Creating Users and Groups

To work in WebLogic Management, a tenancy administrator in your organization must create groups, add users to groups, and add policies that control which users can access the service and its resources, and the type of access they have.

Important

Create at least one user in the tenancy to work with WebLogic Management. This user must be created in the IAM service.

User groups, dynamic groups and IAM policies specify which users and services can access certain OCI resources. You must identify which WebLogic Management resources the service can manage and which users can manage those resources. To do this, define user groups, dynamic groups, and then set up the required IAM policy.

User Group

Create a user group or identify an existing user group to administer the WebLogic Management service in the tenancy. The required policy statements then grant this administrator user group the ability to manage WebLogic Management resources.

If you need to further restrict access, you can create additional user groups and set more restrictive policy statements to limit access to specific resources. See Policy Examples for non-administrator use cases. For more information about user groups, see Managing Groups.

Dynamic Group

Create a dynamic group to specify the resources WebLogic Management will manage by defining rule statements for OCI instances.

  1. Ensure you understand the following:
  2. Follow the steps to create a dynamic group or update an existing dynamic group and configure the matching rules as follows.

    Tip

    Reuse the same dynamic group wherever possible across services instead of creating new dynamic groups because a single resource can only belong to a maximum of five dynamic groups.

  3. For the overall matching rule setting select: Match any rules defined below.

  4. Create rule statements for the instances that WebLogic Management will manage.

    Important

    Dynamic group rules don't use compartment inheritance. You must specify a rule statement for every compartment and subcompartment that you want managed by the service.

    Rule for OCI instances

    Add a rule statement that includes each compartment (and subcompartment) that will contain instances.

    ANY {instance.compartment.id='<compartment_ocid>',instance.compartment.id='<subcompartment_ocid>'}

    This rule will include all OCI instances in the specified compartments.

  5. Click Create (if creating) or Save (if updating).

What does the dynamic group do?

The dynamic group identifies the instances that WebLogic Management will manage. You add rule statements for the compartments and subcompartments that contain instances you want managed by the service. The dynamic group grows and shrinks dynamically based on these rule statements. As instances are provisioned or retired, the dynamic group changes accordingly. The required policy statements then grant WebLogic Management the ability to access the instances within the dynamic group.

For more information on dynamic groups, see Managing Dynamic Groups.

When to use ANY and ALL for a dynamic group?

Before writing dynamic group rule statements, it's important to understand the difference between ANY and ALL.

When defining a dynamic group, you set how the group matches the rules defined within the group:

  • Match any rules defined below includes resources that match any of the rules within the dynamic group. Select this if defining a group that includes rules for multiple compartments or multiple instance types. This setting tells the group to include resources that match rule 1 OR rule 2 OR rule 3, and so on.
  • Match all rules defined below includes resources that match all the rules within the dynamic group. Select this when defining a very narrow dynamic group that includes only one compartment. This setting tells the group to include resources that match rule 1 AND rule 2 AND rule 3, and so on.

When defining individual rule statements within the dynamic group, you set the conditions for each statement:

  • All of the following (ALL) includes only resources that match all the conditions in the rule. ALL statements require each condition to be true. Otherwise, resources aren't included for the rule.

  • Any of the following (ANY) includes resources that match any of the conditions in the rule.

Examples of ANY and ALL for an individual rule statement

Consider the rule used for non-OCI instances.

Correct usage:
ALL {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'}

When using ALL, the rule includes only resources in the specified compartment. The statement tells the dynamic group to include resources that match the management agent type AND are within the specified compartment.

Incorrect usage. Do not use:
ANY {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'}

When using ANY, the rule includes every management agent resource in the entire tenancy and every OCI resource present in the specified compartment, because a resource needs to satisfy only one of the two conditions. While the statement will include the resources needed for WebLogic Management, it's very broad and typically not preferable.

Consider the rule used for OCI instances when specifying multiple compartments.

Correct usage:
ANY {instance.compartment.id='<compartment_ocid>',instance.compartment.id='<subcompartment_ocid>'}

When using ANY, the rule includes every instance in each of the specified compartments. The statement tells the dynamic group to include instances in <compartment_ocid> OR <subcompartment_ocid>.

Incorrect usage. Do not use:
ALL {instance.compartment.id='<compartment_ocid>',instance.compartment.id='<subcompartment_ocid>'}

When using ALL, the rule tells the dynamic group to include instances that are in <compartment_ocid> AND <subcompartment_ocid>. This rule won't include any instances because it's impossible for an instance to be in more than one compartment at the same time. Don't use ALL with a rule statement that specifies multiple compartments.
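
The two correct/incorrect rule pairs above can be checked mechanically before a rule is saved. The following is an added example, not Oracle's code and not the OCI rule evaluator: it models only the flat ANY/ALL {attr='value', ...} form shown on this page, evaluates each rule against constructed sample resources, and flags the unsatisfiable ALL and the over-broad ANY. The function names, the OCIDs and the othertype resource type are assumptions.

```python
import re

RULE_RE = re.compile(r"\s*(ANY|ALL)\s*\{(.*)\}\s*", re.S)
COND_RE = re.compile(r"\s*([\w.]+)\s*=\s*'([^']*)'\s*")

def parse_rule(text):
    """Parse "ANY|ALL {attr='value', ...}" into (operator, [(attr, value), ...])."""
    m = RULE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    conds = [COND_RE.fullmatch(part) for part in m.group(2).split(",")]
    if not all(conds):
        raise ValueError(f"unsupported condition in: {text!r}")
    return m.group(1), [(c.group(1), c.group(2)) for c in conds]

def members(rule, resources):
    """Names of resources the rule selects: ALL = every condition, ANY = at least one."""
    op, conds = parse_rule(rule)
    combine = all if op == "ALL" else any
    return sorted(name for name, attrs in resources.items()
                  if combine(attrs.get(a) == v for a, v in conds))

def lint(rule):
    """Flag the two mistakes described above before the rule is saved."""
    op, conds = parse_rule(rule)
    values = {}
    for attr, value in conds:
        values.setdefault(attr, set()).add(value)
    findings = []
    if op == "ALL" and any(len(v) > 1 for v in values.values()):
        findings.append("unsatisfiable: ALL needs one attribute to equal two values")
    if op == "ANY" and len(values) > 1:
        findings.append("over-broad: ANY ORs conditions on different attributes")
    return findings

# Constructed sample data: placeholder OCIDs and a made-up second resource type.
A, B, C = (f"ocid1.compartment.oc1..example{x}" for x in "abc")
AGENTS = {
    "agent-in-A": {"resource.type": "managementagent", "resource.compartment.id": A},
    "agent-in-C": {"resource.type": "managementagent", "resource.compartment.id": C},
    "other-in-A": {"resource.type": "othertype", "resource.compartment.id": A},
    "other-in-C": {"resource.type": "othertype", "resource.compartment.id": C},
}
INSTANCES = {f"vm-in-{n}": {"instance.compartment.id": c} for n, c in zip("ABC", (A, B, C))}
AGENT_COND = f"{{resource.type='managementagent', resource.compartment.id='{A}'}}"
INST_COND = f"{{instance.compartment.id='{A}',instance.compartment.id='{B}'}}"

if __name__ == "__main__":
    for cond, pool in ((AGENT_COND, AGENTS), (INST_COND, INSTANCES)):
        for op in ("ALL", "ANY"):
            print(op, cond, "->", members(f"{op} {cond}", pool), lint(f"{op} {cond}"))
```

With the sample data, the ANY form of the management agent rule also selects the agent in compartment C and the non-agent resource in compartment A, which is the over-broad membership the policy statements would then grant access to.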