Blog 14/02/2014

BPM workspace: Scripted security


When implementing BPM processes, application roles can be defined; these are created in the policy store. To enable users to work with the processes, groups are assigned to these application roles, and users are of course assigned to their respective groups. Management of the BPM process application roles is available in Enterprise Manager Fusion Middleware Control or in the BPM workspace.

Let's first use Fusion Middleware Control. We need to go to the Security section (Application Roles).

[image: em_menu_security_approles]

Choose application stripe: OracleBPMProcessRolesApp. This stripe contains all BPM process roles.

[image: em_approles]

Edit the application role to add or remove principals (users, groups or other application roles).

[image: em_edit_approle]

[image: em_add_principal]

Be sure you save your changes or they are lost.

We can do the security mapping within the BPM workspace as well. You need to have the correct permissions for this.

Go to 'Administration' in the BPM workspace.

[image: bpm_ws_menu]

Select the application role you want to manage. Beware: do not mistake the 'escalation path' items for grants.

[image: bpm_ws_details_approle]

In the BPM workspace application you can grant the application role to users, groups and/or other application roles.

[image: bpm_ws_add_principal]

Again, make sure you save your work.

But there is another way to apply these configuration changes. With WLST (WebLogic Scripting Tool) you can do almost anything you can do in EM or the console through scripts.

Managing application roles through WLST is simple. There is a whole list of commands available to manage security (check the online WLST command reference).

Start WLST from oracle_common, so the correct OPSS libraries are loaded. If you need help with a WLST command, just type, for example, help('listAppStripes').

$MW_HOME/oracle_common/common/bin/wlst.sh
connect('whlogic','rocks','t3://soasuite.whitehorses.nl:7001')
help('listAppRoles')

Which application stripes (also called application contexts) do we have?

listAppStripes()
Already in Domain Runtime Tree

OracleBPMComposerRolesApp
OracleBPMProcessRolesApp
b2bui
oracle-bam#11.1.1
soa-infra

Next we want to see what application roles are present in this application stripe.

listAppRoles('OracleBPMProcessRolesApp')
Already in Domain Runtime Tree

[ [Principal Clz Name : oracle.security.jps.service.policystore.ApplicationRole, Principal Name : BPMProcessAdmin, Type : APP_ROLE], Display Name : BPM Admin Role, Description : BPM application admin role, has full privilege for performing any operations including security related, Guid : AB659440D35811E2BFA12381EAEAC78D]
[ [Principal Clz Name : oracle.security.jps.service.policystore.ApplicationRole, Principal Name : e.Administratie, Type : APP_ROLE], Display Name : Intake.Administratie, Description : null, Guid : D47186A0F45A11E28F7E0FB393B77198]

Let's see which grants have been made for this role.

listAppRoleMembers(appStripe='OracleBPMProcessRolesApp',appRoleName='e.Administratie')
Already in Domain Runtime Tree
[Principal Clz Name : weblogic.security.principal.WLSGroupImpl, Principal Name : Operators, Type : ENT_ROLE]
[Principal Clz Name : weblogic.security.principal.WLSGroupImpl, Principal Name : Administratief, Type : ENT_ROLE]

Now let's grant the e.Administratie application role to the Integration & Application Talents group.

grantAppRole("OracleBPMProcessRolesApp","e.Administratie","weblogic.security.principal.WLSGroupImpl","Integration & Application Talents")

Revoking is just as simple. It's only a different function.

revokeAppRole("OracleBPMProcessRolesApp","e.Administratie","weblogic.security.principal.WLSGroupImpl","Integration & Application Talents")

When clustering is involved, you need to be aware of some things. When you are using the default policy store provider, everything is stored in an XML file ($WL_DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml) on the local filesystem of the AdminServer or of the WebLogic server serving your BPM Workspace session, so a grant made on one node is not automatically visible on the others.

[image: em_approles_policy_store_provider]

If you are working with such a configuration in a cluster, you should change it to an enterprise-class configuration, for example Oracle Internet Directory (OID) or a database-based policy store provider.
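As an added example that is not part of the original post, the script below reads the file-based policy store mentioned above and lists the grants per application stripe, which is the offline counterpart of the WLST listAppRoleMembers() call shown earlier and is handy for reviewing who holds which BPM process role on each node. It assumes the element layout of system-jazn-data.xml reproduced in the constructed sample (application > app-roles > app-role > members); the role and principal names in the sample are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of system-jazn-data.xml
# (application stripe -> app-roles -> members). Names are made up.
SAMPLE_JAZN = """<jazn-data><policy-store><applications><application>
 <name>OracleBPMProcessRolesApp</name>
 <app-roles>
  <app-role><name>BPMProcessAdmin</name><members>
   <member><class>weblogic.security.principal.WLSGroupImpl</class>
           <name>Administrators</name></member>
  </members></app-role>
  <app-role><name>e.Administratie</name><members>
   <member><class>weblogic.security.principal.WLSGroupImpl</class>
           <name>Operators</name></member>
   <member><class>weblogic.security.principal.WLSUserImpl</class>
           <name>jdoe</name></member>
  </members></app-role>
 </app-roles>
</application></applications></policy-store></jazn-data>"""


def list_app_role_members(jazn_xml, stripe):
    """Map role name -> [(principal class, principal name)] for one
    application stripe; returns {} when the stripe is not present."""
    root = ET.fromstring(jazn_xml)
    grants = {}
    for app in root.iterfind("policy-store/applications/application"):
        if app.findtext("name") != stripe:
            continue
        for role in app.iterfind("app-roles/app-role"):
            grants[role.findtext("name")] = [
                (m.findtext("class"), m.findtext("name"))
                for m in role.iterfind("members/member")]
    return grants


def direct_user_grants(grants):
    """Roles granted to individual users instead of groups; these are
    worth a second look because they sidestep group-based management."""
    return sorted((role, name) for role, members in grants.items()
                  for cls, name in members if cls.endswith("WLSUserImpl"))


if __name__ == "__main__":
    # On a real domain, read $WL_DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml
    grants = list_app_role_members(SAMPLE_JAZN, "OracleBPMProcessRolesApp")
    for role, members in grants.items():
        print(role, "->", members)
    print("direct user grants:", direct_user_grants(grants))
```

Run it against the copy of system-jazn-data.xml from each node to spot grants that were only applied on one server.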


References

Oracle Fusion Middleware Application Security Guide, "Configuring the OPSS Security Store"
Oracle Fusion Middleware WebLogic Scripting Tool Command Reference
