Developers are a demanding bunch, always wanting access! We describe in this final section of the chapter how to create read-only accounts that developers can use to log in to the various consoles as well have read-only access to the MDS. It is always recommended not to share the weblogic password with developers.
In this section, we also describe how to configure custom XPath functions.
The Monitors group provides read-only access to Oracle Fusion Middleware Enterprise Manager Control, while the Deployers group grants the ability to deploy applications to the SOA server.
From time to time, administrators of Oracle SOA Suite 12c infrastructure are required to provide limited and role based access to developers and extended team members. For instance, administrators may be tasked with providing a group of users and developers access to view service status and health, composite instances, and audit trails. In other cases, the requirement may be to grant operators access to manage composite lifecycles. Fortunately, Enterprise Manager provides functionality to provide different levels of access to different users and groups access without allowing them to change any infrastructure settings. The following steps detail how administrators can provide role-based access to the SOA infrastructure:
- Log in to WebLogic Server Administration Console.
- The ideal way to manage access here is to create WebLogic groups, manage their membership by associating actual LDAP-based users and groups, and finally grant permissions to them.
- Navigate to Your Application's Security Settings | Security Realms | myrealm | Users and Groups | Groups and create a two new groups: SOAAuditViewer and SOAOperator.
- Click on one of these groups and then go to the Membership tab. This allows other groups (organizational) to be added to this logical group.
- Alternatively, individual users can have their membership modified to be associated with these groups.
- Next, log in to Oracle Enterprise Manager Fusion Middleware Control and navigate to Weblogic Domain | [domain_name] | Weblogic Domain | Security | Application Roles.
- Select soa-infra from under the Application Stripe dropdown and click on the search button to search for existing application roles.
- The following table provides a list of predefined application roles in the Oracle Fusion Middleware Infrastructure and their associated permissions.
Role
Permission
SOAAdminThis has full access, including the ability to modify security settings.
SOAOperatorThis has access to deploy/undeploy, start/stop, and activate/retire composites.
SOAMonitorThis has read-only access to Oracle EM FMW Console.
SOAAuditViewerThis has access to view instance and audit trails.
SOAAuditAdminThis has access to modify audit levels.
Refer to the earlier section Mapping Users and Groups to Application Roles in this chapter for guidance on how to associate WebLogic users and groups to Fusion Middleware application roles.
Developers will require a database account to access the MDS during their development as it is necessary for them to create a database connection in JDeveloper 12c to the [PREFIX]_MDS schema in order to access MDS artifacts. Shared objects that are maintained in the MDS, such as DVMs, schemas, and WSDLs, need to be accessible to the developer during the development cycle. The last thing administrators want is to share the [PREFIX]_MDS schema password.
Follow these instructions to create a generic MDS_MDS_READONLY database account that can be shared with developers. The following instructions assume that the schema name for the MDS is DEV_MDS:
- Log in to the database with a user account with
SYSDBAprivileges:SQLPLUS "/ AS SYSDBA"
- Create the database user
DEV_MDS_READONLYand grant access:CREATE USER DEV_MDS_READONLY IDENTIFIED BY WELCOME1; GRANT RESOURCE, CONNECT TO DEV_MDS_READONLY;
- Execute the following commands to grant select access to the product tables to the
DEV_MDS_READONLYuser:GRANT SELECT ON DEV_MDS.MDS_PARTITIONS TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_LABELS TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_TXN_LOCKS TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_TRANSACTIONS TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_DEPL_LINEAGES TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_PATHS TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_STREAMED_DOCS TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_NAMESPACES TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_COMPONENTS TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_ATTRIBUTES TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_DEPENDENCIES TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_PURGE_PATHS TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_LARGE_ATTRIBUTES TO DEV_MDS_READONLY; GRANT SELECT ON DEV_MDS.MDS_SANDBOXES TO DEV_MDS_READONLY;
- Create the appropriate synonyms for the database tables:
CREATE SYNONYM DEV_MDS_READONLY.MDS_PARTITIONS FOR DEV_MDS.MDS_PARTITIONS; CREATE SYNONYM DEV_MDS_READONLY.MDS_LABELS FOR DEV_MDS.MDS_LABELS; CREATE SYNONYM DEV_MDS_READONLY.MDS_TXN_LOCKS FOR DEV_MDS.MDS_TXN_LOCKS; CREATE SYNONYM DEV_MDS_READONLY.MDS_TRANSACTIONS FOR DEV_MDS.MDS_TRANSACTIONS; CREATE SYNONYM DEV_MDS_READONLY.MDS_DEPL_LINEAGES FOR DEV_MDS.MDS_DEPL_LINEAGES; CREATE SYNONYM DEV_MDS_READONLY.MDS_PATHS FOR DEV_MDS.MDS_PATHS; CREATE SYNONYM DEV_MDS_READONLY.MDS_STREAMED_DOCS FOR DEV_MDS.MDS_STREAMED_DOCS; CREATE SYNONYM DEV_MDS_READONLY.MDS_NAMESPACES FOR DEV_MDS.MDS_NAMESPACES; CREATE SYNONYM DEV_MDS_READONLY.MDS_COMPONENTS FOR DEV_MDS.MDS_COMPONENTS; CREATE SYNONYM DEV_MDS_READONLY.MDS_ATTRIBUTES FOR DEV_MDS.MDS_ATTRIBUTES; CREATE SYNONYM DEV_MDS_READONLY.MDS_DEPENDENCIES FOR DEV_MDS.MDS_DEPENDENCIES; CREATE SYNONYM DEV_MDS_READONLY.MDS_PURGE_PATHS FOR DEV_MDS.MDS_PURGE_PATHS; CREATE SYNONYM DEV_MDS_READONLY.MDS_LARGE_ATTRIBUTES FOR DEV_MDS.MDS_LARGE_ATTRIBUTES; CREATE SYNONYM DEV_MDS_READONLY.MDS_SANDBOXES FOR DEV_MDS.MDS_SANDBOXES;
- Create the appropriate synonyms for the database packages:
CREATE SYNONYM DEV_MDS_READONLY.MDS_INTERNAL_COMMON FOR DEV_MDS.MDS_INTERNAL_COMMON; CREATE SYNONYM DEV_MDS_READONLY.MDS_INTERNAL_SHREDDED FOR DEV_MDS.MDS_INTERNAL_SHREDDED; CREATE SYNONYM DEV_MDS_READONLY.MDS_INTERNAL_UTILS FOR DEV_MDS.MDS_INTERNAL_UTILS;
- Grant execute permissions to the packages:
GRANT EXECUTE ON DEV_MDS.MDS_INTERNAL_COMMON TO DEV_MDS_READONLY; GRANT EXECUTE ON DEV_MDS.MDS_INTERNAL_SHREDDED TO DEV_MDS_READONLY; GRANT EXECUTE ON DEV_MDS.MDS_INTERNAL_UTILS TO DEV_MDS_READONLY;
Note that the same permission setting can be created for the [PREFIX]_SOAINFRA schema.
Developers tend to use a multitude of custom function libraries as they develop their SOA composites. These functions are mostly used within transformation files (that is, XSL and XQuery maps) or assignment activities. These functions can be used at design time in the composite editor by importing the library as User Defined Extension Jar files.
At runtime, however, administrators have to ensure that these libraries are appropriately placed to be part of the server runtime. Although describing how to create custom XPath functions is out of scope for this book, their deployment is not.
To deploy a custom XPath function to the Oracle SOA Suite 12c infrastructure, follow these steps:
- Get a copy of the JAR file with the custom XPath functions (for example,
customXPathFunctions.jar). - Copy the file to the location where all external function libraries are to be copied (that is,
$MW_HOME/soa/soa/modules/oracle.soa.ext_11.1.1). - Restart the SOA managed server.
Now, any composite deployed to the server and requiring the use of these custom XPath functions will have access to them at runtime.