0 Replies Latest reply: Jun 26, 2012 4:18 PM by 945968

    User Access to different Gateway Instances controlled by Policy Center

      I am setting up Oracle Enterprise Gateway 11g in 3 runtime environments - TEST, UAT and PROD. Each environment will be running 2 instances of Enterprise Gateway for high availability and performance, so I have 6 instances in all. I would prefer using one single instance of Policy Center to control versioning, tagging and deployment of configuration on all instances of Enterprise Gateway in all environments. Currently all Enterprise Gateway and Policy Center instances have been set up using the default (and instance local) Policy Director (PD) User Store.

      Here is the issue:
      - Certain users (X) should be able to control deployment to Enterprise Gateway instances in the TEST environment (not UAT or PROD).
      - X users should be allowed to control versioning and tagging of configurations in Policy Center - in preparation for Y users.
      - Other users (Y) should have full control of deployment in all environments.

      How do I manage that with all users connected to Policy Center?

      I can almost control the user access as desired if I connect X users to the Enterprise Gateway instances directly from Policy Studio for the purpose of deployment, giving them Administrator rights in the local PD user store on these instances. The Y users can be granted Administrator rights to the global Policy Center instance, that's the easy part. I could give X users some fine-grained access (possibly a user-defined role) to Policy Center, allowing them to control versioning and tagging of configurations - but I cannot see how X users connected to Policy Center could be granted access to deploy to TEST without also giving them access to deploy to UAT and PROD. This is due to the fact that the connection (with authentication information) from Policy Center to its controlled Enterprise Gateway instances is stored globally for all Policy Center users on the Policy Center server.

      I cannot see how changing authentication to the instances to a centralized LDAP-compatible user store will solve the puzzle - but please correct me if I am wrong.

      Kind regards,