AVIO Consulting

Utilizing Roles to Restrict Functionality in Enterprise Manager

Jul 19, 2011 | BPM

In SOA Suite 11g, Enterprise Manager provides a wide variety of monitoring and management functions to an administrator.  At most customers I have worked at this level of control is not given to all users, especially in QA/UAT or Production environments.  Fortunately, Enterprise Manager provides functionality to provide different levels of access to different users and groups.  At a current customer we need to provide a group of users and developers access to view service status and health, composite instances, and audit trails.  At the same time these users are not allowed to have permission to change any settings.  

The first step in setting this up was to create a set of Weblogic groups.  We were not using any external LDAP so these groups were created in the internal Weblogic LDAP.  

We used the following list of groups and permissions.  The Operator and Administrator groups were already available within Weblogic.

Group Permission
SOAAuditViewer Service Status/Health, Composite Instance and Audit Details
Operator Service Control (Stop/Start/Deploy composites)
Administrator Full access including security configuration


Next, create an operator user and an auditviewer user to test the permissions.  Place the operator user in the Operator group and the auditviewer user in the SOAAuditViewer group.


audit viewer settings


Then log in to Enterprise Manager, right click on your domain and select Security -> Application Roles.

application roles

Select soa-infra as the Application Stripe to search and click the search button.  You should see a list like the one below of all of the roles available.

Role Permission
SOAAdmin Full access including security settings
SOAOperator Service control (Start/Stop/Deploy composites)
SOAMonitor Read Only access
SOAAuditAdmin Access to modify audit levels
SOAAuditViewer Access to instance and audit details

edit application roles


Click on the SOAMonitor role. On the role detail page click Add Group and then the search icon on the dialog. This will list all of the WLS groups available. Select the SOAAuditViewer group and move it to the right.  You should now see 2 groups listed.

add group


Now repeat these steps for the SOAAuditViewer role and the SOAAuditViewer group.

The SOAOperator role should already be assigned to the Operators group.

You can now try logging out of Enterprise Manager and logging back in as the auditviewer user. You should now have read only access as shown below. 


Now log out and log back in as the operator user. You should not have permission to stop, start and deploy composites.  If you attempt to go to a security related page you will see you do not have access.


error message

You will now have groups setup to allow users limited access to Enterprise Manager in controlled environments.  You can now create any additional groups you require with different combinations of the provided roles.