Tuesday, January 28, 2014

Provide a user with the Monitor role access to view JMS messages (via console & WLST)

1. Enable the JMX policy editor
Log in to the console - Security Realms - myrealm - Configuration - General - enable "Use Authorization Providers to Protect JMX Access" - Save - Activate Changes - restart the server

2. Create a user with the Monitor role
Log in to the console - Security Realms - myrealm - Users & Groups - Users - New - create the new user - Save - click on that user again - Groups - select Monitor in the left table and move it to the right - Save

3. Create the policy
Log in to the console - Security Realms - myrealm - Roles & Policies - Realm Policies - JMX Policy Editor - Global Scope - Next - weblogic.management.runtime - JMSDestinationRuntimeMBean - Next - Operations: Permission to Invoke - Create Policy - Add Conditions - Predicate List: User - Next - type your user name and click Add - Finish - Save

4. Now log in to the console as that user (with the Monitor role) and try reading a message.


WLST:

For a granular approach that grants permission to invoke getMessages only (cmo must point at the realm's authorizer MBean):

cmo.createPolicy('type=<jmx>, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean, target=getMessages','{Rol(Monitor)}')

For broader permissions, remove the target so the policy covers every operation on the MBean:

cmo.createPolicy('type=<jmx>, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean','{Rol(Monitor)}')
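The console steps and the two WLST calls above as one WLST (Jython) script, added here as an example and not code from the post. It assumes the RealmMBean methods setDelegateMBeanAuthorization, lookupAuthorizer and lookupAuthenticationProvider, the authorizer's policyExists, createPolicy and setPolicyExpression methods, and the default provider names DefaultAuthenticator and XACMLAuthorizer; RecordingAuthorizer is a constructed stand-in so the policy logic can be dry-run outside WLST.

```python
# Added example (not code from the post): builds the JMX invoke policies from
# the post and applies the whole procedure through WLST. Policy strings come
# from plain functions so they can be dry-run outside WLST. Assumed MBean API:
# RealmMBean.setDelegateMBeanAuthorization/lookupAuthorizer/lookupAuthenticationProvider
# and PolicyEditorMBean.policyExists/createPolicy/setPolicyExpression.

MBEAN = 'weblogic.management.runtime.JMSDestinationRuntimeMBean'

def jmx_resource_id(mbean_type, target=None):
    """Resource ID for a JMX 'invoke' policy; target=None covers every operation."""
    rid = 'type=<jmx>, operation=invoke, application=, mbeanType=%s' % mbean_type
    if target:
        rid = rid + ', target=%s' % target
    return rid

def grant_jmx_invoke(authorizer, role='Monitor', mbean_type=MBEAN, targets=('getMessages',)):
    """One policy per target; default is getMessages only, targets=(None,) is the broad form."""
    applied = []
    for target in targets:
        rid, expr = jmx_resource_id(mbean_type, target), '{Rol(%s)}' % role
        if authorizer.policyExists(rid):
            authorizer.setPolicyExpression(rid, expr)   # idempotent re-run
        else:
            authorizer.createPolicy(rid, expr)
        applied.append((rid, expr))
    return applied

class RecordingAuthorizer:
    """Constructed stand-in for the XACMLAuthorizer, for dry runs outside WLST."""
    def __init__(self): self.policies = {}
    def policyExists(self, rid): return rid in self.policies
    def createPolicy(self, rid, expr): self.policies[rid] = expr
    def setPolicyExpression(self, rid, expr): self.policies[rid] = expr

def run_in_wlst(admin_url, admin_user, admin_pwd, monitor_user, monitor_pwd):
    """Steps 1-3 of the post; only callable inside WLST (connect/edit/cmo are WLST builtins)."""
    connect(admin_user, admin_pwd, admin_url)
    edit()
    startEdit()
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    realm.setDelegateMBeanAuthorization(True)   # step 1; a server restart is still required
    save()
    activate()
    serverConfig()   # security providers are edited in the runtime config tree
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    atn = realm.lookupAuthenticationProvider('DefaultAuthenticator')
    atn.createUser(monitor_user, monitor_pwd, 'read-only JMS message viewer')   # step 2
    atn.addMemberToGroup('Monitors', monitor_user)
    return grant_jmx_invoke(realm.lookupAuthorizer('XACMLAuthorizer'))   # step 3, getMessages only
```

Run run_in_wlst() from a WLST session with your own admin URL, admin credentials and the new user's credentials; the remaining functions work in any Python for checking the policy strings first.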


I was able to get the resource details by enabling audit logging.

http://docs.oracle.com/cd/E12840_01/wls/docs103/secwlre/xacmlusing.html#wp1268689
