Authorization Model in SOA Suite 11g by Shawn Bailey
By Juergenkress-Oracle on Apr 19, 2013
Figuring out how authorization works in SOA Suite 11g between the WebLogic Console and Enterprise Manager can seem daunting. This blog post aims to clarify how the two parts work together and, hopefully, to demonstrate that it is not as complicated as it may first appear.
In SOA Suite 11g there is one Authentication stack and two Authorization stacks:
- Authentication is handled by WebLogic Server and is based on the order and control flags set for the Authentication Providers in the Security Realm.
- Authorization is split between the Global Role definitions in WebLogic Server and the SOA Application Roles in Fusion Middleware Control (EM). WLS Roles govern the interactions in the WLS Console while the SOA Roles control permissions on SOA resources / activities. In most cases the users will need access to both.
Let's describe the authorization stacks independently:
In WLS there are Global Roles defined out of the box that apply to the WebLogic Console. For our purposes we will focus on the 'Admin' Global Role, as it has a counterpart in EM and is representative of the other roles as well. In the standard domain this role has a single membership condition, which is for the pre-configured Group 'Administrators'. This means that any user who is a member of a group called 'Administrators' will be granted the permissions of the 'Admin' Global Role in WLS. This is important because, in order for a user to log in to the WLS or EM consoles, they must have permissions for at least one of the WLS Global Roles, either through a Group or individual association. Read the full article here.
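The login condition described above, as an added example (not code from the original post or from Oracle): a simplified model that resolves group and individual associations and reports which accounts hold 'Admin' and which cannot log in to the consoles. It also follows nested groups, which goes beyond what the post states; all users, groups other than 'Administrators', and the 'Monitor' role entry are constructed sample data.

```python
"""Simplified model of WLS Global Role evaluation (illustration only)."""
from dataclasses import dataclass, field

@dataclass
class GlobalRole:
    name: str
    groups: set = field(default_factory=set)  # group membership conditions
    users: set = field(default_factory=set)   # individual associations

def effective_groups(user, members):
    """Every group the user is in, directly or through nested groups.
    `members` maps a group name to the set of its member names."""
    found, frontier = set(), {user}
    while frontier:
        # Groups not yet seen that contain anything found in the last pass.
        frontier = {g for g, m in members.items()
                    if g not in found and m & frontier}
        found |= frontier
    return found

def roles_for(user, roles, members):
    """Names of the Global Roles granted by group or individual association."""
    groups = effective_groups(user, members)
    return {r.name for r in roles if user in r.users or r.groups & groups}

def audit(users, roles, members):
    """Per user: roles held, whether console login is possible, Admin or not."""
    report = {}
    for user in users:
        held = roles_for(user, roles, members)
        report[user] = {"roles": held, "console_login": bool(held),
                        "admin": "Admin" in held}
    return report

# Constructed sample data. Only the 'Admin' role and the 'Administrators'
# group come from the post; everything else is made up for the example.
MEMBERS = {"Administrators": {"weblogic", "SOAOps"},
           "SOAOps": {"alice"},
           "Monitors": {"bob"},
           "Developers": {"carol"}}
ROLES = [GlobalRole("Admin", groups={"Administrators"}),
         GlobalRole("Monitor", groups={"Monitors"}, users={"dave"})]
USERS = ["weblogic", "alice", "bob", "carol", "dave"]

if __name__ == "__main__":
    for user, row in audit(USERS, ROLES, MEMBERS).items():
        print(user, sorted(row["roles"]), row["console_login"], row["admin"])
```

In the sample data, alice is the case worth reviewing: she holds 'Admin' only because her group is itself a member of 'Administrators'.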