how to integrate/map the roles of Oracle BPM into Oracle IDM (Identity Management). First, you have to understand some concepts. As the official documentation says, Oracle Fusion Middleware allows using different types of credential and policy stores in a WebLogic domain. Domains can use stores based on an XML file or on different types of LDAP providers. When a domain uses an LDAP store, all policy and credential data is kept and maintained in a centralized store. However, when using XML policy stores, the changes made on Managed Servers are not propagated to the Administration Server unless they use the SAME domain home. By default, Oracle WebLogic Server domains use an XML file for the policy store. The following sections describe the steps required to change the default store to Oracle Internet Directory LDAP for credentials or policies. More information is in the official documentation: http://download.oracle.com/docs/cd/E17904_01/core.1111/e12036/oam.htm#BABFGBED

Before creating the LDAP Authenticator, first make a backup of the following files:

ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/config/config.xml
ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/config/fmwconfig/jps-config.xml
ORACLE_BASE/admin/<domain_name>/aserver/<domain_name>/config/fmwconfig/system-jazn-data.xml
Back up the boot.properties file too. Log into the WebLogic Console and go to Security Realms/myrealm.
Go to the Providers tab.
Enter a name for your new provider, for example OIDAuthenticator or OIDAuth.
MAPPING BPM ROLES INTO IDM (ORACLE IDENTITY MANAGEMENT)

It will appear on the provider screen.
Click on the newly created provider and set the Control Flag to SUFFICIENT.
Go to the Provider Specific tab to enter the details for the LDAP server.
Click SAVE to activate the changes. Now we have to reorder the providers. Go to the Security Realms/myrealm/Providers tab and REORDER the providers as shown in the screen above:
Now, RESTART the Administration Server and the Managed Servers of your SOA environment. Go to the Security Realms/myrealm/Roles and Policies tab.
You will see a list of Global Roles displayed on the screen. In the Role Policy column of the Admin role, click on View Role Conditions.
In this screen you will associate a condition with this Admin role. For example, in your LDAP you have a group called SOAAdministrators and a user assigned to this group. Every user assigned to this group will be an Administrator of my soa_domain. Now I will create a Role Condition: click ADD CONDITIONS.
In GROUP ARGUMENT NAME put the name of your SOAAdministrators group and click ADD.
After that, click FINISH. You will see the new group added to the Admin Role Conditions.
If you're having trouble with this part, I suggest you create the SOAAdministrators group and the user assigned to this group through an LDIF file. I've faced some problems when doing this group and user creation through ODSM (Oracle Directory Services Manager). To create this group and the user, just create 2 (TWO) LDIF files.

Admin_group.ldif contains the following (replace dc=andrealmar,dc=com with your own DC configuration):

dn: cn=SOAAdministrators,cn=Groups,dc=andrealmar,dc=com
displayname: SOAAdministrators
objectclass: top
objectclass: groupOfUniqueNames
objectclass: orclGroup
uniquemember: cn=weblogic_soa,cn=Users,dc=andrealmar,dc=com
cn: SOAAdministrators
description: Administrators Group for the SOA Domain

admin_user.ldif contains the following (the duplicate objectclass: inetorgperson line from the original has been dropped, since a repeated attribute value is rejected on import):

dn: cn=weblogic_soa,cn=Users,dc=andrealmar,dc=com
orclsamaccountname: weblogic_soa
givenname: weblogic_soa
sn: weblogic_soa
userpassword: welcome1
mail: weblogic_soa
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: orcluser
objectclass: orcluserV2
uid: weblogic_soa
cn: weblogic_soa
description: Admin User for the SOA Domain

Then import these 2 LDIF files via an LDAP browser. I've used the Gawor LDAP Browser.

User shown on Gawor LDAP Browser
Group shown on Gawor LDAP Browser
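A small pre-import check for LDIF batches like the two files above, added here as an example and not part of the original tutorial. It parses simple (non-wrapped) LDIF, reports repeated attribute values (the kind of defect that makes an import fail), checks that every uniquemember DN of a group is defined in the same batch, and flags a cleartext userpassword; the sample entries and the dc=example,dc=com suffix are constructed for the demo.

```python
# Added example (not from the tutorial): sanity-check LDIF entries before
# importing them. SAMPLE_LDIF is constructed, modelled on the tutorial's group
# and user, with a duplicate objectclass value left in on purpose.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=SOAAdministrators,cn=Groups,dc=example,dc=com
objectclass: top
objectclass: groupOfUniqueNames
uniquemember: cn=weblogic_soa,cn=Users,dc=example,dc=com
cn: SOAAdministrators

dn: cn=weblogic_soa,cn=Users,dc=example,dc=com
objectclass: inetorgperson
objectclass: inetorgperson
userpassword: welcome1
cn: weblogic_soa
"""

def normalize_dn(dn):
    # DN attribute types are case-insensitive and spaces after commas are ignored
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} for simple (non-wrapped) LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                      # blank lines and comments carry no data
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":                  # a new entry starts at each dn: line
            current = entries.setdefault(normalize_dn(value), defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def check_ldif(text):
    """Return a list of problems; an empty list means the batch looks importable."""
    entries, problems = parse_ldif(text), []
    for dn, attrs in entries.items():
        for attr, values in attrs.items():
            if len({v.lower() for v in values}) != len(values):
                problems.append(f"{dn}: duplicate value for {attr}")
        for member in attrs.get("uniquemember", []):
            if normalize_dn(member) not in entries:
                problems.append(f"{dn}: uniquemember {member} is not in this batch")
        if any(not pw.startswith("{") for pw in attrs.get("userpassword", [])):
            problems.append(f"{dn}: userpassword is stored in cleartext")
    return problems
```

Run check_ldif on the text of each file (or on both concatenated, so group membership can be resolved) and fix every reported problem before importing.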
To check that the configuration works, log out and try to log in with the new user weblogic_soa, which is now an Administrator of soa_domain.
Go to Security / Application Roles.
Click on ... and all your BPM roles will appear. I don't have any application deployed, so the only role that appears is BPMProcessAdmin.
To assign an OID (Oracle Internet Directory) user to this role, just click on the role name.
You can assign a group or a user. I decided to assign a user (weblogic_soa), created earlier in this tutorial, to this role.
Log into the workspace (http://yourserver:8001/bpm/workspace) and check that your user has the correct BPM role assigned.