates groups in Fusion Middleware Control, maps application roles to these groups, creates users, and then assigns users to groups.

Use this URL to log onto Fusion Middleware Control:

http://administration_server_host:administration_server_port/em

The Administration Server host and port number were in the URL on the Configuration Success screen (Writing Down Your Domain Home and Administration Server URL). The default Administration Server port number is 7001.

Note:

The tasks in this section describe creating users and assigning roles using Fusion Middleware Control. You can also use an LDAP Authentication provider to manage users. See "Configuring LDAP Authentication Providers" in Administering Security for Oracle WebLogic Server for more information.

4.1.1 Create Groups for API Manager Roles

Use Fusion Middleware Control to create groups that map to the API Manager roles.

See Understanding User Roles in Oracle API Manager for additional information about the API Manager user roles.

You must complete this task multiple times to create the following groups:

  • API Admin

  • API Consumer

  • API Curator

  • Developer

You do not need to create groups for the following Service Bus groups, which are available OOTB:

  • Administrators

  • Deployers

  • Monitors

To create a group:

  1. Log in to Fusion Middleware Control as a user with administrator privileges.
  2. In the Target Navigator, expand WebLogic Domain, and right-click the name of your domain. Navigate to Security > Users and Groups to display the Users and Groups page.
  3. Click the Groups tab.
  4. Click Create.
  5. From the Create a New Group page, define the following properties for the groups listed above:
    • Name (must be unique)
    • Description
    • Provider
  6. Click Create.
  7. Repeat steps 4 through 6 to create the remaining groups.

When finished, complete the task described in Assign Application Roles to Groups Using Fusion Middleware Control.

4.1.2 Assign Application Roles to Groups Using Fusion Middleware Control

After you have created groups that correspond with the roles in API Manager, you must assign application roles to these groups. After completing this task, any users assigned to the specified groups will be granted the applicable application role.

To assign application roles to groups:
  1. Log in to Fusion Middleware Control as a user with administrative privileges.
  2. In the Target Navigator, expand WebLogic Domain, and right-click the name of your domain. Navigate to Security > Application Roles to display the Application Roles page.
  3. Select Service_Bus_Console from the Application Stripe list, and then click the Search Application Roles icon.
  4. Map the API Curator application role to the API Curator group:
    1. Select APICurator from the list of application roles, and then click Edit.
    2. From the Members region, click Add.
    3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
    4. Select the API Curator group, and then click OK to close the dialog.
    5. Click OK.
  5. Map the Developer application role to the API Developer group:
    1. Select Developer from the list of application roles, and then click Edit.
    2. From the Members region, click Add.
    3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
    4. Select the API Developer group, and then click OK to close the dialog.
    5. Click OK.
  6. Map the Deployer application role to the Deployers group:
    1. Select Deployer from the list of application roles, and then click Edit.
    2. From the Members region, click Add.
    3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
    4. Select the Deployers group, and then click OK to close the dialog.
    5. Click OK.
  7. Map the Monitor application role to the Monitors group:
    1. Select Monitor from the list of application roles, and then click Edit.
    2. From the Members region, click Add.
    3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
    4. Select the Monitors group, and then click OK to close the dialog.
    5. Click OK.
  8. Select API_Manager from the Application Stripe list, and then click the Search Application Roles icon.
  9. Map the API Admin application role to the API Admin group:
    1. Select APIApplicationAdminsitrator from the list of application roles, and then click Edit.
    2. From the Members region, click Add.
    3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
    4. Select the API Admin group, and then click OK to close the dialog.
    5. Click OK.
  10. Map the API Consumer application role to the API Consumer group:
    1. Select APIConsumer from the list of application roles, and then click Edit.
    2. From the Members region, click Add.
    3. From the Add Principal dialog, select Group from the Type list, and then click the Search icon.
    4. Select the API Consumer group, and then click OK to close the dialog.
    5. Click OK.

You do not need to assign application roles to the Administrator Service Bus group. This is done OOTB.

When finished, complete the task described in Creating API Manager Users.

4.1.3 Creating API Manager Users

You create API Manager users with Fusion Middleware Control.

You should create at least one user for each of the following roles:

  • API Admin

  • API Consumer

  • API Curator

  • API Developer

  • Deployers

  • Monitors

Caution:

Do not use any of the following characters in user names: ; , + = \ (double back-slashes can be used; for example smith\\). Do not begin a user name with a pound sign (#) or double quotes ("). Creating a user with any of the preceding invalid characters can corrupt the WebLogic domain.

To create API Manager users:

  1. Log in to Fusion Middleware Control as a user with administrator privileges.
  2. In the Target Navigator, expand WebLogic Domain, and right-click the name of your domain. Navigate to Security > Users and Groups to display the Users and Groups page
  3. Click the Users tab.
  4. Above the Users table click Create.
  5. In the Name field of the Create New User dialog enter the login ID of the user.
  6. Optionally, in the Description field, enter a short description to help identify the user.
  7. In the Provider drop-down list, select the authentication provider for the user.
  8. In the Password field, enter a password for the user. The password must be 8 characters or more.
  9. Re-enter the password for the user in the Confirm Password field.
  10. Click Create to save your changes.
  11. Repeat steps 4 through 10 to create the remaining users.

The user name appears in the User table

When finished, complete the task described in Assigning Users to Groups.

4.1.4 Add Groups to the Monitors Parent Group

All users accessing the Service Bus console must be a member of the Monitors group. The easiest way to assign these users to the Monitors group is to add their parent groups to the Monitors group.

You must add these groups to the Monitors group:

  • API Curator

  • API Developer

  • Deployers

Note:

All users accessing the Service Bus Console must be added to the Monitors parent group or to a group that is a member of the Monitors parent group. Ensure that you have completed this task if you hare having trouble accessing the Service Bus Console with an appropriate user.

To add groups to the Monitors parent group:
  1. Log in to Fusion Middleware Control as a user with administrator privileges.
  2. In the Target Navigator, expand WebLogic Domain, and right-click the name of your domain. Navigate to Security > Users and Groups to display the Users and Groups page.
  3. Click the Groups tab.
  4. Click the group you want to add to Monitors. As an example, click API Curator.
  5. Click the Membership tab.
  6. Select the Monitors group from the Available list, and then click the Right Arrow (>) icon to move the Monitors group to the Chosen list.
  7. Click Save, and then click the Users and Groups link to return to the Users and Groups page.
  8. Repeat steps 4 though 7 for each of the remaining groups.
When finished, complete the task described in Assigning Users to Groups.

4.1.5 Assigning Users to Groups

You add users to the appropriate groups to grant role permissions associated with that group. For example, assign a user to the API Curator group to grant that user permissions associated with the API Curator role.

You should create at least one user for each role, and then add users to the groups that correspond with their intended roles:

  • API Admin

  • API Consumer

  • API Curator

  • API Developer

  • Deployers

  • Monitors

To add API Manager users to groups:

  1. Log in to Fusion Middleware Control as a user with administrator privileges.
  2. In the Target Navigator, expand WebLogic Domain, and right-click the name of your domain. Navigate to Security > Users and Groups to display the Users and Groups page.
  3. Click the Users tab.
  4. In the Users table, click the name of the user you created in Creating API Manager Users.
  5. From the Setting for User page, click the Groups tab.
  6. Select the groups to which you want to add the user and then click the right arrow to add them to the Chosen list. As an example, an API Curator user should be added to the API Curator group.
  7. Click Save , and then click the Users and Groups links, as shown in the following figure, to return to the Users and Groups page.
  8. Repeat steps 4 through 7 for each user you created in Creating API Manager Users.

4.2 Next Steps

The next steps include curating APIs using Oracle Service Bus, discovering and using APIs from the API Manager Portal, and administering API Manager.

See Using Oracle API Manager for more information.