Read-Only Users for Oracle BPEL and ESB Consoles, SOA 10.1.3.3

ANT script for creating Restricted Users on Oracle BPEL and ESB console for Oracle Application Server 10.1.3.3.
The default config creates two users viz. bpelReadOnly2/welcome1 and esbReadOnly2/welcome1 with Restricted Privileges.
Tested on OEL and Windows.


Steps for Creating Restricted Users
1. Set the deploy.properties to your target Application Server Instance.
2. Set the setenv.sh/setenv.bat to your target Application Server Instance.
3. Run ANT command.

Steps for Removing Restricted Users
1. Set the deploy.properties to your target Application Server Instance.
2. Set the setenv.sh/setenv.bat to your target Application Server Instance.
3. Set default task in build.xml to default="uninstall"
4. Run ANT command.


Note that the values for deploy.properties can be obtained from %OracleAS%\bpel\utilities\ant-orabpel.properties.
Also make sure that you have cleared the browser cache before testing.

1. Roles are specified in Config/Config.txt.

2. The users to be created are specified in Config/usersAndRoles.xml. Users under usersWithAdmin are granted Admin privileges for BPEL and ESB, while users under usersWithReadOnly are granted read-only privileges for the BPEL and ESB consoles. The create attribute in usersAndRoles.xml determines whether a user should be created or only associated with a role.

3. The BPEL Console permissions can be controlled by changing the JSP page access in webComponents/FilterList.txt. The following are the default restrictions:
3.1. No access to Administer BPEL domain
3.2. No access to Deploy New BPEL Processes
3.3. No access to initiate BPEL processes
3.4. No access to Clear WSDL Cache
3.5. No access to perform manual recovery
3.6. No access to refresh Alarm Table
3.7. No access to View Process Log
3.8. No access to Bulk Update
3.9. No access to Purge Instances
3.10. No access to Purge Sensor Data

The permissions available for a restricted BPEL user are:
3.11. Access Instances and Search Specific Instance IDs, or States
3.12. Access to Activities for retrying faulted instances.
3.13. Access to view BPEL Processes listing
3.14. Access to view the Dashboard.


4. The ESB Console restrictions are:
4.1. No access to routing rules
4.2. No access to create or delete System or Service Groups
4.3. No access to delete System, Service Groups or Services
4.4. No access to move services
4.5. No access to Create, Import, Export or Update DVMs.

The permissions available for a restricted ESB user are:
4.6. Access to Diagram Tab
4.7. Access to Definition Tab
4.8. Access to Properties Tab
4.9. Access to Trackable Fields

Deployment Logic:
Creating ANT scripts for read only user for BPEL and ESB consoles.
The script allows the following configurations:
1. User can define the admin and viewer roles.
2. A custom error.jsp page that the servlet filter will forward to when the filter is satisfied.

The code is an extension to Chintan Shah's code.

The logic for the same is as follows:
1. Script loads Config.txt and creates admins and viewers roles on Oracle App Server. Note that these roles have the "Grant RMI Login Permission" privilege.
First, the user is created.
Then, roles are associated with these users and created.


2. Then the script loads usersAndRoles.xml and creates/associates usersWithAdmin users with the admins role and usersWithReadOnly users with the viewers role.
Creation/Association is controlled by the create="true|false" attribute.
3. The script then replaces the viewers and admins tokens in Config/web.xml and Config/orion-web.xml.

4. The script then copies required classes to
%OracleAS%\j2ee\OC4J_SOA\applications\orabpel\console\WEB-INF
And Config.txt, FilterList.txt to
%OracleAS%\j2ee\OC4J_SOA\applications\orabpel\console\WEB-INF\classes
5. Then the script copies webComponents/error.jsp to
%OracleAS%\j2ee\OC4J_SOA\applications\orabpel\console
And Config/web.xml to
%OracleAS%\j2ee\OC4J_SOA\applications\orabpel\console\WEB-INF
And Config/orion-web.xml to
%OracleAS%\j2ee\OC4J_SOA\application-deployments\orabpel\console

This completes the BPEL read-only configuration.
For ESB read-only, the script performs the following tasks:
1. Copy and overwrite webComponents/controller.ServiceNavigator.js to
%soasuite%/j2ee/oc4j_soa/applications/esb-dt/esb_console/esb/commands/
2. Copy and overwrite webComponents/controller.ESBController.js to
%soasuite%/j2ee/oc4j_soa/applications/esb-dt/esb_console/esb/commands/

Finally, the ANT script restarts the App Server so that the imported classes are loaded.
At each stage, wherever a change is made to an existing file, a timestamp-based backup is created.
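
An added example, not part of the original script: a check that each OC4J instance actually holds the files the steps above copy verbatim, since an instance that missed a copy would still serve the unpatched console files. The OC4J_SOA2 instance name, the patch directory name and the file contents are constructed for the demo; web.xml and orion-web.xml are skipped because the script rewrites their role tokens.

```python
import tempfile
from pathlib import Path

# Patch file -> directory under an OC4J instance home, from the copy steps above.
# web.xml and orion-web.xml are omitted: their role tokens are rewritten first.
BPEL = "applications/orabpel/console"
ESB = "applications/esb-dt/esb_console/esb/commands"
COPIES = {
    "Config/Config.txt": BPEL + "/WEB-INF/classes",
    "webComponents/FilterList.txt": BPEL + "/WEB-INF/classes",
    "webComponents/error.jsp": BPEL,
    "webComponents/controller.ServiceNavigator.js": ESB,
    "webComponents/controller.ESBController.js": ESB,
}

def state(patch_file, deployed):
    """Compare one deployed file with its patch source, byte for byte."""
    if not deployed.is_file():
        return "missing"
    return "ok" if deployed.read_bytes() == patch_file.read_bytes() else "differs"

def verify_instance(patch_dir, home):
    """Return {patch file: 'ok' | 'missing' | 'differs'} for one instance home."""
    return {src: state(Path(patch_dir, src), Path(home, target, Path(src).name))
            for src, target in COPIES.items()}

def unpatched(patch_dir, homes):
    """Map each instance that is not fully patched to its failing files."""
    reports = {Path(h).name: verify_instance(patch_dir, h) for h in homes}
    bad = {n: {s: r for s, r in rep.items() if r != "ok"} for n, rep in reports.items()}
    return {n: b for n, b in bad.items() if b}

def build_demo(root):
    """Constructed sample: OC4J_SOA2 (hypothetical second instance) is half patched."""
    patch = Path(root, "patch")
    homes = [Path(root, "j2ee", name) for name in ("OC4J_SOA", "OC4J_SOA2")]
    for source, target in COPIES.items():
        for base in [patch / Path(source).parent] + [h / target for h in homes]:
            base.mkdir(parents=True, exist_ok=True)
            (base / Path(source).name).write_text("patched " + source)
    (homes[1] / BPEL / "WEB-INF/classes/FilterList.txt").write_text("pre-patch")
    (homes[1] / ESB / "controller.ESBController.js").unlink()
    return patch, homes

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(unpatched(*build_demo(tmp)))
```

For a real installation, pass the unpacked patch directory and the j2ee/<instance> home of every OC4J instance to unpatched(); an empty result means every listed file matches.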

Resources:
1. http://chintanblog.blogspot.com/2007/12/i-saw-numerous-people-asking-about-bpel_290.html
2. http://download-west.oracle.com/docs/cd/B14099_19/core.1012/b13995/cmdline.htm

The zip file for the script is located here:
ReadOnlyPatch

Comments (2)

rao manchi:

The ant (build.xml) is failing when deploying on the cluster
because of different oc4j instances.

The copy commands are failing because of the file paths.

Do we have a modified script for cluster deployment?

BTW: It works perfectly in a single node install.

thanks
-Rao

LGk:

How to handle other domains like test? We are able to use it for default but we would like setup for other domains too.
Can you please help us?

About This Entry

This page contains a single entry from the blog posted on May 3, 2009 11:45 PM.
