edocs Home > Oracle WebLogic Server Documentation > Administration Console Online Help > Create JMX policies

Administration Console Online Help

Previous Next Open TOC in new window
Content starts here

Create JMX policies

Before you begin

Delegate MBean authorization to the realm


Almost all tasks that you complete in the Administration Console use Java Management Extensions (JMX) to invoke an operation in an underlying managed bean (MBean) or modify an MBean attribute. Oracle provides a default set of JMX resources and policies to protect WebLogic Server MBeans (see Default Security Policies for MBeans). You can use the Administration Console to modify the default policies on these resources or create new policies.

Caution: MBean attributes and operations that represent particularly sensitive data or actions are protected by two sets of resources. Make sure that any modifications you make to the default MBean policies do not prevent a user from being authorized by both sets of resources. For example, to shut down a Managed Server from the Administration Console, you must satisfy the policy on the JMX resource and the policy on the server's Server resource. See JMX Resources.

To create policies for JMX resources or modify the default policies:

  1. In the left pane of the Administration Console, select Security Realms.
  2. On the Summary of Security Realms page, select the name of the realm in which you want to modify JMX policies (for example, myrealm).
  3. On the Settings page, select the Roles and Policies tab. Then select the Policies subtab.

    The Roles and Policies: Policies page organizes all of the domain's resources and corresponding policies in a tree control.

  4. In the Policies table, in the Name column, select the JMX Policy Editor link.

    Note: The Policies table displays this link only if you have configured the realm to delegate MBean authorization. See Delegate MBean authorization to the realm.

  5. On the Select the Policy Scope page:
    • If you want a policy that applies to all instances of a WebLogic Server MBean, select the radio button next to Global Scope. Then click the Next button.
    • If you want a policy that applies only to the MBean instance that is used to manage a specific deployment or system resource:
    1. In the Scope column, expand the category name that describes the type of deployment or resource you want to secure.
    2. Select the radio button next to the deployment or resource you want to secure. Then click the Next button.
  6. On the Select the MBean Type to Which the Policy Applies page:
    • If you want a policy that applies to all instances of all MBeans in the scope that you selected on the previous page, select the radio button next to All MBean Types. Then click the Next button.
    • If you want a policy that applies only to a specific MBean instance, in the MBean Type column, expand the categories of MBeans until you find the MBean.

    Note: If you select Global Scope in Step 5 and All MBean Types in Step 6, then your policy will apply to all MBeans in the domain.

  7. If a policy already exists for an MBean attribute or operation, on the Select Read, Write, or Invoke Privileges page, the Existing Policy column displays a link named View Existing Policy Conditions. To edit the existing policy, click the link.
  8. To create a new policy, on the Select Read, Write, or Invoke Privileges page, do one of the following:
    • To control read access for a specific non-encrypted attribute (applicable only if you selected a specific MBean to secure), expand the Attributes: Permission to Read category and select the attribute. To control read access for all non-encrypted attributes, select the radio button next to the category.
    • To control write access for a specific non-encrypted attribute (applicable only if you selected a specific MBean to secure), expand the Attributes: Permission to Write category and select the attribute. To control write access for all non-encrypted attributes, select the radio button next to the category.
    • To control write or read access for encrypted attributes, expand the Encrypted Attributes: Permission to Read or Encrypted Attributes: Permission to Write category and select the attribute (or to control access for all such attributes, select the radio button next to the category). Granting read access for an encrypted attribute allows a client to read the encrypted version of the attribute; WebLogic Server does not unencrypt values.
    • To control access to a specific operation (applicable only if you selected a specific MBean to secure), expand the Operations: Permission to Invoke category and select the operation. To control access for all operations, select the radio button next to the category.
    • To control access to lookup operations (which enable clients to find this MBean's child MBeans) select the Lookup Operations: Permission to Invoke category or a specific lookup operation in the category.
    • Create and unregister permissions are usually ignored by the management system. These permissions determine who can use the MBean server to create or unregister an MBean. However, most WebLogic Server MBeans cannot be created or destroyed in this way. Instead, they can only be created and destroyed by invoking methods on their parent MBeans.

    Then click the Create Policy button.

  9. On the Edit JMX Policies page, click Add Conditions.
  10. On the Choose a Predicate page, in the Predicate List, select a condition.

    Oracle recommends that you use the Role condition where possible. Basing conditions on security roles enables you to create one security policy that takes into account multiple users or groups, and is a more efficient method of management.

    For more information, see Security Policy Conditions

  11. The next steps depend on the condition that you chose:
    • If you selected Role, click Next, enter the name of a security role in the argument field, and click Add. If the security role that you name does not already exist, create one by that name after you finish creating policies.
    • If you selected Group or User, click Next , enter a name in the argument field, and click Add. If the user or group that you name does not already exist, create one by that name.
    • If you selected a boolean predicate (Server is in development mode , Allow access to everyone, or Deny access to everyone), there are no arguments to enter. Click Finish and go to step 10..
    • If you selected a context predicate, such as Context element's name equals a numeric constant, click Next and enter the context name and an appropriate value. It is your responsibility to ensure that the context name and/or value exists at runtime.
    • If you selected a time-constrained predicate, such as Access occurs between specified hours, click Next and provide values for the Edit Arguments fields.
  12. Click Finish.
  13. (Optional) Create additional conditions.
  14. (Optional) The WebLogic Security Service evaluates conditions in the order they appear in the list. To change the order, select the check box next to a condition and click the Move Up or Move Down button.
  15. (Optional) Use other buttons in the Policy Conditions section to specify relationships between the conditions:
    • Select And/Or between expressions to switch the and / or statements.
    • Click Combine or Uncombine to merge or unmerge selected expressions. See Combine Conditions.
    • Click Negate to make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.
  16. Click Save.

After you finish

If your policies grant access to roles, specify users and groups for your roles. See Manage security roles.


Back to Top