BPEL PM allows you to have a fine grained user access at domain level. That means that if you want to restrict a user to a domain (or set of domains) then you should be able to perform this task by following these simple steps.
I am assuming that we have a domain called “development” and we want to have users (e.g. “devuser”) with only “devrole” privilege to have access to this domain.
To achieve this we need to perform two task, first create user, role at application server and then update security realm using enterprise manager console.
To simplify this, i have scripted first half of the task. It basically creates role “devrole”, assigned domain permissions to “devrole”, create user “devuser” and grant role “devrole” to this user.
set OH=C:\oracle\ora10g\soasuite
set JH=%OH%/jdk
set ADMIN_USER=oc4jadmin
set ADMIN_PWD=oc4jadmin
set ROLE_NAME=devrole
set USER_NAME=devuser
set USER_PWD=welcome1
set DOMAIN_NAME=development
%JH%/bin/java -Xbootclasspath/a:%OH%/bpel/lib/orabpel-boot.jar -jar %OH%/j2ee/home/jazn.jar -user %ADMIN_USER% -password %ADMIN_PWD% -addrole jazn.com %ROLE_NAME%
%JH%/bin/java -Xbootclasspath/a:%OH%/bpel/lib/orabpel-boot.jar -jar %OH%/j2ee/home/jazn.jar -user %ADMIN_USER% -password %ADMIN_PWD% -grantperm jazn.com -role %ROLE_NAME% com.collaxa.security.DomainPermission %DOMAIN_NAME% all
%JH%/bin/java -Xbootclasspath/a:%OH%/bpel/lib/orabpel-boot.jar -jar %OH%/j2ee/home/jazn.jar -user %ADMIN_USER% -password %ADMIN_PWD% -listperms jazn.com -role %ROLE_NAME%
%JH%/bin/java -Xbootclasspath/a:%OH%/bpel/lib/orabpel-boot.jar -jar %OH%/j2ee/home/jazn.jar -user %ADMIN_USER% -password %ADMIN_PWD% -adduser jazn.com %USER_NAME% %USER_PWD%
%JH%/bin/java -Xbootclasspath/a:%OH%/bpel/lib/orabpel-boot.jar -jar %OH%/j2ee/home/jazn.jar -user %ADMIN_USER% -password %ADMIN_PWD% -grantrole %ROLE_NAME% jazn.com %USER_NAME%
Second half task is little bit manual, i would try to script it but for the time being lets do it from EM console.
- Logon to the application server control console, and from the cluster topology, expand the BPEL container. Scroll down and click on orabpel.
- Navigate to Administration -> Security Provider -> Realms
- Click on the number under Roles. Click on Create and add the name you’ve given your new role (e.g. devrole) and check “Grant RMI Login Permission”. Click Apply.
- Go back to the Security Provider page, and click on the number under Users.
- Click create and enter the name of your user and the password In our example, the user name would be “devuser” and the password “welcome1”.
- Assign this user the new role “devrole” and Click OK.
- Now, open the system-jazn-data.xml file in directory ORACLE_HOME/j2ee/oc4j_soa/config for edit.
- In a section titled <jazn-realm> and under that a section labeled <users>. Scroll down and verify that the user you’ve just created on the application server console is listed there.
- In a section labeled <roles>. Verify that the role you’ve just created is listed there and that your user is listed as a member of this group. (Group and role are synonymous in BPEL.)
- Scroll down further to the section labeled . Look for the permissions granted to your new role; you will see something like
- We will need to add the domain permission here. So, add the following text replacing domain name with our domain name “development”.
<permission>
<class>com.collaxa.security.DomainPermission</class>
<name>DOMAIN_NAME</name>
<actions>all</actions>
</permission>
- Restart the server
- Try to login as “devuser”. You will see that the console comes up in the domain specified for this user. In the drop down list at the top, the user will be able to see any other domains but will be unable to access them.
