6.6.0.2.2.3.12: Managing security roles

The wscp SecurityRoleAssignment operations allow you to manage security roles for J2EE applications.

Role-based security enables declarative, customized authentication for applications. When a J2EE application is assembled, permission to execute methods is granted to one or more roles, which represent abstract groups of users. When the application is deployed, actual users or groups of users are assigned to these roles. When the application is run, WebSphere Application Server authorizes client requests based on the user's identification information and what roles the user is assigned to. For a more detailed description of how role-based authentication is implemented, see article 5.1.3.

The wscp SecurityRoleAssignment operations can be used to perform the following tasks:

  • List the roles that are defined for an enterprise application.

  • List the users and groups that are assigned to each role.

  • Add users and groups to a role.

  • Delete users and groups from a role.

  • Specify the identity under which enterprise bean methods are executed.

In addition to individual users and groups, the special groups "all users" and "all authenticated users" can be assigned to security roles.

Note that the SecurityRoleAssignment operations only work with existing security roles; they cannot be used to define new roles. However, you can define and assign security roles when you install an enterprise application with the wscp EnterpriseApp install command or install a module with the wscp Module install command. See 6.6.0.2.2.4.8: Creating an enterprise application for more information.

The wscp SecurityRoleAssignment examples in this section make use of the user-to-role mapping in the following table.

Banking enterprise application Roles
Teller Clerk Supervisor WebTeller
Users and groups TellerGroup Yes

Yes
Bob Yes Yes
Yes
Mary

Yes
ClerkGroup
Yes

Supervisor

Yes
SupervisorGroup

Yes

The following example command lists the roles defined for the Banking enterprise application:

wscp> SecurityRoleAssignment listRoles /EnterpriseApp:Banking/
Teller Clerk Supervisor WebTeller

The following example command lists the roles defined for the Banking application and the users assigned to each role:

wscp> SecurityRoleAssignment getUserRoleMapping /EnterpriseApp:Banking/
{Teller {Bob}} {Clerk {}} {Supervisor {Supervisor}} {WebTeller {Bob}}

The following example command lists the users assigned to the Teller role for the Banking application:

wscp> SecurityRoleAssignment getUserRoleMapping /EnterpriseApp:Banking/ -roles {Teller}
{Teller {Bob}}

The following example command lists the roles to which the user Bob is assigned:

wscp> SecurityRoleAssignment getUserRoleMapping /EnterpriseApp:Banking/ -users {Bob}
{Teller {Bob}} {WebTeller {Bob}}

The following example command lists the roles defined for the Banking application and the groups assigned to each role:

wscp> SecurityRoleAssignment getGroupRoleMapping /EnterpriseApp:Banking/
{Teller {TellerGroup}} {Clerk {ClerkGroup}} {Supervisor {}} {WebTeller {TellerGroup}}

The following example command lists the groups assigned to the WebTeller role for the Banking application:

wscp> SecurityRoleAssignment getGroupRoleMapping /EnterpriseApp:Banking/ -roles {WebTeller}
{WebTeller {TellerGroup}}

The following example command lists the special role mappings for the Banking application (that is, whether the role has been assigned to all users or all authenticated users):

wscp> SecurityRoleAssignment getSpecialRoleMapping /EnterpriseApp:Banking/

Return values are:

  • Everyone--All users

  • AllAuthenticatedUsers--All authenticated users

The following example command adds the user Mary to the Teller and WebTeller roles:

wscp> SecurityRoleAssignment addUserRoleMapping /EnterpriseApp:Banking/ -userroles {{Teller Mary} {WebTeller Mary}}

Use the -userroles option to specify which users are added to which roles. Enter either a role-user pair (such as {Teller Mary}) or a list of role-user pairs (such as {{Teller Mary} {WebTeller Mary}}).

The following example command adds the group ClerkGroup to the WebTeller role:

wscp> SecurityRoleAssignment addGroupRoleMapping /EnterpriseApp:Banking/ -grouproles {WebTeller ClerkGroup}

Use the -grouproles option to specify which groups are added to which security roles. Enter either a role-group pair (such as {WebTeller ClerkGroup}) or a list of role-group pairs (such as {{WebTeller ClerkGroup} {WebTeller SupervisorGroup}}).

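The following example command adds the special group AllAuthenticatedUsers to the Clerk role and the special group Everyone to the Teller role. A role mapped to Everyone is available to all users, including those who have not authenticated.

wscp> SecurityRoleAssignment addSpecialRoleMapping /EnterpriseApp:Banking/ -specialroles {{Clerk AllAuthenticatedUsers} {Teller Everyone}}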

Use the -specialroles option to specify which special groups are assigned to which security roles. Enter either a role-special group pair (such as {Clerk AllAuthenticatedUsers}) or a list of role-special group pairs (such as {{Clerk AllAuthenticatedUsers} {Teller Everyone}}).

The following example command deletes the user Bob from the Teller and WebTeller roles:

wscp> SecurityRoleAssignment deleteUserRoleMapping /EnterpriseApp:Banking/ -userroles {{Teller Bob} {WebTeller Bob}}

Use the -userroles option to specify which users are deleted from which roles. Enter either a role-user pair (such as {Teller Bob}) or a list of role-user pairs (such as {{Teller Bob} {WebTeller Bob}}).

The following example command deletes the group ClerkGroup from the WebTeller role:

wscp> SecurityRoleAssignment deleteGroupRoleMapping /EnterpriseApp:Banking/ -grouproles {WebTeller ClerkGroup}

Use the -grouproles option to specify which groups are deleted from which security roles. Enter either a role-group pair (such as {WebTeller ClerkGroup}) or a list of role-group pairs (such as {{WebTeller ClerkGroup} {WebTeller SupervisorGroup}}).

The following example command deletes the special groups Everyone (all users) and AllAuthenticatedUsers from the Clerk role:

wscp> SecurityRoleAssignment deleteSpecialRoleMapping /EnterpriseApp:Banking/ -specialroles {{Clerk AllAuthenticatedUsers} {Clerk Everyone}}

Use the -specialroles option to specify which special groups are deleted from which security roles. Enter either a role-special group pair (such as {Clerk AllAuthenticatedUsers}) or a list of role-special group pairs (such as {{Clerk AllAuthenticatedUsers} {Clerk Everyone}}).
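
The following Tcl procedures are an added example, not part of the original article or of IBM's code. They compare a mapping in the form returned by getUserRoleMapping or getGroupRoleMapping with an approved baseline and return the differences as role-principal pairs, the same pair form that -userroles and -grouproles take. The procedure names and the baseline mapping are assumptions made for this example.

```tcl
# Added example (not IBM code). Uses only basic Tcl list commands.
# Input shape, as printed by getUserRoleMapping / getGroupRoleMapping:
#   {Role {principal ...}} {Role {principal ...}} ...

# Flatten a role mapping into a sorted list of {role principal} pairs.
proc flattenMapping {mapping} {
    set pairs {}
    foreach entry $mapping {
        set role [lindex $entry 0]
        foreach principal [lindex $entry 1] {
            lappend pairs [list $role $principal]
        }
    }
    return [lsort $pairs]
}

# Return the pairs that appear in list a but not in list b.
proc pairsOnlyIn {a b} {
    set out {}
    foreach pair $a {
        if {[lsearch -exact $b $pair] < 0} {
            lappend out $pair
        }
    }
    return $out
}

# Compare the actual mapping with the approved baseline.
# Result: {unexpected {pairs}} {missing {pairs}}
proc auditMapping {actual baseline} {
    set a [flattenMapping $actual]
    set b [flattenMapping $baseline]
    return [list [list unexpected [pairsOnlyIn $a $b]] \
                 [list missing [pairsOnlyIn $b $a]]]
}

# Actual: the getUserRoleMapping output shown earlier in this article.
# Inside wscp, capture it directly instead:
#   set actual [SecurityRoleAssignment getUserRoleMapping /EnterpriseApp:Banking/]
set actual {{Teller {Bob}} {Clerk {}} {Supervisor {Supervisor}} {WebTeller {Bob}}}

# Baseline: constructed for this example (Mary, not Bob, is the approved Teller).
set baseline {{Teller {Mary}} {Clerk {}} {Supervisor {Supervisor}} {WebTeller {Bob}}}

set result [auditMapping $actual $baseline]
puts "unexpected: [lindex [lindex $result 0] 1]"
puts "missing:    [lindex [lindex $result 1] 1]"
```

The unexpected pairs are candidates for deleteUserRoleMapping, and the missing pairs are candidates for addUserRoleMapping; the same comparison applies to getGroupRoleMapping output and the group operations.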

The following example command lists the execution identities and roles that enterprise bean methods run under in the Banking application:

wscp> SecurityRoleAssignment getRunAsToUser /EnterpriseApp:Banking/
{Supervisor {Supervisor Bob}}

The following example command assigns the execution identity Mary for enterprise bean methods that run under the Supervisor role. A password must also be specified; in this case, the password is marypwd. The password is entered in clear text as part of the command, so restrict access to any script file that contains it.

wscp> SecurityRoleAssignment setRunAsToUser /EnterpriseApp:Banking/ -runasroles {Supervisor Mary marypwd}