47 Configuring Administrative Security

To give users access to administrative functions such as creating proxy services, you assign them to one of four security roles with pre-defined access privileges. A security role is an identity that can be dynamically conferred upon a user or group based on conditions that are evaluated at runtime. You cannot change the access privileges for the Oracle Service Bus administrative security roles, but you can change the conditions under which a user or group is in one of the roles.

The following sections describe administrative security for Oracle Service Bus:

Section 47.1, "Administrative Security Roles and Privileges"
Section 47.2, "Administrative Security Groups"
Section 47.3, "Configuring Administrative Security: Main Steps"

For more information about security roles, see "Users, Groups, and Security Roles" in Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server.

47.1 Administrative Security Roles and Privileges

Table 47-1 describes the Oracle Service Bus administrative security roles and summarizes their access privileges.

Table 47-1 Oracle Service Bus Administrative Security Roles

Role	Pre-Defined Access Privileges
IntegrationAdmin and IntegrationDeployer	Has complete access to all Oracle Service Bus resources, including the ability to create, edit, or delete user names, passwords, and credential alias bindings in service accounts and service key providers. The user names and passwords that this role can create are used only by service accounts for outbound authentication; they are not used to authorize access to Oracle Service Bus resources. Cannot create, edit, or delete users, groups, roles, or access control policies in the Security Configuration module of the Oracle Service Bus Console.
IntegrationOperator	This group has the following privileges: Has read access to all Oracle Service Bus resources. Cannot export resources. Has access to create, view, edit and delete alert rules. Has access to session management, including create, commit, discard and undo of sessions. Cannot view all sessions. Has access to create, edit, view and delete operational settings of services.
IntegrationMonitor	Has read access to all Oracle Service Bus resources. Cannot export resources.

Role

Pre-Defined Access Privileges

IntegrationAdmin and IntegrationDeployer

Has complete access to all Oracle Service Bus resources, including the ability to create, edit, or delete user names, passwords, and credential alias bindings in service accounts and service key providers. The user names and passwords that this role can create are used only by service accounts for outbound authentication; they are not used to authorize access to Oracle Service Bus resources.

Cannot create, edit, or delete users, groups, roles, or access control policies in the Security Configuration module of the Oracle Service Bus Console.

IntegrationOperator

This group has the following privileges:

Has read access to all Oracle Service Bus resources.
Cannot export resources.
Has access to create, view, edit and delete alert rules.
Has access to session management, including create, commit, discard and undo of sessions. Cannot view all sessions.
Has access to create, edit, view and delete operational settings of services.

IntegrationMonitor

Has read access to all Oracle Service Bus resources.
Cannot export resources.

Note:

In this release, IntegrationAdministrators and IntegrationDeployers have the same privileges. This might change in future releases.

The Oracle Service Bus roles have permission to modify only Oracle Service Bus resources; they do not have permission to modify Oracle WebLogic Server or other resources on Oracle WebLogic Server. To give permission to modify Oracle WebLogic Server its other resources, add a user to one of the Oracle WebLogic Server security roles described in Table 47-2. In each Oracle Service Bus domain, make sure that you add at least one user to the Admin role.

Table 47-2 Oracle WebLogic Server Security Roles

Oracle WebLogic Server Role	Default Access Privileges
Admin	Has complete access to all Oracle WebLogic Server and Oracle Service Bus objects and functions, including the ability to create, edit, or delete users, groups, roles, or access control policies.
Deployer	Has read access to all objects. Can create, delete, edit, import or export resources, services, service key providers, or projects.
Operator	Has read and export access to all objects. Can configure alerts, enable or disable metric collection, and suspend or resume services.
Monitor	Has read access to all objects. Can export any resource, service, service key provider, or project.

47.1.1 Role-Based Access in the Oracle Service Bus Console

Table 47-3 through Table 47-8 show the actions that each Oracle Service Bus security role can perform in the Oracle Service Bus Console.

Permission to perform an action is indicated by a (Y) in the table. Only the Oracle WebLogic Server Admin role has Security Configuration privileges.

Table 47-3 Role-Based Operations Access in Oracle Service Bus Console

Actions	Integration Admin	Integration Deployer	Integration Operator	Integration Monitor
View Statistics	Y	Y	Y	Y
Reset Statistics	Y	Y	Y	N
View Alerts	Y	Y	Y	Y
Delete Alerts	Y	Y	Y	N
View Alert History	Y	Y	Y	Y
View Server Summary	Y	Y	Y	Y
View Dashboard Settings	Y	Y	Y	Y
Set Dashboard Settings	Y	Y	Y	Y
Set Smart Search Settings	Y	Y	Y	N
View Smart Search Settings	Y	Y	Y	Y
Set Global Settings	Y	Y	Y	N
View Global Settings	Y	Y	Y	Y
Set Tracing Settings	Y	Y	Y	N
View Tracing Settings	Y	Y	Y	N
View Message Reports	Y	Y	Y	Y
Purge Messages	Y	Y	Y	N

Table 47-4 Role-Based Resource Browser Access in Oracle Service Bus Console

Actions	Integration Admin	Integration Deployer	Integration Operator	Integration Monitor
Create Proxy Service	Y	Y	N	N
View Proxy Service	Y	Y	Y	Y
Edit Proxy Service	Y	Y	N	N
Delete Proxy Service	Y	Y	N	N
Create Business Service	Y	Y	N	N
View Business Service	Y	Y	Y	Y
Edit Business Service	Y	Y	N	N
Delete Business Service	Y	Y	N	N
Create WSDLs	Y	Y	N	N
View WSDLs	Y	Y	Y	Y
Edit WSDLs	Y	Y	N	N
Delete WSDLs	Y	Y	N	N
Create XML Schemas	Y	Y	N	N
View XML Schemas	Y	Y	Y	Y
Edit XML Schemas	Y	Y	N	N
Delete XML Schemas	Y	Y	N	N
Create WS-Policy	Y	Y	N	N
View WS-Policy	Y	Y	Y	Y
Edit WS-Policy	Y	Y	N	N
Delete WS-Policy	Y	Y	N	N
Create XQuery	Y	Y	N	N
View XQuery	Y	Y	Y	Y
Edit XQuery	Y	Y	N	N
Delete XQuery	Y	Y	N	N
Create XSLT	Y	Y	N	N
View XSLT	Y	Y	Y	Y
Edit XSLT	Y	Y	N	N
Delete XSLT	Y	Y	N	N
Create MFL	Y	Y	N	N
View MFL	Y	Y	Y	Y
Edit MFL	Y	Y	N	N
Delete MFL	Y	Y	N	N
Create JARs	Y	Y	N	N
View JARs	Y	Y	Y	Y
Edit JARs	Y	Y	N	N
Delete JARs	Y	Y	N	N
Create Service Account	Y	Y	N	N
View Service Account	Y	Y	Y	Y
Edit Service Account	Y	Y	N	N
Delete Service Account	Y	Y	N	N
Create service key provider	Y	Y	N	N
View service key provider	Y	Y	Y	Y
Edit service key provider	Y	Y	N	N
Delete service key provider	Y	Y	N	N
Create Alert Rule	Y	Y	Y	N
View Alert Rule	Y	Y	Y	Y
Edit Alert Rule	Y	Y	Y	N
Delete Alert Rule	Y	Y	Y	N

Table 47-5 Role-Based Project Explorer Access in Oracle Service Bus Console

Actions	Integration Admin	Integration Deployer	Integration Operator	Integration Monitor
Create Project	Y	Y	N	N
View Project	Y	Y	Y	Y
Edit Project	Y	Y	N	N
Delete Project	Y	Y	N	N
Create Folder	Y	Y	N	N
View Folder	Y	Y	Y	Y
Edit Folder	Y	Y	N	N
Delete Folder	Y	Y	N	N

Table 47-6 Role-Based Security Configuration Access in Oracle Service Bus Console

Actions	Integration Admin	Integration Deployer	Integration Operator	Integration Monitor
Create User	N	N	N	N
View User	Y	Y	Y	Y
Edit User	N	N	N	N
Delete User	N	N	N	N
Create Group	N	N	N	N
View Group	Y	Y	Y	Y
Edit Group	N	N	N	N
Delete Group	N	N	N	N
Create Role	N	N	N	N
View Role	Y	N	N	N
Edit Role	N	N	N	N
Delete Role	N	N	N	N
Create Policy	N	N	N	N
View Policy	N	N	N	N
Edit Policy	N	N	N	N
Delete Policy	N	N	N	N

Table 47-7 Role-Based System Administration Access in Oracle Service Bus Console

Actions	Integration Admin	Integration Deployer	Integration Operator	Integration Monitor
Import Resources	Y	Y	N	N
Export Resources	Y	Y	N	N
Create UDDI Registries	Y	Y	N	N
View UDDI Registries	Y	Y	Y	Y
Edit UDDI Registries	Y	Y	N	N
Delete UDDI Registries	Y	Y	N	N
Import from UDDI	Y	Y	N	N
Synchronize Auto-Import Status	Y	Y	Y	Y
Detach UDDI	Y	Y	N	N
Publish to UDDI	Y	Y	N	N
Auto-Publish Status	Y	Y	Y	Y
Publish Auto-Publish Status	Y	Y	N	N
Create JNDI Providers	Y	Y	N	N
View JNDI Providers	Y	Y	Y	Y
Edit JNDI Providers	Y	Y	N	N
Delete JNDI Providers	Y	Y	N	N
Create SMTP Servers	Y	Y	N	N
View SMTP Servers	Y	Y	Y	Y
Edit SMTP Servers	Y	Y	N	N
Delete SMTP Servers	Y	Y	N	N
Find Value (Customization)	Y	Y	N	N
Replace With (Customization)	Y	Y	N	N
Create File (Customization)	Y	Y	N	N
Select File (Customization)	Y	Y	N	N
Select Items (Customization)	Y	Y	N	N
Execute File (Customization)	Y	Y	N	N

Table 47-8 Role-Based Change Center Access in Oracle Service Bus Console

Actions	Integration Admin	Integration Deployer	Integration Operator	Integration Monitor
Edit Session	Y	Y	Y	N
View All Sessions	Y	Y	N	N
View Changes	Y	Y	Y	N
Activate Changes	Y	Y	Y	N
Discard Changes	Y	Y	Y	N
Exit Session	Y	Y	Y	N

47.2 Administrative Security Groups

To facilitate the process of assigning users to the pre-defined administrative roles, Oracle Service Bus also provides four corresponding security groups. While membership in a role is dynamic, membership in a group is static: an administrator places a user in a group and the user remains in the group until the administrator changes the assignment.

In the simplest scenario for configuring administrative security, you create a user, add the user to one of the four administrative groups, and the user is automatically always a member of the corresponding role with all of the pre-defined access privileges.

In a more complex scenario, you might create two of your own groups, MyAdministratorsEast and MyAdministratorsWest, and assign users appropriately. You configure the pre-defined IntegrationAdmin security role so that the MyAdministratorsWest group is in the role from 8am to 8pm EST, while the MyAdministratorsEast group is in the role from 8pm to 8am EST.

Table 47-9 describes the administrative groups that Oracle Service Bus provides. You can create your own groups in addition to these.

Table 47-9 Oracle Service Bus Groups

By Default, This Group...	Is Always in This Role...
IntegrationAdministrators	IntegrationAdmin. See Table 47-1.
IntegrationDeployers	IntegrationDeployer. See Table 47-1.
IntegrationOperators	IntegrationOperator. See Table 47-1.
IntegrationMonitors	IntegrationMonitor. See Table 47-1.

47.3 Configuring Administrative Security: Main Steps

You can create or modify users, groups, and roles when you are in or out of an Oracle Service Bus session. Any additions or modifications to this data take effect immediately and are available to all sessions. If you discard a session in which you added or modified the data, the security data is not discarded.

To configure administrative security:

Log in to the Oracle Service Bus Console with a user account that is in the Oracle WebLogic Server Admin role.
(Optional) Create your own security groups.

See "Adding Groups" in the Oracle Fusion Middleware Administrator's Guide for Oracle Service Bus.
Create users and assign them to one of the Oracle Service Bus groups or one of your own groups.

See "Adding Users" in the Oracle Fusion Middleware Administrator's Guide for Oracle Service Bus.
(Optional) Modify the conditions under which users and groups are in the pre-defined Oracle Service Bus security roles.

By default, the four default groups are always in the Oracle Service Bus security roles, but you can change this default. To more easily manage your list of users, Oracle recommends that you never add users directly to a role. Instead, add users to a group and add the group to the role.

See "Adding Roles" in the Oracle Fusion Middleware Administrator's Guide for Oracle Service Bus.