Wednesday, 13 July 2016

Create WebLogic users for ServiceBus 12c - Part 2

Last week I wrote a blog about how to create WebLogic users for ServiceBus 12c. However, I did not know how to assign a particular application-specific role to the WebLogic user, for particular ServiceBus privileges. I did find out which roles there were (see that blog), but how to assign them I only found out today.

So here it is:
#
# sys is needed to report the actual exception in the except branch below.
import sys
#
def grantOSBAppRoleToWlsGroup(osbAppRole, wlsGroup):
    #
    # Grant an OSB application role to a WebLogic group.
    # http://docs.oracle.com/cd/E23943_01/web.1111/e13813/custom_infra_security.htm#WLSTC1398
    # grantAppRole(appStripe, appRoleName, principalClass, principalName)
    #   appStripe:      the application stripe; for ServiceBus 12c 'Service_Bus_Console'
    #   appRoleName:    the application role name (Developer, Tester, Monitor, ...)
    #   principalClass: fully qualified class of the principal that receives the role
    #   principalName:  the name of that principal (user, group or application role)
    # Examples with the other principal classes (another application role, a user):
    #grantAppRole("Service_Bus_Console","Monitor","oracle.security.jps.service.policystore.ApplicationRole","SBMonitor")
    #grantAppRole("Service_Bus_Console","Tester","weblogic.security.principal.WLSUserImpl","weblogic")
    try:
        print('Grant OSB Role: '+osbAppRole+' to WebLogic Group: '+wlsGroup)
        grantAppRole("Service_Bus_Console",osbAppRole,"weblogic.security.principal.WLSGroupImpl",wlsGroup)
        print('Grant Succeeded')
    except:
        # grantAppRole raises, among other reasons, when the grant already exists;
        # print the real error instead of guessing at the cause.
        print('Failed to grant role '+osbAppRole+' to '+wlsGroup+': '+str(sys.exc_info()[1]))
        print('Check if the role was not already granted.')

Add this to the createUsers.py script from my previous article. Note that grantAppRole is one of the OPSS security commands: it only works in a WLST started from oracle_common (oracle_common/common/bin/wlst.sh) and connected to the AdminServer.
Then add the following call to grant a role to a group:
    #
    # Grant AppRole
    grantOSBAppRoleToWlsGroup(grpOsbDevOSBAppRole, grpOsbDevName)

This needs the following property in the property file:
# Possible App Roles: MiddlewareAdministrator, Developer, Composer, Deployer, Tester, Monitor, MiddlewareOperator, ApplicationOperator, APICurator
grpOsbDevOSBAppRole=Developer

The comment in the property file lists the possible values as described in the docs (see again my previous article).

A description of grantAppRole can be found in the 11g docs (the link is in the comment of the function above).

The possible parameters of the function are:

appStripe
    Specifies an application stripe. For SB12c it is 'Service_Bus_Console'. You can get it from the pull-down list in EM: WebLogic Domain menu -> Security -> Application Roles -> Application Stripe pull-down (see here).
appRoleName
    Specifies a role name. For SB12c this is one of: MiddlewareAdministrator, Developer, Composer, Deployer, Tester, Monitor, MiddlewareOperator, ApplicationOperator, APICurator.
principalClass
    Specifies the fully qualified name of the class of the principal that receives the role. The docs are unclear about what to use, but I found (actually on a BI-EE blog):
      • For WebLogic users: weblogic.security.principal.WLSUserImpl
      • For WebLogic groups: weblogic.security.principal.WLSGroupImpl
      • Apparently for application roles (granting one application role to another): oracle.security.jps.service.policystore.ApplicationRole
principalName
    Specifies the principal name: the user name, group name or application role name, matching the principalClass.


With this you can enhance the createUsers script to create actual ServiceBus users. For SOASuite or other components you can get the Application Specific Roles by querying the Application Stripe in EM.
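Putting the function, the property file and the parameter description together: the following is an added example, not code from the original post or from Oracle. It reads createUsers-style properties, validates every requested role against the roles of the Service_Bus_Console stripe before anything is granted (so a typo cannot turn into a failed or, worse, a wrong grant), and applies the grants through a pluggable grant function, so the same logic can be dry-run outside WLST. The names load_properties, build_group_grants, apply_grants and RecordingGrant are assumptions of this example; grantAppRole is the real OPSS WLST command and only exists inside wlst.sh.

```python
# Added example (not from the original post). Validates and applies Service Bus
# application role grants from a property file. Helper names are assumptions;
# grantAppRole is the real WLST/OPSS command and is only defined inside wlst.sh.
import sys

APP_STRIPE = "Service_Bus_Console"

# Application roles of the Service_Bus_Console stripe, as listed in the post.
SB_APP_ROLES = (
    "MiddlewareAdministrator", "Developer", "Composer", "Deployer", "Tester",
    "Monitor", "MiddlewareOperator", "ApplicationOperator", "APICurator",
)

# principalClass values for grantAppRole, as given in the post.
PRINCIPAL_CLASSES = {
    "user": "weblogic.security.principal.WLSUserImpl",
    "group": "weblogic.security.principal.WLSGroupImpl",
    "approle": "oracle.security.jps.service.policystore.ApplicationRole",
}

# Constructed sample property file. The last group asks for a role name that
# does not exist in the stripe and must be rejected before anything is granted.
SAMPLE_PROPERTIES = """
# Possible App Roles: MiddlewareAdministrator, Developer, Composer, ...
grpOsbDevName=OSBDevelopers
grpOsbDevOSBAppRole=Developer
grpOsbOpsName=OSBOperators
grpOsbOpsOSBAppRole=MiddlewareOperator
grpOsbAdmName=OSBAdmins
grpOsbAdmOSBAppRole=Administrator
"""


def load_properties(text):
    """Minimal key=value parser: blank lines and #/! comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def build_group_grants(props, prefixes):
    """For each prefix (e.g. 'grpOsbDev') read <prefix>Name and <prefix>OSBAppRole
    and return grantAppRole argument tuples for the WLSGroupImpl principal class.
    Raises ValueError on a missing property or a role unknown to the stripe."""
    grants = []
    for prefix in prefixes:
        group = props.get(prefix + "Name")
        role = props.get(prefix + "OSBAppRole")
        if not group or not role:
            raise ValueError("missing %sName or %sOSBAppRole" % (prefix, prefix))
        if role not in SB_APP_ROLES:
            raise ValueError("unknown %s app role %r for %s" % (APP_STRIPE, role, prefix))
        grants.append((APP_STRIPE, role, PRINCIPAL_CLASSES["group"], group))
    return grants


def apply_grants(grants, grant_fn):
    """Call grant_fn(stripe, role, principalClass, principalName) for every grant and
    collect (grant, ok, message); one failure does not abort the remaining grants."""
    results = []
    for grant in grants:
        try:
            grant_fn(*grant)
            results.append((grant, True, "granted"))
        except Exception:
            results.append((grant, False, str(sys.exc_info()[1])))
    return results


def wlst_grant(stripe, role, principal_class, principal_name):
    """Real backend: grantAppRole exists only in a connected oracle_common WLST."""
    grantAppRole(stripe, role, principal_class, principal_name)


class RecordingGrant:
    """Dry-run stand-in for grantAppRole: records calls and, like a repeated real
    grant, fails when the same grant is made twice (simulated error, not OPSS's text)."""
    def __init__(self):
        self.granted = []

    def __call__(self, stripe, role, principal_class, principal_name):
        key = (stripe, role, principal_class, principal_name)
        if key in self.granted:
            raise Exception("%s already granted to %s" % (role, principal_name))
        self.granted.append(key)


def demo():
    """Validate and grant from the sample file using the dry-run backend."""
    props = load_properties(SAMPLE_PROPERTIES)
    grants = build_group_grants(props, ["grpOsbDev", "grpOsbOps"])
    fake = RecordingGrant()
    first = apply_grants(grants, fake)    # both granted
    second = apply_grants(grants, fake)   # script re-run: both now fail
    try:
        build_group_grants(props, ["grpOsbAdm"])
        rejected = None
    except ValueError:
        rejected = sys.exc_info()[1]      # 'Administrator' is not a stripe role
    return first, second, rejected


if __name__ == "__main__":
    first, second, rejected = demo()
    for grant, ok, message in first + second:
        print("%s -> %s: %s" % (grant[1], grant[3], message))
    print("rejected: %s" % rejected)
```

Inside wlst.sh, after connect(), the same script grants for real by passing wlst_grant instead of the RecordingGrant instance to apply_grants. The code avoids `with`, `except ... as` and other newer syntax on purpose, because the Jython embedded in 12c WLST is older than CPython; sys.exc_info() is the portable way to get at the exception in both.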
