Administration Console Online Help

Previous Next Open TOC in new window
Content starts here

Create global security roles

Before you begin

Create users and groups. See Manage users and groups.

A global role can be used by any security policy in a security realm (and thus can be used to secure any resource in a WebLogic Server domain).

Note: WebLogic Server provides a set of global roles that you can use. See Default Global roles.

If two roles conflict, the role of a narrower scope overrides the role of the broader scope. For example, a scoped role for an EJB resource overrides a global role.

To create a global security role:

  1. In the left pane of the Administration Console, select Security Realms.
  2. On the Summary of Security Realms page, select the name of the realm in which you want to create the role (for example, myrealm).
  3. On the Settings page, select the Roles and Policies tab. Then select the Roles subtab.

    The Roles page organizes all of the domain's resources and corresponding roles in a hierarchical tree control.

  4. In the Roles table, in the Name column, expand the Global Roles node.
  5. In the Name column, select the name of the Roles node.
  6. In the Global Roles table click New.
  7. On the Create a New Role for this Realm page enter the name of the global role in the Name field.

    Note: Do not use blank spaces, commas, hyphens, or any characters in the following comma-separated list: \t, < >, #, |, &, ~, ?, ( ), { }. Security role names are case sensitive. All security role names are singular and the first letter is capitalized, according to convention. The proper syntax for a security role name is as defined for an Nmtoken in the Extensible Markup Language (XML) Recommendation.

  8. If you have more than one role mapper configured for the realm, from the Provider Name list select the role mapper you want to use for this role.

    Role mapping is the process whereby principals (users or groups) are dynamically mapped to security roles at runtime. The role mapper provider is responsible for saving your role definition in its repository. See Configure Role Mapping providers.

  9. Click OK to save your changes.
  10. In the Global Roles table select the role.
  11. In the Role Conditions section click Add Conditions.
  12. On the Choose a Predicate page, in the Predicate List, select a condition.

    Oracle recommends that you use the Group condition whenever possible. This condition grants the security role to all members of the specified group (that is, multiple users).

    For a description of all conditions in the Predicate List, see Security Role Conditions.

  13. The next steps depend on the condition that you chose:
    • If you selected Group or User, click Next, enter a user or group name in the argument field, and click Add. The names you add must match groups or users in the security realm active for this WebLogic domain.
    • If you selected a boolean predicate (Server is in development mode , Allow access to everyone, or Deny access to everyone) there are no arguments to enter. Click Finish and go to step 15.
    • If you selected a context predicate, such as Context element's name equals a numeric constant, click Next and enter the context name and an appropriate value. It is your responsibility to ensure that the context name and/or value exists at runtime.
    • If you selected a time-constrained predicate, such as Access occurs between specified hours, click Next and provide values for the Edit Arguments fields.
  14. Click Finish.
  15. (Optional) Create additional role conditions.
  16. (Optional) The WebLogic Security Service evaluates conditions in the order they appear in the list. To change the order, select the check box next to a condition and click the Move Up or Move Down button.
  17. (Optional) Use other buttons in the Role Conditions section to specify relationships between the conditions:
    • Select And/Or between expressions to switch the and / or statements.
    • Click Combine or Uncombine to merge or unmerge selected expressions. See Combine Conditions.
    • Click Negate to make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.
  18. Click Save.

After you finish

Create security policies that determine which roles can access resources. See Create policies for resource instances.

Back to Top