A global role can be used by any security policy in a security realm (and thus can be used to secure any resource in a WebLogic Server domain).

Note: WebLogic Server provides a set of global roles that you can use. See Default Global Roles.

If two roles conflict, the role of a narrower scope overrides the role of the broader scope. For example, a scoped role for an EJB resource overrides a global role.
To create a global security role:

1. In the left pane of the Administration Console, select Security Realms.
2. On the Summary of Security Realms page, select the name of the realm in which you want to create the role (for example, myrealm).
3. On the Settings page, select the Roles and Policies tab. Then select the Roles subtab.
   The Roles page organizes all of the domain's resources and corresponding roles in a hierarchical tree control.
4. In the Roles table, in the Name column, expand the Global Roles node.
5. In the Name column, select the name of the Roles node.
6. In the Global Roles table, click New.
7. On the Create a New Role for this Realm page, enter the name of the global role in the Name field.
   Note: Do not use blank spaces, commas, hyphens, or any characters in the following comma-separated list: \t, < >, #, |, &, ~, ?, ( ), { }. Security role names are case sensitive. All security role names are singular and the first letter is capitalized, according to convention. The proper syntax for a security role name is as defined for an Nmtoken in the Extensible Markup Language (XML) Recommendation.
8. If you have more than one role mapper configured for the realm, from the Provider Name list select the role mapper you want to use for this role.
   Role mapping is the process whereby principals (users or groups) are dynamically mapped to security roles at runtime. The role mapper provider is responsible for saving your role definition in its repository. See Configure Role Mapping providers.
9. Click OK to save your changes.
10. In the Global Roles table, select the role.
11. In the Role Conditions section, click Add Conditions.
12. On the Choose a Predicate page, in the Predicate List, select a condition.
    Oracle recommends that you use the Group condition whenever possible. This condition grants the security role to all members of the specified group (that is, multiple users).
    For a description of all conditions in the Predicate List, see Security Role Conditions.
13. The next steps depend on the condition that you chose:
    - If you selected Group or User, click Next, enter a user or group name in the argument field, and click Add. The names you add must match groups or users in the security realm active for this WebLogic domain.
    - If you selected a boolean predicate (Server is in development mode, Allow access to everyone, or Deny access to everyone), there are no arguments to enter. Click Finish and go to step 15.
    - If you selected a context predicate, such as Context element's name equals a numeric constant, click Next and enter the context name and an appropriate value. It is your responsibility to ensure that the context name and/or value exists at runtime.
    - If you selected a time-constrained predicate, such as Access occurs between specified hours, click Next and provide values for the Edit Arguments fields.
14. Click Finish.
15. (Optional) Create additional role conditions.
16. (Optional) The WebLogic Security Service evaluates conditions in the order they appear in the list. To change the order, select the check box next to a condition and click the Move Up or Move Down button.
17. (Optional) Use other buttons in the Role Conditions section to specify relationships between the conditions:
    - Select And/Or between expressions to switch the and/or statements.
    - Click Combine or Uncombine to merge or unmerge selected expressions. See Combine Conditions.
    - Click Negate to make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.
18. Click Save.
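As an added example, not part of this Oracle help page or WebLogic's own code, the following Python script models two things the procedure above relies on: the role-name rules from the note in step 7, and how the conditions chosen in steps 13 to 17 (Group, User, the boolean and time-constrained predicates, And/Or, Negate) combine to decide who holds a role, including a scoped role overriding a global role of the same name. The tuple representation of conditions, the `evaluate` and `effective_roles` functions, and the sample role definitions are assumptions made for illustration only; the Nmtoken check is an ASCII-only approximation of the XML production, and the "between hours" predicate is modelled as a half-open interval that may wrap past midnight.

```python
import re

# --- 1. Role-name check (rules from the note in step 7) --------------------
# Characters the page says not to use: blank, comma, hyphen, tab and
# < > # | & ~ ? ( ) { }.
FORBIDDEN_CHARS = set(" ,-\t<>#|&~?(){}")

# Assumption: ASCII-only approximation of the XML Nmtoken production
# (letters, digits, '.', '-', '_', ':'); non-ASCII name characters are
# not handled here.
_NMTOKEN_ASCII = re.compile(r"^[A-Za-z0-9._:\-]+$")


def validate_role_name(name):
    """Return the list of problems with a proposed role name ([] means OK)."""
    if not name:
        return ["name is empty"]
    problems = []
    bad = sorted(c for c in set(name) if c in FORBIDDEN_CHARS)
    if bad:
        problems.append("forbidden characters: " + repr("".join(bad)))
    if not _NMTOKEN_ASCII.match(name):
        problems.append("not an XML Nmtoken (ASCII approximation)")
    if not name[0].isupper():
        problems.append("convention: first letter should be capitalized")
    return problems


# --- 2. Role-condition evaluation (a model of the predicates in step 13) ---
# A condition is a tuple (kind, *args). Assumption: this is an illustrative
# model, not WebLogic's own role-mapping engine.
def evaluate(cond, ctx):
    """Evaluate one condition against a caller context (user, groups, ...)."""
    kind, args = cond[0], cond[1:]
    if kind == "group":            # Group: any member of the named group
        return args[0] in ctx.get("groups", ())
    if kind == "user":             # User: exactly this principal
        return args[0] == ctx.get("user")
    if kind == "allow_everyone":   # boolean predicate, no arguments
        return True
    if kind == "deny_everyone":    # boolean predicate, no arguments
        return False
    if kind == "dev_mode":         # Server is in development mode
        return bool(ctx.get("dev_mode"))
    if kind == "between_hours":    # Access occurs between specified hours
        start, end = args          # half-open [start, end), may wrap midnight
        hour = ctx["hour"]
        if start <= end:
            return start <= hour < end
        return hour >= start or hour < end
    if kind == "context_equals":   # Context element's name equals a constant
        name, value = args         # the element must exist at runtime
        return ctx.get("context", {}).get(name) == value
    if kind == "not":              # Negate
        return not evaluate(args[0], ctx)
    if kind == "and":              # And between expressions
        return all(evaluate(c, ctx) for c in args)
    if kind == "or":               # Or between expressions
        return any(evaluate(c, ctx) for c in args)
    raise ValueError("unknown predicate: " + str(kind))


def effective_roles(global_roles, scoped_roles, ctx):
    """Names of the roles granted to the caller described by ctx.

    Both arguments map role name -> condition. A scoped role with the same
    name as a global role replaces it (the narrower scope wins)."""
    merged = dict(global_roles)
    merged.update(scoped_roles)
    return sorted(name for name, cond in merged.items() if evaluate(cond, ctx))


# Constructed sample definitions mirroring the page's examples: the Deployer
# role excludes the Operators group via Negate, as in step 17.
GLOBAL_ROLES = {
    "Deployer": ("and", ("group", "Deployers"), ("not", ("group", "Operators"))),
    "NightOperator": ("and", ("group", "Operators"), ("between_hours", 22, 6)),
    "Developer": ("or", ("dev_mode",), ("group", "Developers")),
}
# Constructed scoped definition (say, on one EJB) that overrides the global one.
SCOPED_ROLES = {"Deployer": ("user", "alice")}

if __name__ == "__main__":
    ctx = {"user": "bob", "groups": {"Deployers"}, "hour": 10, "dev_mode": False}
    print(validate_role_name("Deployer"), validate_role_name("my role"))
    print(effective_roles(GLOBAL_ROLES, {}, ctx))             # ['Deployer']
    print(effective_roles(GLOBAL_ROLES, SCOPED_ROLES, ctx))   # []
```

The second `effective_roles` call shows the override rule from the top of the page: once a scoped Deployer role exists, bob's global Deployer membership no longer applies to that resource, because the scoped definition (User alice) is the one evaluated.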
After you finish

Create security policies that determine which roles can access resources. See Create policies for resource instances.