WebLogic Server has the ability to establish a set of users, groups, and global roles as part of the WebLogic domain creation. The WebLogic global roles become part of the WebLogic role mapper (for example, XACMLRoleMapper) and are specified under domainInfo in the WLSRoles section. The users and groups become part of the Embedded LDAP server (for example, DefaultAuthenticator) and are specified under topology in the Security section.
The model allows for the definition of WebLogic roles that can augment the well known WebLogic global roles (for example, Admin, Deployer, Monitor, …) in addition to defining new roles. When updating the well known WebLogic roles, an UpdateMode can be specified as { append | prepend | replace } with the default being replace when not specified. Also, when updating the well known roles, the specified Expression will be a logical OR with the default expression. The Expression value for the role is the same as when using the WebLogic RoleEditorMBean for a WebLogic security role mapping provider.
For example, the WLSRoles section below updates the well known Admin, Deployer and Monitor roles while adding a new global role with Tester as the role name:
domainInfo:
WLSRoles:
Admin:
UpdateMode: append
Expression: "?weblogic.entitlement.rules.IDCSAppRoleName(AppAdmin,@@PROP:AppName@@)"
Deployer:
UpdateMode: replace
Expression: "?weblogic.entitlement.rules.AdministrativeGroup(@@PROP:Deployers@@)"
Monitor:
UpdateMode: prepend
Expression: "?weblogic.entitlement.rules.AdministrativeGroup(AppMonitors)"
Tester:
Expression: "?weblogic.entitlement.rules.IDCSAppRoleName(AppTester,@@PROP:AppName@@)"
The Admin role will have the expression appended to the default expression, the Deployer role expression will replace the default, the Monitor role expression will be prepended to the default expression and Tester will be a new role with the specified expression.
In addition, the Expression value can use the variable placeholder syntax specified when running the Create Tool as shown in the above example.
The model allows for the definition of a set of users and groups that will be loaded into the WebLogic Embedded LDAP Server (for example, DefaultAuthenticator). New groups can be specified and users can be added as members of the new groups or existing groups such as the Administrators group which is defaulted to be in the WebLogic Admin global role. Please see Known Limitations below for additional information on users and groups.
The user password can be specified with a placeholder or encrypted with the Encrypt Tool. An example Security section that adds an additional group AppMonitors, adds two new users and places the users into groups is as follows:
You can add user attributes that are defined for the DefaultAuthenticator. This is a limited set of attributes that go under a separate folder UserAttribute in the model under the User section.
topology:
Security:
Group:
AppMonitors:
Description: Application Monitors
User:
john:
Password: welcome1
GroupMemberOf: [ AppMonitors, Administrators ]
joe:
Password: welcome1
GroupMemberOf: [ AppMonitors ]
UserAttribute:
mail: joe@mycompany.com
XACMLRoleMapper).Security section are automatically added to the Administrators group and are not added to the groups specified. For information about a patch for this issue, see Known issues.