{"id":17183,"date":"2022-10-01T16:00:00","date_gmt":"2022-10-01T14:00:00","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/?p=17183"},"modified":"2024-09-10T17:26:49","modified_gmt":"2024-09-10T15:26:49","slug":"wlst-scripts-to-grant-privilege-to-monitor-and-view-jms-messages-in-weblogic-console","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/wlst-scripts-to-grant-privilege-to-monitor-and-view-jms-messages-in-weblogic-console\/","title":{"rendered":"WLST Scripts to grant privilege to monitor and view JMS messages in WebLogic Console"},"content":{"rendered":"\n<p>At a customer site, Ansible is used to deploy the full <a href=\"https:\/\/www.adcubum.com\/en\/our-solution\/aducubm-syrius\" target=\"_blank\" rel=\"noreferrer noopener\">Syrius<\/a> stack. One of the requirements was to give browse privileges to a group of people to monitor the JMS queues. I tried to follow the steps provided in the following Oracle documentation: <a href=\"https:\/\/docs.oracle.com\/en\/middleware\/fusion-middleware\/weblogic-server\/12.2.1.4\/roles\/xacmlusing.html#GUID-1DD32D4E-993A-4B8B-9FF7-67CCE866CE46\" target=\"_blank\" rel=\"noreferrer noopener\">Using XACML Documents to Secure WebLogic Resources<\/a>.<br>Those steps are complicated and were not fully working. I requested help from Oracle Support through a Service Request, which was concluded with the note <a href=\"https:\/\/support.oracle.com\/epmos\/faces\/DocumentDisplay?id=2860074.1\" target=\"_blank\" rel=\"noreferrer noopener\">Policy Not Available After Creating It Using WLST Script (Doc ID 2860074.1)<\/a>. <br>I finally found out that, instead of using XACML documents to secure WebLogic resources and calling setPolicyExpression to save the XACML documents already applied, I can use createPolicyExpression and avoid the use of XACML documents.<br>Granting the browsing privilege to a group of users can be done in three steps:<br>1. 
Create a role that will be used to assign the JMS browsing privilege<br>2. Create the policy to allow JMS queue browsing<br>3. Assign the role to a group of users<br>For simplicity, the three steps have been split into three separate WLST scripts, but of course they can be merged into a single WLST script.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>createRole.py<\/li><\/ol>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; highlight: [5]; title: ; notranslate\" title=\"\">\ntry:\n    try:\n        connect(&#039;&lt;USERNAME&gt;&#039;,&#039;&lt;PASSWORD&gt;&#039;,&#039;t3:\/\/&lt;HOST&gt;:&lt;PORT&gt;&#039;)  # connect to the AdminServer\n        rm=cmo.getSecurityConfiguration().getDefaultRealm().lookupRoleMapper(&quot;XACMLRoleMapper&quot;)\n        rm.createRole(None,&quot;MonitorJMSQueues&quot;,None,&quot;&quot;)\n        print &quot;MonitorJMSQueues Created&quot;\n        disconnect()\n    except:\n        # nested try blocks also run on the Jython 2.2 shipped with older WLST releases,\n        # which rejects except and finally on the same try\n        print &quot;ERROR... check error messages for cause.&quot;\n        exit(exitcode=1)\nfinally:\n    print &quot;end of role creation&quot;\n    exit()\n<\/pre><\/div>\n\n\n<p>2. 
createPolicy.py<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; highlight: [6]; title: ; notranslate\" title=\"\">\ndef allowJMSAccessForGroup():\n\n    try:\n        print &quot;cd(&#039;\/SecurityConfiguration\/&quot; + domainName + &quot;\/DefaultRealm\/myrealm\/Authorizers\/XACMLAuthorizer&#039;)&quot;\n        cd(&#039;\/SecurityConfiguration\/&#039; + domainName + &#039;\/DefaultRealm\/myrealm\/Authorizers\/XACMLAuthorizer&#039;)\n        cmo.createPolicyExpression(&#039;type=&lt;jmx&gt;, operation=invoke, application=, mbeanType=weblogic.management.runtime.JMSDestinationRuntimeMBean&#039;,&#039;{Rol(Admin) | Rol(MonitorJMSQueues)}&#039;)\n        # the policy above lets the Admin and MonitorJMSQueues roles invoke operations on JMSDestinationRuntimeMBean\n        print &quot;Create policy done&quot;\n        return True\n    except Exception, inst:\n        print inst\n        print sys.exc_info()&#x5B;0]\n        dumpStack()\n        sys.stderr.write(&quot;unable to apply JMS access policy for domain &quot; + domainName)\n        return False\n\n# domainName is a WLST variable that is set once connect() succeeds\nconnect(&#039;&lt;USERNAME&gt;&#039;,&#039;&lt;PASSWORD&gt;&#039;,&#039;t3s:\/\/&lt;HOST&gt;:&lt;PORT&gt;&#039;)\nserverConfig()\nallowJMSAccessForGroup()\ndisconnect()\nexit()\n<\/pre><\/div>\n\n\n<p>3. assignRole.py<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; highlight: [3,4]; title: ; notranslate\" title=\"\">\nconnect(&#039;&lt;USERNAME&gt;&#039;,&#039;&lt;PASSWORD&gt;&#039;,&#039;t3s:\/\/&lt;HOST&gt;:&lt;PORT&gt;&#039;)\n\nrm=cmo.getSecurityConfiguration().getDefaultRealm().lookupRoleMapper(&quot;XACMLRoleMapper&quot;)\nrm.setRoleExpression(&#039;&#039;,&#039;MonitorJMSQueues&#039;,&#039;Grp(JMS_MONITORING_GROUP)&#039;)\n<\/pre><\/div>\n\n\n<p>The JMS_MONITORING_GROUP needs to have the WebLogic monitoring role granted; the members of this group can then log in to the WebLogic console and navigate to the JMS service to check the content of the JMS queues. 
<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197],"tags":[],"type_dbi":[],"class_list":["post-17183","post","type-post","status-publish","format-standard","hentry","category-application-integration-middleware"],"acf":[],"yoast_head_json":{"author":"Middleware Team"}}