6.6.18.1.a.5: Selecting users and groups for administrative roles with the Java administrative console

Use the Administrative Roles tabbed page of the Security Center wizard to assign users or groups to the administrative role.

The WebSphere security model can be configured to grant any user or group WebSphere administrator authority. This is encapsulated in the notion of an "AdminRole", which is scoped to the WebSphere administrative application. Any user who has been granted the administrative role, or who is part of a group that has been granted the administrative role, will be able to administer the WebSphere administrative domain. This role grants such a user or group the capability to perform any WebSphere administrative function. For example, the administrator can create a new application server, stop a running server, deploy an application, and configure security settings.

Mapping users or groups to administrative roles

The administrator maps a user or group as follows:

Using CosNaming security

CosNaming security offers more granular security control over CosNaming functions. CosNaming functions affect the content of the WebSphere name space. The functions are available on CosNaming servers such as the WebSphere Application Server Advanced Edition administrative server. There are generally two ways in which client programs can make CosNaming calls: through the JNDI interfaces, or by CORBA clients invoking CosNaming methods directly.

There are four new security roles:

Attempting a CosNaming operation without the proper role assignment results in an org.omg.CORBA.NO_PERMISSION exception from the CosNaming server.

WebSphere administrators must carefully evaluate use of their name space and assign roles accordingly. In most cases, users will need to be able to do JNDI lookups and, as such, administrators will need to assign the CosNamingRead role to the special subjects Everyone or All Authenticated Users.

Note that each CosNaming function is assigned to only one role. Therefore, users assigned the CosNamingCreate role will not be able to query the name space unless they are also assigned the CosNamingRead role. In most cases, a creator needs to be assigned three roles: CosNamingRead, CosNamingWrite, and CosNamingCreate.

In WebSphere Application Server Advanced Edition, the CosNaming Security function is automatically part of the administrative server. The new roles are administrative roles which can be assigned using the Administrative Roles page of the Security Center. By default, WebSphere grants all roles to the special subject Everyone. It is highly recommended that administrators evaluate their name space usage for security concerns and restrict access if necessary.

In WebSphere Application Server Advanced Single Server Edition, the CosNaming Security function comes in the nssecure.jar installable application. It can be added to any server by installing the nssecure.jar application. As part of the installation, the new roles are available for assignment.
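
The role rules above can be checked mechanically before a mapping is applied. The following is an added example, not IBM code and not a WebSphere API: it audits a role-to-subject mapping for name-space modification roles left open to Everyone and for creators lacking the companion roles. Assumptions: the mapping is a constructed Python dictionary, only the three role names that appear in the text are covered, group membership is not resolved, and a role held through Everyone or All Authenticated Users is treated as held by the subject.

```python
# Added example: audit a CosNaming role-to-subject mapping (constructed model).
EVERYONE = "Everyone"
ALL_AUTH = "All Authenticated Users"
READ, WRITE, CREATE = "CosNamingRead", "CosNamingWrite", "CosNamingCreate"


def effective_roles(subject, assignments, authenticated=True):
    """Roles held directly or through the special subjects (assumed semantics)."""
    roles = set()
    for role, subjects in assignments.items():
        if (subject in subjects or EVERYONE in subjects
                or (authenticated and ALL_AUTH in subjects)):
            roles.add(role)
    return roles


def audit(assignments):
    """Return (finding, role, subject) tuples for assignments worth reviewing."""
    findings = []
    # Name-space modification left open to the special subject Everyone.
    for role in (WRITE, CREATE):
        if EVERYONE in assignments.get(role, ()):
            findings.append(("open-to-everyone", role, EVERYONE))
    # Each function maps to one role, so a creator without Read or Write
    # will hit NO_PERMISSION on the operations those roles cover.
    for subject in sorted(assignments.get(CREATE, ())):
        if subject in (EVERYONE, ALL_AUTH):
            continue
        for role in sorted({READ, WRITE} - effective_roles(subject, assignments)):
            findings.append(("creator-missing-role", role, subject))
    return findings


# Constructed sample data: the default mapping described above, and a
# restricted one with hypothetical subjects "deployers" and "builder1".
DEFAULT = {READ: {EVERYONE}, WRITE: {EVERYONE}, CREATE: {EVERYONE}}
RESTRICTED = {
    READ: {ALL_AUTH},
    WRITE: {"deployers"},
    CREATE: {"deployers", "builder1"},
}

if __name__ == "__main__":
    for name, mapping in (("default", DEFAULT), ("restricted", RESTRICTED)):
        for finding in audit(mapping):
            print(name, *finding)
```

CosNamingRead granted to Everyone or All Authenticated Users is not reported, since the text treats that as the usual assignment for JNDI lookups.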