WebLogic Server has the ability to establish a set of users, groups, and global roles as part of the WebLogic domain creation. The WebLogic global roles become part of the WebLogic role mapper (for example, XACMLRoleMapper
) and are specified under domainInfo
in the WLSRoles
section. The users and groups become part of the Embedded LDAP server (for example, DefaultAuthenticator
) and are specified under topology
in the Security
section.
The model allows for the definition of WebLogic roles that can augment the well known WebLogic global roles (for example, Admin
, Deployer
, Monitor
, …) in addition to defining new roles. When updating the well known WebLogic roles, an UpdateMode
can be specified as { append | prepend | replace }
with the default being replace
when not specified. Also, when updating the well known roles, the specified Expression
will be a logical OR
with the default expression. The Expression
value for the role is the same as when using the WebLogic RoleEditorMBean
for a WebLogic security role mapping provider.
For example, the WLSRoles
section below updates the well known Admin
, Deployer
and Monitor
roles while adding a new global role with Tester
as the role name:
domainInfo:
WLSRoles:
Admin:
UpdateMode: append
Expression: "?weblogic.entitlement.rules.IDCSAppRoleName(AppAdmin,@@PROP:AppName@@)"
Deployer:
UpdateMode: replace
Expression: "?weblogic.entitlement.rules.AdministrativeGroup(@@PROP:Deployers@@)"
Monitor:
UpdateMode: prepend
Expression: "?weblogic.entitlement.rules.AdministrativeGroup(AppMonitors)"
Tester:
Expression: "?weblogic.entitlement.rules.IDCSAppRoleName(AppTester,@@PROP:AppName@@)"
The Admin
role will have the expression appended to the default expression, the Deployer
role expression will replace the default, the Monitor
role expression will be prepended to the default expression and Tester
will be a new role with the specified expression.
In addition, the Expression
value can use the variable placeholder syntax specified when running the Create Tool as shown in the above example.
The model allows for the definition of a set of users and groups that will be loaded into the WebLogic Embedded LDAP Server (for example, DefaultAuthenticator
). New groups can be specified and users can be added as members of the new groups or existing groups such as the Administrators
group which is defaulted to be in the WebLogic Admin
global role. Please see Known Limitations below for additional information on users and groups.
The user password can be specified with a placeholder or encrypted with the Encrypt Tool. An example Security
section that adds an additional group AppMonitors
, adds two new users and places the users into groups is as follows:
You can add user attributes that are defined for the DefaultAuthenticator. This is a limited set of attributes that go under a separate folder UserAttribute
in the model under the User
section.
topology:
Security:
Group:
AppMonitors:
Description: Application Monitors
User:
john:
Password: welcome1
GroupMemberOf: [ AppMonitors, Administrators ]
joe:
Password: welcome1
GroupMemberOf: [ AppMonitors ]
UserAttribute:
mail: joe@mycompany.com
XACMLRoleMapper
).Security
section are automatically added to the Administrators
group and are not added to the groups specified. For information about a patch for this issue, see Known issues.