Users and Groups
The following sections describe the features and functions of users and groups:
- Overview of Users and Groups
- Creating Users
- Adding Users to Groups
- Modifying Users
- Deleting Users
- Default Groups
- Creating Groups
- Nesting Groups
- Modifying Groups
- Deleting Groups
Note: For information about how to perform administrative tasks related to users and groups using the weblogic.Admin command-line utility (rather than the WebLogic Server Administration Console GUI), see "Using weblogic.Admin Commands to Manage Users and Groups" in WebLogic Server Command Reference.
Overview of Users and Groups
A user is an entity that can be authenticated. A user can be a person or a software entity, such as a Java client. Each user is given a unique identity within a security realm. For more efficient security management, BEA recommends adding users to groups. A group is a collection of users who usually have something in common, such as working in the same department in a company.
Creating Users
Notes: The instructions in this section apply to the WebLogic Authentication provider only. If you customize the default security configuration to use a custom Authentication provider, use the administration tools supplied by that security provider to create a user.
When upgrading to the WebLogic Authentication provider, you cannot automatically load existing users into the WebLogic Authentication provider's database. For this release of WebLogic Server, adding existing users is a manual step. If you have many existing users, consider using the Realm Adapter Authentication provider. See "Configuring a Realm Adapter Authentication Provider" in Managing WebLogic Security.
To create a new user:
- In the left pane of the WebLogic Server Administration Console, expand Security > Realms.
- Expand the security realm for which you are creating a user (for example, myrealm).
- Click Users.
The Users page displays all the users currently defined in the WebLogic Authentication provider's database.
- Click the Configure a new User... link to display the Create User page.
Note: If multiple WebLogic Authentication providers are configured in the security realm, an intermediate page will list them in a table. From the table, select which WebLogic Authentication provider's database should store information for the new user before performing step 5.
- On the General tab, enter the name of the user in the Name field.
Do not use blank spaces, commas, hyphens, or any characters in this comma-separated list: \t, < >, #, |, &, ~, ?, ( ), { }. User names are case sensitive.
- Optionally, enter a description of the user (such as their full name) in the Description field.
- Enter a password for the user in the Password field.
The minimum password length for a user defined in the WebLogic Authentication provider is 8 characters. Do not use the user name/password combination weblogic/weblogic in a production environment.
- Re-enter the password for the user in the Confirm Password field.
- Click Apply to save your changes.
Adding Users to Groups
BEA recommends adding users to groups because groups allow you to manage a number of users at the same time. This is generally more efficient than managing each user individually.
In the procedure that follows, it is assumed that you have already created groups as described in Creating Groups, or that you will use the default groups described in Default Groups.
To add a user to a group:
- In the left pane of the WebLogic Server Administration Console, expand Security > Realms.
- Expand the security realm for which you are adding a user to a group (for example, myrealm).
- Click Users.
The Users page displays all the users currently defined in the WebLogic Authentication provider's database.
- Click the hyperlinked name of the user that you want to add to a group.
If you have many users, use the Filter By field at the top of the page to retrieve and list only the users that match your search criteria, then click the hyperlinked name. The Filter By field uses the asterisk (*) as the wildcard character.
- Select the Groups tab.
All the groups available in the WebLogic Authentication provider's database appear in the Possible Groups list box. All the groups to which the user belongs appear in the Current Groups list box.
- In the Possible Groups list box, highlight the name of a group.
- Click the highlighted arrow to move the group from the Possible Groups list box to the Current Groups list box.
- If desired, repeat steps 6 and 7 to add the user to multiple groups.
- Click Apply to save your changes.
Modifying Users
To modify an existing user:
- In the left pane of the WebLogic Server Administration Console, expand Security > Realms.
- Expand the security realm for which you are modifying a user (for example, myrealm).
- Click Users.
The Users page displays all the users currently defined in the WebLogic Authentication provider's database.
- Click the hyperlinked name of the user that you want to modify.
If you have many users, use the Filter By field at the top of the page to retrieve and list only the users that match your search criteria, then click the hyperlinked name. The Filter By field uses the asterisk (*) as the wildcard character.
- Use the General tab to modify the user's description or password, and the Groups tab to modify the user's membership in one or more groups. (See Creating Users and Adding Users to Groups for specific instructions.)
Deleting Users
To delete an existing user:
- In the left pane of the WebLogic Server Administration Console, expand Security > Realms.
- Expand the security realm from which you are deleting a user (for example, myrealm).
- Click Users.
The Users page displays all the users currently defined in the WebLogic Authentication provider's database.
- Click the trash can icon that is located in the same row as the user you want to delete.
If you have many users, use the Filter By field at the top of the page to retrieve and list only the users that match your search criteria, then click the trash can icon. The Filter By field uses the asterisk (*) as the wildcard character.
- Click Yes to confirm the deletion.
- Click Continue.
The Users page no longer shows the deleted user in the table.
Default Groups
By default, WebLogic Server defines the groups shown in Table 3-1.
| Group Name | Membership |
|---|---|
| users | Users, when they log in (for example, through a Web page). The users group includes all users except the <anonymous> user. See "Guest and <anonymous> Users" in the WebLogic Server 8.1 Upgrade Guide. |
| everyone | Every user is a member of this group. The users group is nested within the everyone group. |
| Administrators | By default, this group contains the user information entered as part of the installation process (that is, the Configuration Wizard), and the system user if the WebLogic Server instance is running Compatibility security. Any user assigned to the Administrators group is granted the Admin security role by default. |
| Deployers | By default, this group is empty. Any user assigned to the Deployers group is granted the Deployer security role by default. |
| Operators | By default, this group is empty. Any user assigned to the Operators group is granted the Operator security role by default. |
| Monitors | By default, this group is empty. Any user assigned to the Monitors group is granted the Monitor security role by default. |
For more information about the default security roles, see Default Global Roles.
You can add to the default groups by creating your own, as described in Creating Groups.
Creating Groups
Notes: The instructions in this section apply to the WebLogic Authentication provider only. If you customize the default security configuration to use a custom Authentication provider, use the administration tools supplied by that security provider to create a group.
When upgrading to the WebLogic Authentication provider, you cannot automatically load existing groups into the WebLogic Authentication provider's database. For this release of WebLogic Server, adding existing groups is a manual step. If you have many existing groups, consider using the Realm Adapter Authentication provider. See "Configuring a Realm Adapter Authentication Provider" in Managing WebLogic Security.
To create a new group:
- In the left pane of the WebLogic Server Administration Console, expand Security > Realms.
- Expand the security realm for which you are creating a group (for example, myrealm).
- Click Groups.
The Groups page displays all the groups currently defined in the WebLogic Authentication provider's database.
- Click the Configure a new Group... link to display the Create Group page.
Note: If multiple WebLogic Authentication providers are configured in the security realm, an intermediate page will list them in a table. From the table, select which WebLogic Authentication provider's database should store information for the new group before performing step 5.
- On the General tab, enter the name of the group in the Name field.
Do not use blank spaces, commas, hyphens, or any characters in this comma-separated list: \t, < >, #, |, &, ~, ?, ( ), { }. Group names are case sensitive. Group names are plural, according to the BEA convention.
- Optionally, enter a description of the group in the Description field.
- Click Apply to save your changes.
Nesting Groups
Optionally, you can nest groups within other groups.
Note: In the procedure that follows, it is assumed that you have already created groups as described in Creating Groups or that you will use the default groups described in Default Groups.
To nest a group within another group:
- In the left pane of the WebLogic Server Administration Console, expand Security > Realms.
- Expand the security realm for which you are nesting a group (for example, myrealm).
- Click Groups.
The Groups page displays all the groups currently defined in the WebLogic Authentication provider's database.
- Click the hyperlinked name of the group that you want to nest within another group.
If you have many groups, use the Filter By field at the top of the page to retrieve and list only the groups that match your search criteria, then click the hyperlinked name. The Filter By field uses the asterisk (*) as the wildcard character.
- Select the Membership tab.
All the groups available in the WebLogic Authentication provider's database appear in the Possible Groups list box. All the groups in which the group is nested appear in the Current Groups list box.
- In the Possible Groups list box, highlight the name of a group.
- Click the highlighted arrow to move the group from the Possible Groups list box to the Current Groups list box.
- If desired, repeat steps 6 and 7 to nest the group within multiple groups.
- Click Apply to save your changes.
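The following is an added example, not BEA's code and not a WebLogic API: it models nesting as a graph to show which default roles from Table 3-1 a user picks up indirectly through nested groups. It assumes that members of a nested group are treated as members of the containing group; the non-default group names, the user names, and all function names are constructed for illustration.

```python
from collections import deque

# Default group -> role granted by default, as listed in Table 3-1 on this page.
DEFAULT_ROLE = {"Administrators": "Admin", "Deployers": "Deployer",
                "Operators": "Operator", "Monitors": "Monitor"}

def effective_groups(direct, nested_in):
    """Return every group reached from `direct` by following nesting upward.
    direct: groups on the user's Groups tab; nested_in: group -> containing groups."""
    seen, queue = set(), deque(direct)
    while queue:
        g = queue.popleft()
        if g in seen:            # already visited; also terminates on nesting cycles
            continue
        seen.add(g)
        queue.extend(nested_in.get(g, ()))
    return seen

def effective_roles(direct, nested_in):
    """Default roles granted by the user's direct and inherited groups."""
    return {DEFAULT_ROLE[g] for g in effective_groups(direct, nested_in) if g in DEFAULT_ROLE}

def audit(users, nested_in):
    """Map user -> sorted roles obtained only through nesting, not direct membership."""
    findings = {}
    for user, direct in users.items():
        via_nesting = effective_roles(direct, nested_in) - effective_roles(direct, {})
        if via_nesting:
            findings[user] = sorted(via_nesting)
    return findings

# Constructed nesting data (assumption); OnCall <-> Operators is a deliberate cycle.
NESTED_IN = {
    "users": {"everyone"},
    "ReleaseEngineers": {"Deployers"},
    "OnCall": {"Operators", "ReleaseEngineers"},
    "Contractors": {"OnCall"},
    "Operators": {"OnCall"},
}
# Constructed users and their direct group memberships (assumption).
USERS = {
    "alice": {"Administrators"},
    "bob": {"Contractors"},
    "carol": {"Monitors", "ReleaseEngineers"},
    "dave": {"users"},
}

if __name__ == "__main__":
    for user, roles in sorted(audit(USERS, NESTED_IN).items()):
        print(f"{user}: gains {', '.join(roles)} through nested groups")
```

Reviewing this kind of listing before nesting a group within Administrators, Deployers, Operators, or Monitors shows which existing users would receive the corresponding role as a side effect.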
Modifying Groups
To modify an existing group:
- In the left pane of the WebLogic Server Administration Console, expand Security > Realms.
- Expand the security realm for which you are modifying a group (for example, myrealm).
- Click Groups.
The Groups page displays all the groups currently defined in the WebLogic Authentication provider's database.
- Click the hyperlinked name of the group that you want to modify.
If you have many groups, use the Filter By field at the top of the page to retrieve and list only the groups that match your search criteria, then click the hyperlinked name. The Filter By field uses the asterisk (*) as the wildcard character.
- Use the General tab to modify the group's description, and the Membership tab to modify the group's membership in one or more other groups. (See Creating Groups and Nesting Groups for specific instructions.)
Deleting Groups
To delete an existing group:
- In the left pane of the WebLogic Server Administration Console, expand Security > Realms.
- Expand the security realm from which you are deleting a group (for example, myrealm).
- Click Groups.
The Groups page displays all the groups currently defined in the WebLogic Authentication provider's database.
- Click the trash can icon that is located in the same row as the group you want to delete.
If you have many groups, use the Filter By field at the top of the page to retrieve and list only the groups that match your search criteria, then click the trash can icon. The Filter By field uses the asterisk (*) as the wildcard character.
- Click Yes to confirm the deletion.
- Click Continue.
The Groups page no longer shows the deleted group in the table.