July 19 2011

In SOA Suite 11g, Enterprise Manager provides a wide variety of monitoring and management functions to an administrator.  At most customers I have worked with, this level of control is not given to all users, especially in QA/UAT or Production environments.  Fortunately, Enterprise Manager can grant different levels of access to different users and groups.  At a current customer we need to give a group of users and developers access to view service status and health, composite instances, and audit trails, while making sure those same users have no permission to change any settings.

The first step in setting this up was to create a set of WebLogic groups.  We were not using an external LDAP, so these groups were created in the embedded WebLogic LDAP.

We used the following list of groups and permissions.  The Operators and Administrators groups are WebLogic built-ins and already existed; only SOAAuditViewer had to be created.

Group            Permission
SOAAuditViewer   Service status/health, composite instance and audit details
Operators        Service control (stop/start/deploy composites)
Administrators   Full access including security configuration

Next, create an operator user and an auditviewer user to test the permissions.  Place the operator user in the Operators group and the auditviewer user in the SOAAuditViewer group.


Then log in to Enterprise Manager, right click on your domain and select Security -> Application Roles.

Select soa-infra as the Application Stripe and click the search button.  You should see a list like the one below of all the roles available.

Role            Permission
SOAAdmin        Full access including security settings
SOAOperator     Service control (start/stop/deploy composites)
SOAMonitor      Read-only access
SOAAuditAdmin   Access to modify audit levels
SOAAuditViewer  Access to instance and audit details


Click on the SOAMonitor role.  On the role detail page click Add Group and then the search icon in the dialog.  This lists all of the WLS groups available.  Select the SOAAuditViewer group and move it to the right.  You should now see two groups listed.

Now repeat these steps for the SOAAuditViewer role and the SOAAuditViewer group.

The SOAOperator role should already be assigned to the Operators group.

You can now try logging out of Enterprise Manager and logging back in as the auditviewer user.  You should have read-only access: instances and audit trails are visible, but nothing can be changed.

Now log out and log back in as the operator user.  You should have permission to stop, start and deploy composites, but if you attempt to go to a security-related page you will see that you do not have access.

You will now have groups set up to allow users limited access to Enterprise Manager in controlled environments.  You can create any additional groups you require with different combinations of the provided roles, keeping SOAAdmin and SOAAuditAdmin reserved for the people who actually administer the environment.
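The same setup can be scripted so it is repeatable across QA/UAT and Production instead of being clicked through in Enterprise Manager each time.  The WLST (Jython) script below is an added example, not code from the original post or from Oracle: it creates the group and test users in the embedded LDAP via the DefaultAuthenticator MBean, grants the soa-infra application roles to the groups with grantAppRole, and then lists the members of every role, including the two privileged ones, so you can confirm the new group does not appear there.  The AdminServer URL, admin account, test user names and passwords are assumptions for the example and must be replaced.

```wlst
# Added example, not code from the original post or from Oracle.  Run with
# $MW_HOME/oracle_common/common/bin/wlst.sh, the copy of WLST that loads the
# OPSS commands (grantAppRole, listAppRoleMembers).  URL, admin account,
# test users and passwords below are assumptions; replace them.

ADMIN_URL  = 't3://soahost.example.com:7001'   # assumed AdminServer URL
ADMIN_USER = 'weblogic'                         # assumed admin account
ADMIN_PWD  = 'welcome1'                         # assumed; prompt for it in real use
STRIPE     = 'soa-infra'                        # the application stripe searched in EM
WLS_GROUP  = 'weblogic.security.principal.WLSGroupImpl'

# WLS group -> soa-infra application roles.  The viewer group gets the two
# read-only roles and nothing else: no SOAAdmin, no SOAAuditAdmin.
ROLE_MAP = {
    'SOAAuditViewer': ['SOAMonitor', 'SOAAuditViewer'],
    'Operators':      ['SOAOperator'],   # normally already granted out of the box
}

# Test users -> (group, password).  Names and passwords are assumed.
TEST_USERS = {
    'auditviewer': ('SOAAuditViewer', 'Welcome1!'),
    'operator':    ('Operators',      'Welcome1!'),
}

connect(ADMIN_USER, ADMIN_PWD, ADMIN_URL)

# Groups and users live in the embedded LDAP, which is edited through the
# DefaultAuthenticator MBean of the default realm.
realm = cmo.getSecurityConfiguration().getDefaultRealm()
atn   = realm.lookupAuthenticationProvider('DefaultAuthenticator')

for group in ROLE_MAP.keys():
    if atn.groupExists(group):
        print 'group %s already exists' % group
    else:
        atn.createGroup(group, 'EM access group for SOA: ' + group)
        print 'created group %s' % group

for user in TEST_USERS.keys():
    group, pwd = TEST_USERS[user]
    if not atn.userExists(user):
        atn.createUser(user, pwd, 'test user for group ' + group)
        print 'created user %s' % user
    if not atn.isMember(group, user, true):
        atn.addMemberToGroup(group, user)
        print 'added %s to %s' % (user, group)

# Map each WLS group onto its application roles.  grantAppRole raises when the
# grant already exists (the out-of-the-box Operators -> SOAOperator mapping
# shows up this way); treat that as nothing to do.
for group in ROLE_MAP.keys():
    for role in ROLE_MAP[group]:
        try:
            grantAppRole(appStripe=STRIPE, appRoleName=role,
                         principalClass=WLS_GROUP, principalName=group)
            print 'granted %s to group %s' % (role, group)
        except:
            print 'grant of %s to %s skipped (already present?)' % (role, group)

# Verify.  The last two roles are the privileged ones: the new viewer group
# must not be listed under SOAAuditAdmin or SOAAdmin.
for role in ['SOAMonitor', 'SOAAuditViewer', 'SOAOperator', 'SOAAuditAdmin', 'SOAAdmin']:
    print '--- members of %s/%s' % (STRIPE, role)
    listAppRoleMembers(appStripe=STRIPE, appRoleName=role)

disconnect()
exit()
```

The grant references the group only by name and principal class, so the mapping does not depend on where the group is stored: in a domain with an external LDAP authenticator, create the group in the directory instead of through the DefaultAuthenticator block above, and the grantAppRole and listAppRoleMembers calls stay exactly as written.  Treat the final listing as the acceptance check for the environment: only Administrators should appear under SOAAdmin.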

About the Author

Adam Desjardin

Adam DesJardin is the Chief Technology Officer for AVIO Consulting.  Adam focuses on technical strategy, standards and delivery both within AVIO and for our customers.  Prior to joining AVIO in 2007, Adam held various consulting and architecture positions at Fuego and BEA Systems where he developed and delivered process and service driven solutions.

Join the Conversation

April 21, 2014

How to do it with LDAP-configured environments?


I have an invalid username/password message displaying while deploying from the EM console. I am logging in as administrator.
