|
|
To give users access to administrative functions such as creating proxy services, you assign them to one of four security roles with pre-defined access privileges. A security role is an identity that can be dynamically conferred upon a user or group based on conditions that are evaluated at runtime. You cannot change the access privileges for the Oracle Service Bus administrative security roles, but you can change the conditions under which a user or group is in one of the roles.
The following sections describe administrative security for Oracle Service Bus:
For more information about security roles, see Users, Groups, and Security Roles, in Securing WebLogic Resources.
Table 9-1 describes the Oracle Service Bus administrative security roles and summarizes their access privileges.
| Note: | In this release, IntegrationAdministrators and IntegrationDeployers have the same privileges. This might change in future releases. |
The Oracle Service Bus roles have permission to modify only Oracle Service Bus resources; they do not have permission to modify WebLogic Server or other resources on WebLogic Server. To give permission to modify WebLogic Server its other resources, add a user to one of the WebLogic Server security roles described in Table 9-2. In each Oracle Service Bus domain, make sure that you add at least one user to the Admin role.
Table 9-3 shows the actions that each Oracle Service Bus security role can perform in the Oracle Service Bus Console.
Permission to perform an action is indicated by a check mark (
) in the table. Note that there are no check marks in the Security Configuration section of this table because only the WebLogic Server Admin role has access to these functions.
To facilitate the process of assigning users to the pre-defined administrative roles, Oracle Service Bus also provides four corresponding security groups. While membership in a role is dynamic, membership in a group is static: an administrator places a user in a group and the user remains in the group until the administrator changes the assignment.
In the simplest scenario for configuring administrative security, you create a user, add the user to one of the four administrative groups, and the user is automatically always a member of the corresponding role with all of the pre-defined access privileges.
In a more complex scenario, you might create two of your own groups, MyAdministratorsEast and MyAdministratorsWest, and assign users appropriately. You configure the pre-defined IntegrationAdmin security role so that the MyAdministratorsWest group is in the role from 8am to 8pm EST, while the MyAdministratorsEast group is in the role from 8pm to 8am EST.
Table 9-4 describes the administrative groups that Oracle Service Bus provides. You can create your own groups in addition to these.
IntegrationAdmin. See IntegrationAdmin and IntegrationDeployer.
|
|
IntegrationDeployer. See IntegrationAdmin and IntegrationDeployer.
|
|
IntegrationOperator. See IntegrationOperator.
|
|
IntegrationMonitor. See IntegrationMonitor.
|
You can create or modify users, groups, and roles when you are in or out of an Oracle Service Bus session. Any additions or modifications to this data take effect immediately and are available to all sessions. If you discard a session in which you added or modified the data, the security data is not discarded.
To configure administrative security:
See “Adding a Group” under Security Configuration in the Using the Oracle Service Bus Console.
See “Adding a User” under Security Configuration in the Using the Oracle Service Bus Console.
By default, the four default groups are always in the Oracle Service Bus security roles, but you can change this default. To more easily manage your list of users, Oracle recommends that you never add users directly to a role. Instead, add users to a group and add the group to the role.
See “Adding a Role” under Security Configuration in the Using the Oracle Service Bus Console.
|