Authorizing access to administrative roles

You can assign users and groups to administrative roles to identify users who can perform WebSphere Application Server administrative functions.

Before you begin

Administrative roles enable you to control access to WebSphere Application Server administrative functions. Refer to the descriptions of these roles in Administrative roles.

[z/OS]
  • Using System Authorization Facility (SAF) authorization to control access to administrative roles: When the property, com.ibm.security.SAF.authorization, is set to true, SAF EJBROLE profiles are used to control access to administrative roles and not administrative console settings. See System Authorization Facility for role-based authorization for more information.
  • If you select Use SAF EJBROLE profiles to enforce Java 2 Platform, Enterprise Edition (J2EE) roles during security domain setup in the Customization dialog, the following administrative roles are defined by the customization jobs. The security domain name might be specified during security domain setup, and the configGroup represents the WebSphere Application Server configuration group name that you chose. The SAF role names are case sensitive.
    RDEFINE EJBROLE (optionalSecurityDomainName.)administrator UACC(NONE)
    RDEFINE EJBROLE (optionalSecurityDomainName.)monitor       UACC(NONE)
    RDEFINE EJBROLE (optionalSecurityDomainName.)configurator  UACC(NONE)
    RDEFINE EJBROLE (optionalSecurityDomainName.)operator      UACC(NONE)
    
    PERMIT (optionalSecurityDomainName.)administrator CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
    PERMIT (optionalSecurityDomainName.)monitor       CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
    PERMIT (optionalSecurityDomainName.)configurator  CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
    PERMIT (optionalSecurityDomainName.)operator      CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
    
  • If you decide at a later date to turn on SAF authorization, you must issue these Resource Access Control Facility (RACF) commands to enable proper WebSphere Application Server operation. You can give a user access to all administrative functions by connecting to the configuration group:
    CONNECT  mvsid  GROUP(configGroup)
  • You can also assign individual users to specific roles by issuing the following RACF command:
    PERMIT (optionalSecurityDomainName.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)
  • You do not need to restart the server for SAF EJBROLE changes to take effect. However, after the SAF changes are made, you must issue the following RACF command, (or the equivalent for your security system), to refresh the security tables:
    SETROPTS RACLIST(EJBROLE)  REFRESH
  • Using WebSphere Authorization to control access to administrative roles: When com.ibm.security.SAF.authorization is set to false, WebSphere Application Server authorization and the administrative console are used to control access to administrative roles.
[AIX HP-UX Linux Solaris Windows]
  • Before you assign users to administrative roles, you must set up your user registry. For information on the supported registry types, see Selecting a user registry.
  • The following steps are needed to assign users to administrative roles.

About this task [AIX HP-UX Linux Solaris Windows]

You use the administrative console to assign users and groups to administrative roles and to identify users who can perform WebSphere Application Server administrative functions. In the administrative console,

Procedure

  1. Click Users and Groups. Click either Administrative User Roles or Administrative Group Roles.
  2. To add a user or a group, click Add on the Console users or Console groups panel.
  3. To add a new administrator user, enter a user identity in the User field, highlight Administrator, and click OK. If there is no validation error, the specified user is displayed with the assigned security role.
  4. To add a new administrative group, either enter a group name in the Specify group field or select EVERYONE or ALL AUTHENTICATED from the Special subject menu, highlight Administrator, and click OK. If no validation error occurs, the specified group or special subject is displayed with the assigned security role.
  5. To remove a user or group assignment, click Remove on the Console Users or the Console Groups panel. On the Console Users or the Console Groups panel, select the check box of the user or group to remove and click OK.
  6. To manage the set of users or groups to display, click Show filter function on the User Roles or Group Roles panel. In the Search term(s) box, type a value, then click Go. For example, user* displays only users with the user prefix.
  7. After the modifications are complete, click Save to save the mappings.
  8. Restart the application server for changes to take effect.
  9. [AIX HP-UX Linux Solaris Windows] Shut down the nodes, node agents, and the deployment manager.
  10. [AIX HP-UX Linux Solaris Windows] Verify that Java processes are not running. If they are running, discontinue these processes.
  11. [AIX HP-UX Linux Solaris Windows] Restart the deployment manager.
  12. [AIX HP-UX Linux Solaris Windows] Resynchronize the nodes. To resynchronize the nodes, run the install_root/bin/syncNode or the install_root/bin/syncNode.sh command for each node. For more information, see the syncNode command in the documentation.
  13. [AIX HP-UX Linux Solaris Windows] Restart the nodes. To restart the nodes, run the install_root/bin/startNode or the install_root/bin/startNode.sh command for each node. For more information, see the startNode command in the documentation.
  14. [AIX HP-UX Linux Solaris Windows] Start any clusters, if applicable.

What to do next [AIX HP-UX Linux Solaris Windows]

[AIX HP-UX Linux Solaris Windows] After you assign users to administrative roles, you must restart the Deployment Manager for the new roles to take effect. However, the administrative resources are not protected until you enable security.




In this information ...


IBM Redbooks, demos, education, and more

(Index)

Use IBM Suggests to retrieve related content from ibm.com and beyond, identified for your convenience.

This feature requires Internet access.

Task topic    

Terms of Use | Feedback

Last updated: Sep 20, 2010 11:08:29 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=tsec_tselugradro
File name: tsec_tselugradro.html