Users, Groups, Roles and Policies

Myst supports automating the security configuration of the following:

  • Creating LDAP users and groups.
  • Assigning role conditions.
  • Assigning users to groups and roles.
  • Creating, updating, and deleting credentials maps.
  • Creating security policies on JMS modules.

The users, roles, groups, credentials maps, and the security policies must be defined as Global Variables within the Platform Blueprint (or if desired, the Platform Model) using the properties below.

User definitions

Property name Description
add.users A comma-separated list of user names to be created.
USERNAME.password Password for the user name.
USERNAME.description Description for the user name.
USERNAME.group Comma-separated list of groups to which you want to add the user name.
remove.users Comma-separated list of users you want to remove

Example User definitions

add.users=asmith,jstein
asmith.password=welcome1
asmith.group=Administrators
jstein.password=welcome1

Group definitions

Property name Description
add.groups Comma-separated list of groups you want to create.
remove.groups Comma-separated list of groups you want to remove.

Example Group definitions

add.groups=Group1,Group2

Application Role definitions

Property name Description
add.app_roles Comma-separated list of application role IDs that you want to create.
APP_ROLE_ID.app_stripe The name of the application stripe for a given application role id.
APP_ROLE_ID.app_role_name The name of the application role for a given application role id.
grant.app_roles Comma-separated list of application role grant IDs to be created
GRANT_APP_ROLE_ID.app_stripe The name of the application stripe where the role exists.
GRANT_APP_ROLE_ID.app_role_name The name of the application role to be granted for the principal.
GRANT_APP_ROLE_ID.principal_type The type of the principal, either "user" or "group" or "role".
GRANT_APP_ROLE_ID.principal_name The name of the principal to be granted the role
role.expressions A comma-separated list of WebLogic roles to be have their role conditions updated.
role.expression.ROLE The role expression for the given role.

Example Role definitions

add.app_roles=customArchitectRole,
customDeveloperRole

customArchitectRole.app_stripe=soa-infra
customArchitectRole.app_role_name=customArchitectRole

customDeveloperRole.app_stripe=soa-infra
customDeveloperRole.app_role_name=customArchitectRole

grant.app_roles=report-architect-jstein,report-architect-Group1

report-architect-jstein.app_stripe=oracle-bam#11.1.1
report-architect-jstein.app_role_name=Report Architect
report-architect-jstein.principal_type=user
report-architect-jstein.principal_name=jstein

report-architect-Group1.app_stripe=oracle-bam#11.1.1
report-architect-Group1.app_role_name=Report Architect
report-architect-Group1.principal_type=group
report-architect-Group1.principal_name=Group1

role.expressions=Admin,IntegrationAdmin
role.expression.Admin=Grp(Administrators)|Usr(jstein)
role.expression.IntegrationAdmin=
Grp(IntegrationAdministrators)|Grp(Group1)

Credentials Map definitions

Property name Description
credential.maps Comma-separated list of credential map IDs.
credential.map.CREDENTIAL_MAP_ID.keys Comma-separated list of credential map keys.
credential.map.CREDENTIAL_MAP_ID.KEY.username The user name for the credential map key.
credential.map.CREDENTIAL_MAP_ID.KEY.password The password for the credential map key.
credential.map.CREDENTIAL_MAP_ID.KEY.description The description for the credential map key.
credential.map.CREDENTIAL_MAP_ID.KEY.present Specify whether the credential map key should be present or not. If set to false the credential map key is deleted. The default value is set to true.
credential.map.CREDENTIAL_MAP_ID.KEY.update-if-exists Specify whether the credential map key should be updated if it already exists. The default value is false, which means that if the credential map key already exists it will not be updated.

Example Credential Map

credential.maps=oracle.wsm.security
credential.map.oracle.wsm.security.keys=owsm-key
credential.map.oracle.wsm.security.owsm-key.username=DeploymentAdmin_ES
credential.map.oracle.wsm.security.owsm-key.password=welcome1
credential.map.oracle.wsm.security.owsm-key.description=Deployment Administrator

JMS Security Policy definitions

Example JMS Security policy

Security policies with a user.

add.policies=module1
module1.type=jms
module1.application=MyJMSModule
module1.credential.type=user
module1.credential.value=jsmith

Example JMS Resource Security policy with a method

Security policies for resources with a group and a method.

add.policies=module1
module1.type=jms
module1.application=MyJMSModule
module1.credential.type=user
module1.credential.value=jsmith

Example JMS Security policy with conditions with custom expression

Need to add both users and groups? Use a custom expression for users+groups and a method.

add.policies=module1
module1.application=MyJMSModule
module1.type=jms
module1.destinationtype=topic
module1.action=send
module1.resource=mytopic
module1.credential.type=expression
module1.credential.value=Usr(weblogic)|Usr(jawed)|Grp(${var.devops})|Grp(${var.awesome})

results matching ""

    No results matching ""