This article explains how to assign users to the RunAs roles for your application.
When a user ID and password are assigned to a RunAs role, they are validated against the user registry that is currently configured as active. By default, the local OS user registry is set as the active user registry. Therefore, when an application is installed and security is disabled on the server, the local OS user registry is used to validate the user ID and password that are assigned to the RunAs role. If the intended user registry for the application is not local OS, the validation fails. Therefore, map RunAs roles to users when security is enabled on the server. However, if the active user registry and the intended user registry after enabling security are the same, you can assign the user to a RunAs role when security is disabled.
If the Everyone or All Authenticated special subjects are assigned to a role, validation does not occur for that role.
Validation is done every time you click Apply in this panel or when you click OK in the Map security roles to users/groups panel. The check verifies that every user in every RunAs role exists in that role in the Map security roles to users/groups panel, either directly or indirectly through a group. If a role is assigned both a user and a group to which that user belongs, you can delete either the user or the group from the Map security roles to users/groups panel.
If the RunAs role user belongs to a group and that group is assigned to the role, make sure that the group is assigned to the role through the administrative console and not through an assembly tool or other method. When using the administrative console, the full name of the group is used (for example, hostname\groupName in Windows systems and distinguished names (DN) in Lightweight Directory Access Protocol (LDAP)). During the check, all the groups to which the RunAs role user belongs are obtained from the user registry. Because the list of groups obtained from the user registry contains the full names of the groups, the check works correctly. If the short name of a group is entered using an assembly tool, for example group1 instead of CN=group1, o=myCompany.com, this check fails.
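The following Python model of the check described in the two preceding paragraphs is an added example, not IBM code or a product API. The function name, data layout, role names, and user names are assumptions constructed for illustration, and group names are compared by exact string match as a simplification.

```python
# Model of the RunAs role check described above (illustrative; not IBM code).
SPECIAL_SUBJECTS = {"Everyone", "All Authenticated"}

# Constructed registry data: user -> full group names as the registry returns them.
REGISTRY_GROUPS = {
    "batchUser": ["CN=group1, o=myCompany.com"],
    "reportUser": ["CN=auditors, o=myCompany.com"],
}

def check_runas_roles(runas_users, role_mappings, registry_groups):
    """Return {role: reason} for every RunAs role whose user fails the check.

    runas_users:   role -> user ID assigned to the RunAs role
    role_mappings: role -> {"users": [...], "groups": [...], "special": [...]}
    """
    failures = {}
    for role, user in runas_users.items():
        mapping = role_mappings.get(role, {})
        # Roles mapped to a special subject are not validated.
        if SPECIAL_SUBJECTS & set(mapping.get("special", [])):
            continue
        if user in mapping.get("users", []):
            continue  # the user is in the role directly
        # Indirect membership: compare the registry's full group names with
        # the group names stored in the role mapping (assumed exact match).
        user_groups = set(registry_groups.get(user, []))
        if user_groups & set(mapping.get("groups", [])):
            continue
        failures[role] = f"{user} is not in role {role} directly or through a group"
    return failures

# Constructed sample: RunAs role -> assigned user.
RUNAS_USERS = {"BatchRole": "batchUser", "ReportRole": "batchUser", "OpenRole": "reportUser"}

# Groups mapped by full name, as the administrative console stores them.
CONSOLE_MAPPINGS = {
    "BatchRole": {"groups": ["CN=group1, o=myCompany.com"]},
    "ReportRole": {"users": ["batchUser"], "groups": ["CN=group1, o=myCompany.com"]},
    "OpenRole": {"special": ["All Authenticated"]},
}
# Same mappings, but BatchRole's group was entered by short name in an assembly tool.
SHORT_NAME_MAPPINGS = dict(CONSOLE_MAPPINGS, BatchRole={"groups": ["group1"]})

if __name__ == "__main__":
    print(check_runas_roles(RUNAS_USERS, CONSOLE_MAPPINGS, REGISTRY_GROUPS))
    print(check_runas_roles(RUNAS_USERS, SHORT_NAME_MAPPINGS, REGISTRY_GROUPS))
```

With the console-style mappings no role fails; with the short group name only BatchRole fails, because group1 never equals the full name that the registry returns.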
These steps are common to both installing an application and modifying an existing application. If the application contains RunAs roles, you see the Map RunAs roles to users link during application installation and also, when managing applications, as a link in the Additional properties section.
If you manage applications and modify the RunAs roles to users mapping, make sure you save, stop, and restart the application so that the changes become effective. Try accessing your Java 2 Platform, Enterprise Edition (J2EE) resources to verify that the new changes are in effect.