6.6.0.2.2.3.12: Managing security roles

The wscp SecurityRoleAssignment operations allow you to manage security roles for J2EE applications. Role-based security enables declarative, customized authentication for applications. When a J2EE application is assembled, permission to execute methods is granted to one or more roles, which represent abstract groups of users. When the application is deployed, actual users or groups of users are assigned to these roles. When the application is run, WebSphere Application Server authorizes client requests based on the user's identification information and what roles the user is assigned to. For a more detailed description of how role-based authentication is implemented, see article 5.1.3.

The wscp SecurityRoleAssignment operations can be used to perform the following tasks:

In addition to individual users and groups, the special groups all users and all authenticated users can be assigned to security roles.

Note that the SecurityRoleAssignment operations only work with existing security roles; they cannot be used to define new roles. However, you can define and assign security roles when you install an enterprise application with the wscp EnterpriseApp install command or install a module with the wscp Module install command. See 6.6.0.2.2.4.8: Creating an enterprise application for more information.

The wscp SecurityRoleAssignment examples in this section make use of the user-to-role mapping in the following table.

The following example command lists the roles defined for the Banking enterprise application:

    wscp> SecurityRoleAssignment listRoles /EnterpriseApp:Banking/
    Teller Clerk Supervisor WebTeller

The following example command lists the roles defined for the Banking application and the users assigned to each role:

    wscp> SecurityRoleAssignment getUserRoleMapping /EnterpriseApp:Banking/
    {Teller {Bob}} {Clerk {}} {Supervisor {Supervisor}} {WebTeller {Bob}}

The following example command lists the users assigned to the Teller role for the Banking application:

    wscp> SecurityRoleAssignment getUserRoleMapping /EnterpriseApp:Banking/ -roles {Teller}
    {Teller {Bob}}

The following example command lists the roles to which the user Bob is assigned:

    wscp> SecurityRoleAssignment getUserRoleMapping /EnterpriseApp:Banking/ -users {Bob}
    {Teller {Bob}} {WebTeller {Bob}}

The following example command lists the roles defined for the Banking application and the groups assigned to each role:

    wscp> SecurityRoleAssignment getGroupRoleMapping /EnterpriseApp:Banking/
    {Teller {TellerGroup}} {Clerk {ClerkGroup}} {Supervisor {}} {WebTeller {TellerGroup}}

The following example command lists the groups assigned to the WebTeller role for the Banking application:

    wscp> SecurityRoleAssignment getGroupRoleMapping /EnterpriseApp:Banking/ -roles {WebTeller}
    {WebTeller {TellerGroup}}

The following example command lists the special role mappings for the Banking application (that is, whether the role has been assigned to all users or all authenticated users):

    wscp> SecurityRoleAssignment getSpecialRoleMapping /EnterpriseApp:Banking/

Return values are:

The following example command adds the user Mary to the Teller and WebTeller roles:

    wscp> SecurityRoleAssignment addUserRoleMapping /EnterpriseApp:Banking/ -userroles {{Teller Mary} {WebTeller Mary}}

Use the -userroles option to specify which users are added to which roles. Enter either a role-user pair (such as {Teller Mary}) or a list of role-user pairs (such as {{Teller Mary} {WebTeller Mary}}).

The following example command adds the group ClerkGroup to the WebTeller role:

    wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:Banking/ -grouproles {WebTeller ClerkGroup}

Use the -grouproles option to specify which groups are added to which security roles. Enter either a role-group pair (such as {WebTeller ClerkGroup}) or a list of role-group pairs (such as {{WebTeller ClerkGroup} {WebTeller SupervisorGroup}}).

The following example command adds the special group AllAuthenticatedUsers to the Clerk role:

    wscp> SecurityRoleAssignment addSpecialRoleMapping /EnterpriseApp:Banking/ -specialroles {{Clerk AllAuthenticatedUsers} {Teller Everyone}}

Use the -specialroles option to specify which special groups are assigned to which security roles. Enter either a role-special group pair (such as {Clerk AllAuthenticatedUsers}) or a list of role-special group pairs (such as {{Clerk AllAuthenticatedUsers} {Teller Everyone}}).

The following example command deletes the user Bob from the Teller and WebTeller roles:

    wscp> SecurityRoleAssignment deleteUserRoleMapping /EnterpriseApp:Banking/ -userroles {{Teller Bob} {WebTeller Bob}}

Use the -userroles option to specify which users are deleted from which roles. Enter either a role-user pair (such as {Teller Bob}) or a list of role-user pairs (such as {{Teller Bob} {WebTeller Bob}}).

The following example command deletes the group ClerkGroup from the WebTeller role:

    wscp> SecurityRoleAssignment deleteGroupRoleMapping /EnterpriseApp:Banking/ -grouproles {WebTeller ClerkGroup}

Use the -grouproles option to specify which groups are deleted from which security roles. Enter either a role-group pair (such as {WebTeller ClerkGroup}) or a list of role-group pairs (such as {{WebTeller ClerkGroup} {WebTeller SupervisorGroup}}).

The following example command deletes the special groups AllUsers and AllAuthenticatedUsers from the Clerk role:

    wscp> SecurityRoleAssignment deleteSpecialRoleMapping /EnterpriseApp:Banking/ -specialroles {{Clerk AllAuthenticatedUsers} {Clerk Everyone}}

Use the -specialroles option to specify which special groups are deleted from which security roles. Enter either a role-special group pair (such as {Clerk AllAuthenticatedUsers}) or a list of role-special group pairs (such as {{Clerk AllAuthenticatedUsers} {Clerk Everyone}}).

The following example command lists the execution identities and roles that enterprise bean methods run under in the Banking application:

    wscp> SecurityRoleAssignment getRunAsToUser /EnterpriseApp:Banking/
    {Supervisor {Supervisor Bob}}

The following example command assigns the execution identity Mary for enterprise bean methods that run under the Supervisor role. A password must also be specified; in this case, the password is marypwd.

    wscp> SecurityRoleAssignment setRunAsToUser /EnterpriseApp:Banking/ -runasroles {Supervisor Mary marypwd}
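
Output captured from getUserRoleMapping and getGroupRoleMapping can be reviewed offline for access audits. The Python script below is an added example, not part of the original IBM documentation: it parses the brace-delimited lists shown above, lists roles granted directly to individual users, and diffs two captures to show what a mapping change added or removed. The "after" capture for Mary is constructed, and it assumes that several users in one role appear space-separated inside the inner braces, which the page does not show.

```python
# Added example (not IBM code): offline review of captured wscp role-mapping output.
# Parses only the Tcl-list subset shown on this page: bare words and {...} groups.
USER_MAP = "{Teller {Bob}} {Clerk {}} {Supervisor {Supervisor}} {WebTeller {Bob}}"  # from the page
GROUP_MAP = "{Teller {TellerGroup}} {Clerk {ClerkGroup}} {Supervisor {}} {WebTeller {TellerGroup}}"  # from the page
# Constructed: assumed getUserRoleMapping output after the addUserRoleMapping example for Mary.
USER_MAP_AFTER = "{Teller {Bob Mary}} {Clerk {}} {Supervisor {Supervisor}} {WebTeller {Bob Mary}}"

def parse_tcl_list(text):
    """Return nested Python lists for a brace-quoted Tcl list."""
    pos = 0
    def items(nested):
        nonlocal pos
        out = []
        while pos < len(text):
            ch = text[pos]
            if ch.isspace():
                pos += 1
            elif ch == "{":
                pos += 1
                out.append(items(True))
            elif ch == "}":
                if not nested:
                    raise ValueError("unbalanced '}' at offset %d" % pos)
                pos += 1
                return out
            else:
                start = pos
                while pos < len(text) and not text[pos].isspace() and text[pos] not in "{}":
                    pos += 1
                out.append(text[start:pos])
        if nested:
            raise ValueError("missing closing '}'")
        return out
    return items(False)

def role_map(output):
    """Map each role to its set of users or groups in a get*RoleMapping result."""
    return {role: set(m if isinstance(m, list) else [m]) for role, m in parse_tcl_list(output)}

def direct_user_grants(user_out):
    """(role, user) pairs granted to individuals rather than through a group."""
    return sorted((r, u) for r, members in role_map(user_out).items() for u in members)

def mapping_diff(before_out, after_out):
    """(added, removed) sets of (role, principal) pairs between two captures."""
    pairs = lambda out: {(r, p) for r, ms in role_map(out).items() for p in ms}
    before, after = pairs(before_out), pairs(after_out)
    return after - before, before - after
```

Run mapping_diff on captures taken before and after a change window; any pair in the added set that was not part of an approved change is worth investigating.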