If you have already created an Administrator (user), you will have seen that access and privileges can be set for both users and roles. I recommend using roles, because they make maintenance and access provisioning easier over time. Let's start out by creating a new role:
Let's call the role MWADMIN.
Another tip is to fill out the Description field: describing the intention of the role here will later save you a lot of clicking to see what the role actually does.
Next, don't select any of the existing roles; we will create a new one that is not an aggregate of other roles.
Step 3 is where the magic is going to happen.
The privileges listed on the Target Privileges page are general privileges applicable to all targets. Generic access for all managed targets in Enterprise Manager is set here. If you want to modify any generic settings, do that with a separate generic role.
Unselect [View any Target], scroll down to the bottom and press [Add].
A new pop-up window will appear with the possibility to select target types.
In this case let us select [Group] and then select, or filter, on your WebLogic Group.
(PS: You need to already have created the WebLogic Group for it to show up in the list)
The pop-up window will now close and your group is available for detailed privilege settings. Note that the default Target Privilege is View access only.
Press the pencil button, and you will be able to specify the privileges that the MWADMIN role should have on all WebLogic servers in the WeblogicServer Group.
Since we are creating the MWADMIN role, select [Group Administration] and [Full]. This will give full access to both the Group and Middleware targets as Administrator.
Press [Continue] and then [Next]
Enterprise Manager resources and operations specific to the MWADMIN role are set through [Resource Privileges]. For target-specific roles, never change these settings. If you want to limit or change access, do it in a separate EM role instead and try to keep your roles simple. As seen in the first step, a user can have several roles and a role can inherit privileges from other roles.
The next step lets you specify which users should have the privileges of our newly created role. Set it in this view, or go into specific users afterwards and add the new role.
We are now at the final review stage of the process.
Press [Finish] and we have successfully created a new Role.
If you apply the MWADMIN role as the only role to a user, this user will only have access to the WebLogic servers in Enterprise Manager. All other targets such as database listeners etc. will be hidden and not even visible in the summary page.
Middleware Admins should of course have read access to all targets. A role called [EM_ALL_ADMINISTRATORS] is already there, and should be applied to your middleware admins.
If you want to give your DBAs read access to your WebLogic group, create a new role called DBADMIN, and just give the role [View] privileges to your WeblogicServers group. This way you know that your WebLogic servers are safe.
With the right privileges set, it is good practice to create developer roles that can view status and even download log files from your production environments, all without security risk.












