Restricted View is Not So Bad!
You are going on vacation and have booked a hotel with beautiful views, but when you arrive you discover that your room can only see the beautiful beach if you crane your neck out of the window and look at an angle. That is pretty frustrating for a vacation, but often that is exactly what we want to achieve with SOA Suite. For example, we may want the finance department's composites to not be visible to the HR department, and vice versa.
You often want to restrict the visibility of composites, for example keeping departments separated from each other. This separation of concerns is a hallmark of good governance and many SOA Suite customers have this requirement, controlling who can see which composites.
In 11g the only fully supported way to do this was to run a separate domain for each department, and many customers did this. Alternatively other customers created a custom admin application that enforced departmental segmentation on a single domain. The first solution is heavy on machine resources and administrative overhead, the second requires custom coding and adds a maintenance overhead.
12.1.3 to the Rescue
In 12.1.3 the partitions support custom application roles that grant access only to the given partition. Users granted the role on the Finance partition will be able to see only information related to that partition; other partitions will not be visible to them. This allows the Finance and HR departments to share the same domain but still not be able to see each other's composites. This is documented in section 7.3 Securing Access to Partitions of the document Oracle® Fusion Middleware Administering Oracle SOA Suite and Oracle Business Process Management Suite.
Making it Work
The following steps enable you to set up partition level access.
1. Create a Partition
From the EM console right click soa-infra and select Manage Partitions. This will take you to the partition management page.
From here click the Create button to bring up the Create New SOA Partition dialog which will allow you to choose a name for the partition (which cannot be changed) and a work manager to associate with the partition.
2. Create a User
Using the EM or WebLogic console create a new user such as FinanceMonitor that will have restricted access to the domain. This user should be assigned to the Monitor group.
3. Grant Role to User
Using the EM console right click soa-infra and select Security->Application Roles. This will take you to the Application Roles page.
From this page scroll down to find the role you want to assign and then click edit which will take you to the Edit Application Role page.
Here you can click Add to add a user, group or another role to this role.
Your user now has restricted access to the domain, being limited to his role on the given partition.
4. Test Access
We can test that the access is working as expected by logging on to the EM console as our new restricted partition user.
Note that our new user can only see the partition to which he has been assigned a role.
There are several roles available; each partition has the same set of roles, prefixed with the partition name. The available roles are described in Table 7-2 Partition Roles.
So the HR partition would have the roles HR_Composer, HR_Deployer etc.
Note that these roles are each quite restrictive. For example our FinanceMonitor user cannot use the Test button because he lacks the Finance_Tester role. A Finance_Tester cannot see the flow trace. To enable our FinanceMonitor to run tests we would have to grant him the Finance_Tester role as well.
As an alternative to assigning multiple roles to a user or group, you could create a new role and grant it the roles you require.
If you see a blank screen when logging in it is likely that you forgot to assign the monitor role to your user.
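The same four steps can be scripted rather than clicked through in the EM console. The WLST (Jython) script below is an added example and is not part of the original post or Oracle's documentation; it uses the SOA WLST command sca_createPartition, the WebLogic DefaultAuthenticator MBean for user and group management, and the OPSS commands grantAppRole and listAppRoleMembers. The admin URL, credentials, the partition name Finance, the user FinanceMonitor, and the role names Finance_Monitor and Finance_Tester (following the partition-prefix convention described above) are assumptions; the built-in WebLogic "Monitors" group is assumed to be the Monitor group referred to in step 2.

```jython
# Added example (WLST / Jython), not from the original post. Scripts the
# partition-level access set-up that the post performs in the EM console.
# Run with the SOA-aware WLST: $ORACLE_HOME/soa/common/bin/wlst.sh <this file>

ADMIN_URL  = 't3://adminhost.example.com:7001'   # assumed
ADMIN_USER = 'weblogic'                          # assumed
ADMIN_PASS = 'CHANGE_ME'                         # placeholder
PARTITION  = 'Finance'                           # assumed partition name
NEW_USER   = 'FinanceMonitor'                    # restricted user from the post
NEW_PASS   = 'CHANGE_ME_TOO'                     # placeholder
SOA_STRIPE = 'soa-infra'                         # OPSS application stripe for SOA
USER_CLASS = 'weblogic.security.principal.WLSUserImpl'
ROLES      = ['Monitor', 'Tester']               # Monitor to view, Tester for the Test button

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)

# Step 1: create the partition (its name cannot be changed afterwards).
sca_createPartition(PARTITION)

# Step 2: create the user in the default authenticator and put it in the
# Monitors group. Without group membership the user gets the blank EM screen
# mentioned in the post.
realm = cmo.getSecurityConfiguration().getDefaultRealm()
atn = realm.lookupAuthenticationProvider('DefaultAuthenticator')
if atn.userExists(NEW_USER) == 0:
    atn.createUser(NEW_USER, NEW_PASS, 'Restricted monitor for the Finance partition')
if atn.isMember('Monitors', NEW_USER, true) == 0:
    atn.addMemberToGroup('Monitors', NEW_USER)

# Step 3: grant only the partition-scoped application roles. Each role name is
# <Partition>_<Role>, so nothing outside the Finance partition becomes visible.
for role in ROLES:
    grantAppRole(appStripe=SOA_STRIPE, appRoleName=PARTITION + '_' + role,
                 principalClass=USER_CLASS, principalName=NEW_USER)

# Step 4: verify the grants before handing the account over; the user should
# appear as a member of exactly these roles and no others.
for role in ROLES:
    print 'Members of %s_%s:' % (PARTITION, role)
    listAppRoleMembers(appStripe=SOA_STRIPE, appRoleName=PARTITION + '_' + role)

disconnect()
```

The grant is made at the partition role level rather than to the domain-wide SOA roles, which is what keeps the user confined to one partition. Dropping 'Tester' from ROLES gives the read-only FinanceMonitor the post describes; keeping it is the scripted equivalent of additionally granting Finance_Tester so the user can run tests.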
The partitions in SOA Suite 12.1.3 are much more useful than those in 11g and allow separation of roles to control visibility and functionality available to EM users. This is very easy to set up and manage.