Other than the users with admin role, no other user can access and monitor weblogic resources. But sometimes it is important that even the users with the monitor, operator roles should be able to monitor the resources.
By default this feature is not available, but we can create JMX policies to grant access to monitors, operators and deployers of the resources.
For example : If a user with the role monitor logs into the console and tries to access the messages in the JMS queues, he will not be able to do it because of the permissions. Below error will be thrown on the admin console:
Error weblogic.management.NoAccessRuntimeException: Access not allowed for subject: principals=[divya, Operators, Monitors, Deployers], on ResourceType: JMSDestinationRuntime Action: execute, Target: getMessages
This means the user divya with the roles Operator, Monitor and Deployer does not have privileges to access JMSDentinationRuntime MBean, cannot view the messages in the JMS queue. We need to give privileges to the user divya by creating JMX policies as below:
– Log into the admin console with the admin credentials.
– Go to Security Realms
– Select the name of the realm that you want to control access to MBeans (for example, myrealm)
– Go to configurations -> General tab.
– Check the box for Use Authorization Providers to Protect JMX Access. (Enable it)
– Now go to the tab Roles and Policies -> Realm Policies
– Click on the link JMX Policy Editor
– The next screen will give you an option of selecting policy.
– If you want a policy that applies to all instances of a WebLogic Server MBean, select the radio button next to Global Scope. Then click the Next button.
– If you want a policy that applies only to the MBean instance that is used to manage a specific deployment or system resource:
1) In the Scope column, expand the category name that describes the type of deployment or resource you want to secure.
2) Select the radio button next to the deployment or resource you want to secure. Then click the Next button.
– Select global scope so that the policy applies to all instances
Click on next.
– If you want a policy that applies to all instances of all MBeans in the scope that you selected on the previous page, select the radio button next to All MBean Types. Then click the Next button.
– If you want a policy that applies only to a specific MBean instance, in the MBean Type column, expand the categories of MBeans until you find the MBean. We can expand weblogic.management.runtime and select JMSDestinationRuntimeMBean for having the privileges to access the JMS queue, or select All MBean Types.
– To control read access for a specific non-encrypted attribute (applicable only if you selected a specific MBean to secure), expand the Attributes: Permission to Read category and select the attribute and select it.
– To control write access for a specific non-encrypted attribute (applicable only if you selected a specific MBean to secure), expand the Attributes: Permission to Write category and select the attribute and select it.
– To control write or read access for encrypted attributes, expand the Encrypted Attributes: Permission to Read or Encrypted Attributes: Permission to Write category and select the attribute and select it.
– To control access to a specific operation (applicable only if you selected a specific MBean to secure), expand the Operations: Permission to Invoke category and select the operation.
– To control access to lookup operations (which enable clients to find this MBean’s child MBeans) select the Lookup Operations: Permission to Invoke category or a specific lookup operation in the category.
For all MBean Typees, select Operations: Permission to Invoke
– Click on Create Policy.
– Click on “Add Condition” Button under Policy Conditions.
– Click on Next, leave the Role in Predicate List field.
– Add the “Admin” & “Monitor” Roles in “Role Argument Name” field.
– Click on Finish and then on Save.
Now log out of the console and login with the credentials of the user for which you have created the policy. Try to check the messages in the JMS queues, they will now be accessible.
If you face any issues in configuring the policies, or have any doubts or issues, do let us know.