Manually Creating Required IAM Policy
Create the required policies for the groups that control users' access to WebLogic Management resources.
If you are unsure how to set up the required policies, see Setting Up Required IAM Policy which shows you how WebLogic Management can set up the required policies for you.
User groups, dynamic groups and IAM policies specify which users and services can access certain OCI resources. You must identify which WebLogic Management resources the service can manage and which users can manage those resources. To do this, define user groups, dynamic groups, and then set up the required IAM policy.
If you're new to policies, see Getting Started with Policies. If you have specific policy requirements or use cases, see Policies and Permissions for more information.
Required Policy Statements
The following policy statements are required to use the service:
Policy statement | Description |
---|---|
Allow group $USER_GROUP to manage instance-family in compartment id $COMPARTMENT_ID | Allows the user group to manage WebLogic Management plugin in the compartment and its subcompartments. |
Allow group $USER_GROUP to read instance-agent-plugins in compartment id $COMPARTMENT_ID | Allows the user group to interact with the WebLogic Management plugin in the compartment and its subcompartments. |
Allow group $USER_GROUP to manage wlms-family in compartment id $COMPARTMENT_ID | Allows the user group to manage all WebLogic Management resources in the compartment and its subcompartments. |
Allow group $USER_GROUP to use wlms-config in tenancy | Allows the user group to read and update the WebLogic Management Service configuration for the tenancy. |
Allow group $USER_GROUP to manage secrets in compartment id $COMPARTMENT_ID | Allows the user group to manage OCI secrets in the compartment and its subcompartments. |
Allow dynamic-group $DYNAMIC_GROUP to read secret-bundles in compartment id $COMPARTMENT_ID | Allows the WebLogic Management plugin to read OCI secrets in the compartment and its subcompartments. |
Allow dynamic-group $DYNAMIC_GROUP to use wlms-managed-instance-plugins in tenancy | Allows the WebLogic Management plugin to use the WebLogic Management service. |
Allow resource wlms server-components to read instance-family in compartment id $COMPARTMENT_ID | Allows the WebLogic Management plugin to check the status of OCI instances. |
For other use cases, see Policy Examples.
Policy statements use the default identity domain unless you define the identity domain before the group or dynamic group name (for example, <identity_domain_name>/<dynamic_group_name>). For more information, see Policy Syntax.
Create Policy Statements
You can set the IAM policy for WebLogic Management either at the tenancy or compartment level.
Prerequisites
Before creating the policy, ensure you have the following:
- user group (<admin_user_group> in the examples)
- dynamic group (<wlms_dynamic_group> in the examples)

Policy statements
To apply the required IAM policy, obtain the required policy templates and then modify them with the necessary information.
- Overview.
- Click Set up policy.
- In the Policy statements section, click Copy policy statements and then click Cancel.
  Note: To use the APIs to retrieve the required policy templates for WebLogic Management, run the ListRequiredPolicies operation.
- Change the policy template statements as necessary, for example:
  - Template policy statement
    Allow group $USER_GROUP to manage instance-family in compartment id $COMPARTMENT_ID
    Changed to
    Allow group admin_user_group to manage wlms-family in compartment id <unique_OCID>
  - Template policy statement
    Allow dynamic-group $DYNAMIC_GROUP to use wlms-managed-instance-plugins in tenancy
    Changed to
    Allow dynamic-group wlms_dynamic_group to use wlms-managed-instance-plugins in tenancy
- Open the navigation menu, click Identity and then click Policies.
- Using the policy template statements you modified, create a policy. If you need help, see Creating a policy.
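
The substitution step above can be scripted. This added example is not from the original page or from Oracle; it fills the template placeholders from the Required Policy Statements table, rejects values that could change a statement's meaning, and lists the tenancy-wide statements for review. The function names, the allowed-name pattern and the OCID check are assumptions, and the sample OCID is a constructed placeholder.

```python
import re
from string import Template

# Templates copied from the Required Policy Statements table on this page.
TEMPLATES = [
    "Allow group $USER_GROUP to manage instance-family in compartment id $COMPARTMENT_ID",
    "Allow group $USER_GROUP to read instance-agent-plugins in compartment id $COMPARTMENT_ID",
    "Allow group $USER_GROUP to manage wlms-family in compartment id $COMPARTMENT_ID",
    "Allow group $USER_GROUP to use wlms-config in tenancy",
    "Allow group $USER_GROUP to manage secrets in compartment id $COMPARTMENT_ID",
    "Allow dynamic-group $DYNAMIC_GROUP to read secret-bundles in compartment id $COMPARTMENT_ID",
    "Allow dynamic-group $DYNAMIC_GROUP to use wlms-managed-instance-plugins in tenancy",
    "Allow resource wlms server-components to read instance-family in compartment id $COMPARTMENT_ID",
]

# Assumption: names are limited to these characters so a value cannot add policy words.
NAME = re.compile(r"[A-Za-z0-9_.-]+")
# Loose sanity check for a compartment (or root/tenancy) OCID, not a full validator.
OCID = re.compile(r"ocid1\.(compartment|tenancy)\.[a-z0-9-]+\.[a-z0-9-]*\.[a-z0-9]+")


def render_policy(user_group, dynamic_group, compartment_ocid, identity_domain=None):
    """Fill the page's template placeholders and return the finished statements."""
    names = [user_group, dynamic_group] + ([identity_domain] if identity_domain else [])
    for name in names:
        if not NAME.fullmatch(name):
            raise ValueError(f"unsafe group or domain name: {name!r}")
    if not OCID.fullmatch(compartment_ocid):
        raise ValueError(f"not a compartment OCID: {compartment_ocid!r}")
    # Optional <identity_domain_name>/<group_name> prefix, in the form the page shows.
    prefix = f"{identity_domain}/" if identity_domain else ""
    values = {
        "USER_GROUP": prefix + user_group,
        "DYNAMIC_GROUP": prefix + dynamic_group,
        "COMPARTMENT_ID": compartment_ocid,
    }
    # substitute() raises KeyError on any placeholder that has no value.
    return [Template(t).substitute(values) for t in TEMPLATES]


def tenancy_scoped(statements):
    """Return the statements whose scope is the whole tenancy, for review."""
    return [s for s in statements if s.endswith(" in tenancy")]


if __name__ == "__main__":
    # Constructed sample values; the OCID is a placeholder, not a real compartment.
    for line in render_policy("admin_user_group", "wlms_dynamic_group",
                              "ocid1.compartment.oc1..exampleuniqueid"):
        print(line)
```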