I need to tweak some role assignments in WebLogic 12 using WLST. In this case I want to assign a role to all members of a group.
Here is a Python script that works like a charm, provided said group name doesn't contain spaces (I know, I know...):
connect('XXXXXXXXXX', 'XXXXXXXXXXXXX', 't3://XXXXXXXX:XXXXXX')
cd ('SecurityConfiguration/weblogic/Realms/DecalogRealm/RoleMappers/DefaultRoleMapper')
print 'Setting condition for role "%s"...' % 'ComplianceSourceReader' ,
cmo.setRoleExpression(None,'ComplianceSourceReader',"Grp('ASSET MANAGER')")
print 'Done'
print "post edit report :"
print "=================="
print 'Role condition for "ComplianceSourceReader" role = %s' % (cmo.getRoleExpression(None,'ComplianceSourceReader'))
print
print "Done."
I tried several common ways of escaping the space char in the policy expression's group name, with no success so far. I always get the same error:
Caused by: weblogic.entitlement.data.EnCreateException: Missing ',' delimiter. for 'Grp("ASSET MANAGER")' at position:11
at weblogic.entitlement.engine.EEngine.setRoleEntitlements(EEngine.java:1150)
at weblogic.security.providers.authorization.DefaultRoleMapperImpl.setRoleExpression(DefaultRoleMapperImpl.java:328)
... 53 more
Is there a way around this, or will we have to change those group names?
You can check this using the weblogic.entitlement.parser.Parser class. WLST shell:
wls:/offline> from weblogic.entitlement.parser import Parser
wls:/offline> groups = ['ASSET MANAGER']
wls:/offline> print Parser.groups2Expr(groups)
{Grp(ASSET#KMANAGER)}
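The encoder from the answer applied to the question's script, as an added example that is not part of the original question or answer. It assumes `setRoleExpression` accepts the string that `Parser.groups2Expr` returns; `set_role_for_groups`, `FakeParser`, `FakeMapper` and `demo` are hypothetical names, and the fakes are constructed stand-ins so the block also runs outside WLST.

```python
# Added example, not code from the original post or from WebLogic.
# Works in WLST (Jython 2.x) and plain Python; no WebLogic import is needed here.

def set_role_for_groups(mapper, parser, role, groups, resource=None):
    """Grant `role` to all members of `groups`; return (old_expr, new_expr)."""
    if not groups or [g for g in groups if not g or not g.strip()]:
        raise ValueError('refusing to build a role expression from empty group names')
    # Let the entitlement parser encode the names instead of quoting by hand.
    expr = parser.groups2Expr(groups)
    old = mapper.getRoleExpression(resource, role)   # kept for audit and rollback
    mapper.setRoleExpression(resource, role, expr)   # raises if expr is rejected
    new = mapper.getRoleExpression(resource, role)
    if not new:
        # Assumption: an empty read-back means the mapping was lost; restore it.
        mapper.setRoleExpression(resource, role, old)
        raise RuntimeError('role %r had no expression after update; restored %r'
                           % (role, old))
    return old, new


class FakeParser:
    """Constructed stand-in: encodes a space as '#K', as in the output shown above.
    The '|' join for several groups is arbitrary and only used by this fake."""
    def groups2Expr(self, groups):
        return '{%s}' % '|'.join(['Grp(%s)' % g.replace(' ', '#K') for g in groups])


class FakeMapper:
    """Constructed stand-in for the role mapper MBean (cmo in the question)."""
    def __init__(self, expressions):
        self.expressions = dict(expressions)
    def getRoleExpression(self, resource, role):
        return self.expressions.get(role)
    def setRoleExpression(self, resource, role, expr):
        self.expressions[role] = expr


def demo():
    # 'Grp(Administrators)' is a constructed previous value for the role.
    mapper = FakeMapper({'ComplianceSourceReader': 'Grp(Administrators)'})
    return set_role_for_groups(mapper, FakeParser(), 'ComplianceSourceReader',
                               ['ASSET MANAGER'])

# In WLST, after connect() and cd() to the role mapper as in the question:
#   from weblogic.entitlement.parser import Parser
#   set_role_for_groups(cmo, Parser, 'ComplianceSourceReader', ['ASSET MANAGER'])
```

Log the returned old expression before moving on, since it is the only record of what the role granted before the change.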