So here it is:
```python
#
#
def grantOSBAppRoleToWlsGroup(osbAppRole, wlsGroup):
  #
  # Grant OSB AppRole
  # http://docs.oracle.com/cd/E23943_01/web.1111/e13813/custom_infra_security.htm#WLSTC1398
  # grantAppRole(appStripe, appRoleName, principalClass, principalName)
  #   appStripe:      Specifies an application stripe.
  #   appRoleName:    Specifies a role name.
  #   principalClass: Specifies the fully qualified name of a class.
  #   principalName:  Specifies the principal name.
  # Examples from the docs:
  #   grantAppRole("Service_Bus_Console","Monitor","oracle.security.jps.service.policystore.ApplicationRole","SBMonitor")
  #   grantAppRole("Service_Bus_Console","Tester","weblogic.security.principal.WLSUserImpl","weblogic")
  try:
    print('Grant OSB Role: '+osbAppRole+' to WebLogic Group: '+wlsGroup)
    # The principal here is a WebLogic group, hence WLSGroupImpl as principalClass
    grantAppRole("Service_Bus_Console",osbAppRole,"weblogic.security.principal.WLSGroupImpl",wlsGroup)
    print('Grant Succeeded')
  except:
    print('Failed to grant role '+osbAppRole+' to '+wlsGroup+'.')
    print('Check if role not already granted.')
```
Add this to the createUsers.py script in my previous article.
Then add the following call to add a role to a group:
```python
#
# Grant AppRole
grantOSBAppRoleToWlsGroup(grpOsbDevOSBAppRole, grpOsbDevName)
```
This needs the following property in the property file:
```properties
# Possible App Roles: MiddlewareAdministrator, Developer, Composer, Deployer, Tester, Monitor, MiddlewareOperator, ApplicationOperator, APICurator
grpOsbDevOSBAppRole=Developer
```
In the comment I listed the possible values as described in the docs (see again my previous article).
A description of grantAppRole can be found in the 11g docs (the custom infrastructure security page linked in the comment of the function above).
The parameters of the function are:

| Argument | Definition |
|---|---|
| appStripe | Specifies an application stripe. For SB12c it is: 'Service_Bus_Console'. You can get it from the pick list in EM: WebLogic Domain Menu->Security->Application Roles->Application Stripes pull-down. (See here). |
| appRoleName | Specifies a role name. For SB12c this is one of: MiddlewareAdministrator, Developer, Composer, Deployer, Tester, Monitor, MiddlewareOperator, ApplicationOperator, APICurator |
| principalClass | Specifies the fully qualified name of a class. Unclear from the docs what to use. But I found (actually on a BI-EE blog): |
| principalName | Specifies the principal name. |
With this you can enhance the createUsers script to create actual ServiceBus users. For SOASuite or other components you can get the Application Specific Roles by querying the Application Stripe in EM.
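As an added example (not part of the post's createUsers.py), here is a pre-check I would put in front of the call above: it parses the property file, pairs each grp&lt;X&gt;Name with its grp&lt;X&gt;OSBAppRole, refuses role names that are not in the documented list, and takes the grant function as a parameter so it can be exercised outside the WLST shell. The property key naming is assumed from the post's grpOsbDevName / grpOsbDevOSBAppRole; the syntax is kept to what WLST's Jython also accepts.

```python
# Added example: check group/role assignments before handing them to
# grantAppRole(); syntax restricted to what WLST's Jython also accepts.
# Application roles documented for the Service_Bus_Console stripe.
OSB_APP_ROLES = ('MiddlewareAdministrator', 'Developer', 'Composer',
                 'Deployer', 'Tester', 'Monitor', 'MiddlewareOperator',
                 'ApplicationOperator', 'APICurator')
OSB_APP_STRIPE = 'Service_Bus_Console'
WLS_GROUP_CLASS = 'weblogic.security.principal.WLSGroupImpl'

def parseProperties(text):
    # key=value lines; '#' comments and blank lines are skipped
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line == '' or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        props[key.strip()] = value.strip()
    return props

def plannedGrants(props, groupPrefixes):
    # Pair grp<X>Name with grp<X>OSBAppRole and reject role names that are
    # not documented, so a typo cannot become a silent failure in WLST.
    grants = []
    for prefix in groupPrefixes:
        group = props.get(prefix + 'Name')
        role = props.get(prefix + 'OSBAppRole')
        if group is None or role is None:
            raise ValueError('missing %sName or %sOSBAppRole' % (prefix, prefix))
        if role not in OSB_APP_ROLES:
            raise ValueError('unknown OSB app role %r for group %s' % (role, group))
        grants.append((group, role))
    return grants

def applyGrants(grants, grantFn):
    # grantFn is grantAppRole inside WLST; returns the argument tuples used
    done = []
    for group, role in grants:
        args = (OSB_APP_STRIPE, role, WLS_GROUP_CLASS, group)
        grantFn(*args)
        done.append(args)
    return done

# Constructed sample property file in the form used by the post.
SAMPLE_PROPERTIES = """
grpOsbDevName=OSBDevelopers
grpOsbDevOSBAppRole=Developer
grpOsbOpsName=OSBOperators
grpOsbOpsOSBAppRole=MiddlewareOperator
"""
```

Inside WLST you would call `applyGrants(plannedGrants(parseProperties(open(propFile).read()), ['grpOsbDev']), grantAppRole)`; outside WLST pass any callable to see which grants would be made.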