Manually Creating Required IAM Policy
Create the required policies for the groups that control users' access to WebLogic Management resources.
Pre-General Availability: 2024-10-11
If you are unsure how to set up the required policies, see Setting Up Required IAM Policy, which shows you how WebLogic Management can set up the required policies for you.
User groups, dynamic groups and IAM policies specify which users and services can access certain OCI resources. You must identify which WebLogic Management resources the service can manage and which users can manage those resources. To do this, define user groups, dynamic groups, and then set up the required IAM policy.
If you're new to policies, see Getting Started with Policies. If you have specific policy requirements or use cases, see Policies and Permissions for more information.
Required Policy Statements
The following policy statements are required to use the service:
Policy statement | Description |
---|---|
Allow group $USER_GROUP to manage instance-family in compartment id $COMPARTMENT_ID | Allows the user group to manage WebLogic Management plugin in the compartment and its subcompartments. |
Allow group $USER_GROUP to read instance-agent-plugins in compartment id $COMPARTMENT_ID | Allows the user group to interact with the WebLogic Management plugin in the compartment and its subcompartments. |
Allow group $USER_GROUP to manage wlms-family in compartment id $COMPARTMENT_ID | Allows the user group to manage all WebLogic Management resources in the compartment and its subcompartments. |
Allow group $USER_GROUP to use wlms-config in tenancy | Allows the user group to read and update the WebLogic Management Service configuration for the tenancy. |
Allow group $USER_GROUP to manage secrets in compartment id $COMPARTMENT_ID | Allows the user group to manage OCI secrets in the compartment and its subcompartments. |
Allow dynamic-group $DYNAMIC_GROUP to read secret-bundles in compartment id $COMPARTMENT_ID | Allows the WebLogic Management plugin to read OCI secrets in the compartment and its subcompartments. |
Allow dynamic-group $DYNAMIC_GROUP to use wlms-managed-instance-plugins in tenancy | Allows the WebLogic Management plugin to use the WebLogic Management service. |
Allow resource wlms server-components to read instance-family in compartment id $COMPARTMENT_ID | Allows the WebLogic Management plugin to check the status of OCI instances. |
For other use cases, see Policy Examples.
Policy statements use the default identity domain unless you define the identity domain before the group or dynamic group name (for example, <identity_domain_name>/<dynamic_group_name>). For more information, see Policy Syntax.
Create Policy Statements
You can set the IAM policy for WebLogic Management either at the tenancy or compartment level.
- Prerequisites
  Before creating the policy, ensure you have the following:
  - user group (<admin_user_group> in the examples)
  - dynamic group (<wlms_dynamic_group> in the examples)
- Policy statements
  To apply the required IAM policy, obtain the required policy templates and then modify them with the necessary information.
  - Overview.
  - Click Set up policy.
  - In the Policy statements section, click Copy policy statements and then click Cancel.
    Note: To use the APIs to retrieve the required policy templates for WebLogic Management, run the ListRequiredPolicies operation.
  - Modify the policy template statements as necessary, for example:
    Template statement: Allow group $USER_GROUP to manage instance-family in compartment id $COMPARTMENT_ID
    Modified: Allow group admin_user_group to manage wlms-family in compartment id <unique_OCID>
    Template statement: Allow dynamic-group $DYNAMIC_GROUP to use wlms-managed-instance-plugins in tenancy
    Modified: Allow dynamic-group wlms_dynamic_group to use wlms-managed-instance-plugins in tenancy
  - Open the navigation menu, click Identity and then click Policies.
  - Using the policy template statements you modified, create a policy. If you need help, see Creating a policy.