Policy Examples
Pre-General Availability: 2024-10-11
The following legal notice applies to Oracle pre-GA releases. For copyright and other applicable notices, see Oracle Legal Notices.
Pre-General Availability Draft Documentation Notice
This documentation is in pre-General Availability status and is intended for demonstration and preliminary use only. It may not be specific to the hardware on which you are using the software. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to this documentation and will not be responsible for any loss, costs, or damages incurred due to the use of this documentation.
When writing policies, you can use the Administrators group for tenancy management, for example:
allow group Administrators to manage wlms-managed-instances in tenancy
allow group Administrators to manage wlms-wlsdomains in tenancy
allow group Administrators to manage wlms-family in tenancy
You can also simplify policies by combining statements when several groups need the same permissions: list the groups separated by commas and list the permissions inside braces. For example, these four statements:
allow group <user-grp-01> to inspect wlms-wlsdomains in tenancy
allow group <user-grp-01> to inspect wlms-work-requests in tenancy
allow group <user-grp-02> to inspect wlms-wlsdomains in tenancy
allow group <user-grp-02> to inspect wlms-work-requests in tenancy
Can become:
allow group <user-grp-01>,<user-grp-02> to { WLMS_WLSDOMAIN_INSPECT, WLMS_WORK_REQUEST_INSPECT } in tenancy
Example policies restricting user group
The examples provided are sample policies used to restrict resource or compartment access for a particular user group. The tenancy in these examples has the following compartment structure:
- root compartment (tenancy)
  - <dev> compartment
    - <test> subcompartment of <dev>
  - <prod> compartment
For this example:
- The dynamic group is <wlms-dyn-grp>. The rule statements include OCI instances in the root compartment (tenancy), <dev> compartment, <test> subcompartment, and <prod> compartment.
- The user belongs to the user group <wlms-admin-grp> which is allowed to manage all resources within the tenancy.
Policy statements
- Allows the dynamic group to view and scan managed instances only in the <dev> compartment. The statement is attached at the tenancy, but the where clause limits it to managed instances whose own compartment is <dev>.
allow dynamic-group <wlms-dyn-grp> to {WLMS_MANAGED_INSTANCE_USE} in tenancy where target.compartment.id='<dev_compartment_ocid>'
- Allows the user group to view, scan and update all managed instances in the tenancy.
allow group <wlms-admin-grp> to use wlms-managed-instances in tenancy
- Allows the user group to use, update, restart, patch and move all domains in the tenancy.
allow group <wlms-admin-grp> to use wlms-wlsdomains in tenancy
- Allows the user group to manage all resources in the tenancy.
allow group <wlms-admin-grp> to manage wlms-family in tenancy
For this example:
- The user belongs to the user group <wlms-admin-grp-dev> which can manage all resources within the <dev> compartment and <test> subcompartment.
Policy statements
- Allows the user group to manage all WebLogic Management Service resources in the <dev> compartment. Policies use compartment inheritance, so the user will also be able to manage resources in any subcompartments of <dev> (in this example, <test>).
allow group <wlms-admin-grp-dev> to manage wlms-family in compartment <dev>
- Allows the user group to read managed instances in the root compartment only. The where clause matches the compartment of the managed instance exactly, so it does not extend to <dev>, <test> or <prod>.
allow group <wlms-admin-grp-dev> to read wlms-managed-instances in tenancy where target.compartment.id = '<tenancy_ocid>'
- Allows the user group to use managed instances in the <dev> compartment.
allow group <wlms-admin-grp-dev> to use wlms-managed-instances in compartment <dev>
- Allows the user group to use, update, restart, patch, move, and delete domains in the <dev> compartment.
allow group <wlms-admin-grp-dev> to manage wlms-wlsdomains in compartment <dev>
For this example:
- The dynamic group is <wlms-instances>. The rule statement includes the plugin agent resource in the <prod> compartment.
- The user belongs to the user group <wlms-users> which can read all WebLogic Management resources within the <prod> compartment.
Policy statements
- Allows the agent on the managed instances to interact with WebLogic Management.
allow dynamic-group <wlms-instances> to {WLMS_MANAGED_INSTANCE_PLUGIN_ACCESS} in compartment <prod> where request.principal.id = target.managed-instance.i
- Allows the user group to view all WebLogic Management resources in the <prod> compartment.
allow group <wlms-users> to read wlms-family in compartment <prod>
Advanced Example Policies
The advanced WebLogic Management examples provided are sample policies used to restrict resource or compartment access for a particular user group.
Type of access: Ability to view all compute instances in a compartment on which the WebLogic Management plugin is enabled, the WebLogic Server domains and servers discovered by the WebLogic Management plugin, and all configuration settings. With this policy a user in the group cannot perform any service actions that could change the state of the WebLogic Server domains.
When to use: This policy is useful when you want to control access to a compartment where you have your production WebLogic Server domains.
Where to create the policy: Put this policy in the compartment that you will be granting access to the user group for.
Allow group Default/<WlmsDevUsers> to read wlms-family in compartment <WlmsProduction>
Type of access: Ability to perform all service actions except the delete domain action.
When to use: This policy is useful when you want to prevent accidental domain deletion.
Where to create the policy: Put this policy in the compartment that you will be granting access to the user group for.
Allow group Default/<WlmsUsers> to use wlms-family in compartment <WlmsTest>
Type of access: Ability to view all compute instances in a compartment on which the WebLogic Management plugin is enabled, the WebLogic Server domains and servers discovered by the WebLogic Management plugin, and all configuration settings. With this policy a user in the group can also get the latest WebLogic domain information on demand by executing the scan action.
When to use: This policy is useful when you want to control access to a compartment where you have your production WebLogic Server domains but still let the group refresh domain information with an on-demand scan.
Where to create the policy: Put this policy in the compartment that you will be granting access to the user group for.
Allow group Default/<WlmsDevUsers> to read wlms-family in compartment <WlmsProduction>
Allow group Default/<WlmsDevUsers> to {WLMS_WLSDOMAIN_USE} in compartment <WlmsProduction>
Allow group Default/<WlmsDevUsers> to {WLMS_MANAGED_INSTANCE_USE} in compartment <WlmsProduction>
Type of access: Ability to view all compute instances in a compartment on which the WebLogic Management plugin is enabled, the WebLogic Server domains and servers discovered by the WebLogic Management plugin, and all configuration settings. With this policy a user in the group can also get the latest WebLogic domain information on demand by executing the scan action, and can patch domains.
When to use: This policy is useful when you want a particular set of users, such as operations users, to perform specific operations on a compartment where you have your production WebLogic Server domains only during a patching window.
Where to create the policy: Put this policy in the compartment that you will be granting access to the user group for.
Allow group Default/<WlmsOperationsUsers> to read wlms-family in compartment <WlmsProduction>
Allow group Default/<WlmsOperationsUsers> to {WLMS_WLSDOMAIN_USE} in compartment <WlmsProduction>
Allow group Default/<WlmsOperationsUsers> to {WLMS_MANAGED_INSTANCE_USE} in compartment <WlmsProduction>
Allow group Default/<WlmsOperationsUsers> to {WLMS_WLSDOMAIN_PATCH} in compartment <WlmsProduction>
Type of access: Ability to view all compute instances in a compartment on which the WebLogic Management plugin is enabled, the WebLogic Server domains and servers discovered by the WebLogic Management plugin, and all configuration settings. With this policy a user in the group can also get the latest WebLogic domain information on demand by executing the scan action, change configuration settings, and restart domains.
When to use: This policy is useful when you want a particular set of users, such as operations users, to perform specific operations on a compartment where you have your production WebLogic Server domains outside a patching window. With these statements patching is not allowed; when the patching window opens, replace WLMS_WLSDOMAIN_RESTART with WLMS_WLSDOMAIN_PATCH.
Where to create the policy: Put this policy in the compartment that you will be granting access to the user group for.
Allow group Default/<WlmsOperationsUsers> to read wlms-family in compartment <WlmsProduction>
Allow group Default/<WlmsOperationsUsers> to {WLMS_WLSDOMAIN_USE} in compartment <WlmsProduction>
Allow group Default/<WlmsOperationsUsers> to {WLMS_MANAGED_INSTANCE_USE} in compartment <WlmsProduction>
Allow group Default/<WlmsOperationsUsers> to {WLMS_WLSDOMAIN_RESTART} in compartment <WlmsProduction>
Allow group Default/<WlmsOperationsUsers> to {WLMS_WLSDOMAIN_UPDATE} in compartment <WlmsProduction>
Type of access: Ability to view all compute instances in a compartment on which the WebLogic Management plugin is enabled, the WebLogic Server domains and servers discovered by the WebLogic Management plugin, and all configuration settings. With this policy a user in the group can also get the latest WebLogic domain information on demand by executing the scan action, change configuration settings, and patch domains. The ability to move a domain to a different compartment is not granted, and neither is the ability to delete a domain.
When to use: This policy is useful when you have an organizational structure for compartments that you want to maintain and you don't want other users to disrupt it by moving a domain.
Where to create the policy: Put this policy in the compartment that you will be granting access to the user group for.
Allow group Default/<WlmsDevUsers> to read wlms-family in compartment <WlmsDev>
Allow group Default/<WlmsDevUsers> to {WLMS_WLSDOMAIN_USE} in compartment <WlmsDev>
Allow group Default/<WlmsDevUsers> to {WLMS_MANAGED_INSTANCE_USE} in compartment <WlmsDev>
Allow group Default/<WlmsDevUsers> to {WLMS_WLSDOMAIN_PATCH} in compartment <WlmsDev>
Allow group Default/<WlmsDevUsers> to {WLMS_WLSDOMAIN_UPDATE} in compartment <WlmsDev>
Type of access: Ability to view all compute instances in a compartment on which the WebLogic Management plugin is enabled, the WebLogic Server domains and servers discovered by the WebLogic Management plugin, and all configuration settings. With this policy a user in the group can also get the latest WebLogic domain information on demand by executing the scan action. The ability to update managed instance configuration settings in the compartment is not added.
When to use: This policy is useful when you want to prevent a user from disrupting the paths that are scanned, but want the user to be able to get the latest WebLogic domain information from a managed instance.
Where to create the policy: Put this policy in the compartment that you will be granting access to the user group for.
Allow group Default/<WlmsDevUsers> to read wlms-family in compartment <WlmsTest>
Allow group Default/<WlmsDevUsers> to {WLMS_MANAGED_INSTANCE_USE} in compartment <WlmsTest>