In SOA Suite 11g, Enterprise Manager provides a wide variety of monitoring and management functions to an administrator. At most customers I have worked with, this level of control is not given to all users, especially in QA/UAT or Production environments. Fortunately, Enterprise Manager provides functionality to grant different levels of access to different users and groups. At a current customer we need to give a group of users and developers access to view service status and health, composite instances, and audit trails. At the same time these users must not have permission to change any settings.
The first step in setting this up was to create a set of Weblogic groups. We were not using any external LDAP so these groups were created in the internal Weblogic LDAP.
We used the following list of groups and permissions. The Operator and Administrator groups were already available within Weblogic.

| Group | Permissions |
| --- | --- |
| SOAAuditViewer | Service status/health, composite instance and audit details |
| Operator | Service control (stop/start/deploy composites) |
| Administrator | Full access, including security configuration |
Next, create an operator user and an auditviewer user to test the permissions. Place the operator user in the Operator group and the auditviewer user in the SOAAuditViewer group.
Then log in to Enterprise Manager, right-click on your domain and select Security -> Application Roles.
Select soa-infra as the Application Stripe to search and click the search button. You should see a list like the one below of all of the roles available.

| Application Role | Access |
| --- | --- |
| SOAAdmin | Full access, including security settings |
| SOAOperator | Service control (start/stop/deploy composites) |
| SOAMonitor | Read-only access |
| SOAAuditAdmin | Access to modify audit levels |
| SOAAuditViewer | Access to instance and audit details |
Click on the SOAMonitor role. On the role detail page click Add Group and then the search icon on the dialog. This will list all of the WLS groups available. Select the SOAAuditViewer group and move it to the right. You should now see 2 groups listed.
Now repeat these steps for the SOAAuditViewer role and the SOAAuditViewer group.
The SOAOperator role should already be assigned to the Operators group.
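The console steps above can also be scripted, which is useful when the same group-to-role mapping has to be reproduced in QA, UAT and Production. The following WLST script is an added example and is not code from the original post; it assumes the admin server listens on localhost:7001, that the embedded WebLogic LDAP is managed by the realm's DefaultAuthenticator, and that it is run with the WLST shipped in `$ORACLE_HOME/common/bin` so the OPSS commands (`grantAppRole`, `listAppRoleMembers`) are available. Passwords are placeholders.

```jython
# Added example (not from the original post): WLST equivalent of the
# console steps for creating the WebLogic group, the test users, and the
# soa-infra application-role mappings.
# Assumptions: admin server at localhost:7001, embedded LDAP via the
# DefaultAuthenticator, run under $ORACLE_HOME/common/bin/wlst.sh.

ADMIN_URL  = 't3://localhost:7001'       # assumption
ADMIN_USER = 'weblogic'                   # assumption
ADMIN_PWD  = '<admin-password>'           # placeholder
TEST_PWD   = '<test-user-password>'       # placeholder

# WebLogic group -> users to create in it, soa-infra roles to map it to.
# 'Operators' is a built-in WebLogic group, so it is not created here;
# only the custom read-only group is.
PLAN = {
    'SOAAuditViewer': {
        'create':      1,
        'description': 'Read-only EM access: status, instances, audit trail',
        'users':       ['auditviewer'],
        'roles':       ['SOAMonitor', 'SOAAuditViewer'],
    },
    'Operators': {
        'create':      0,
        'description': None,
        'users':       ['operator'],
        'roles':       ['SOAOperator'],
    },
}

connect(ADMIN_USER, ADMIN_PWD, ADMIN_URL)

# The embedded LDAP is edited through the DefaultAuthenticator MBean.
realm = cmo.getSecurityConfiguration().getDefaultRealm()
atn = realm.lookupAuthenticationProvider('DefaultAuthenticator')

for group, spec in PLAN.items():
    if spec['create'] and not atn.groupExists(group):
        atn.createGroup(group, spec['description'])
    for user in spec['users']:
        if not atn.userExists(user):
            atn.createUser(user, TEST_PWD, 'Test user for group ' + group)
        if not atn.isMember(group, user, 1):
            atn.addMemberToGroup(group, user)
    # Map the WebLogic group onto the application roles in the soa-infra
    # stripe of the OPSS policy store. A grant that already exists (for
    # example Operators -> SOAOperator) raises an error, so report and go on.
    for role in spec['roles']:
        try:
            grantAppRole(appStripe='soa-infra', appRoleName=role,
                         principalClass='weblogic.security.principal.WLSGroupImpl',
                         principalName=group)
        except Exception, e:
            print 'Skipping grant of %s to %s: %s' % (role, group, e)

# Check: every role in the plan should now list its group as a member.
for group, spec in PLAN.items():
    for role in spec['roles']:
        print 'Members of soa-infra role %s:' % role
        listAppRoleMembers(appStripe='soa-infra', appRoleName=role)

disconnect()
```

The `listAppRoleMembers` output at the end is the check worth keeping: after the script (or the console steps) the SOAAuditViewer group should appear under both SOAMonitor and SOAAuditViewer and nowhere else, and the SOAAdmin role should still contain only the administrators. Note that `grantAppRole` adds to the existing members of a role; it never removes anything, so a group that was mapped to SOAAdmin by mistake stays there until it is revoked with `revokeAppRole`.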
You can now try logging out of Enterprise Manager and logging back in as the auditviewer user. You should now have read-only access, as shown below.
Now log out and log back in as the operator user. You should now have permission to stop, start and deploy composites. If you attempt to go to a security-related page, you will see that you do not have access.
You will now have groups set up to allow users limited access to Enterprise Manager in controlled environments. You can create any additional groups you require with different combinations of the provided roles.