Fine-grained administrative security in heterogeneous and single-server environments

Fine-grained administrative security can be used in heterogeneous or single-server environments with some restrictions.

Fine-grained administrative security in a heterogeneous environment

In WebSphere Application Server Version 6.0, heterogeneous systems are supported. Specifically, the deployment manager node can run WebSphere Application Server Version 6.0, some nodes can run WebSphere Application Server Version 6.0, and other nodes can run WebSphere Application Server Version 5.x. In WebSphere Application Server Version 6.1, a cell can contain nodes running WebSphere Application Server Versions 5.x, 6.0, and 6.1.

Because all configuration is performed in the deployment manager node, which is always at WebSphere Application Server Version 6.1 or higher, fine-grained administrative security can be enforced when configuring resources that belong to earlier releases. However, the run-time code of versions earlier than Version 6.1 cannot enforce fine-grained administrative security. Therefore, a resource instance that is not part of a WebSphere Application Server Version 6.1 node cannot be added to an authorization group.

Fine-grained administrative security in a heterogeneous environment has the following restrictions:
  • Only nodes that are running WebSphere Application Server Version 6.1 can be part of an administrative authorization group.
  • Only servers that are running in a WebSphere Application Server Version 6.1 node can be part of an administrative authorization group.
  • Only applications that are targeted on servers running on WebSphere Application Server Version 6.1 can be part of an administrative authorization group.
  • If a cluster spans nodes of multiple releases, it cannot be part of an administrative authorization group.
  • If a cluster spans nodes of multiple releases, none of its members can be part of an administrative authorization group.
  • If an application is targeted on a cluster that spans multiple releases, that application cannot be part of an administrative authorization group.

Fine-grained administrative security in a single-server environment

You can also use fine-grained administrative security in a single-server environment. Various applications in the single server can be grouped and placed in different authorization groups. Therefore, different authorization constraints might exist for different applications.

Life cycle of fine-grained administrative resource

An administrative resource that was once part of an authorization group continues to be part of that authorization group until one of the following events occurs:
  • The administrative resource is removed from the authorization group. The resource then belongs to the cell-level authorization group.
  • The administrative resource is removed from the configuration. The resource then no longer exists in the configuration, but it still exists in the authorization group. Remove the administrative resource from the authorization group explicitly.

After the administrative resource is removed from the authorization group, the administrative authorizer runtime must be notified by invoking the refreshAll method of the AuthorizationGroupManager MBean.

Invoke refreshAll only after AdminConfig.save() and a node synchronization, so that the saved configuration has reached the nodes before the authorizer runtime reloads it. For example:

Jacl:
# get the AuthorizationGroupManager MBean in the deployment manager
wsadmin> set agBean [$AdminControl queryNames type=AuthorizationGroupManager,process=dmgr,*]

# notify the authorizer runtime
wsadmin> $AdminControl invoke $agBean refreshAll

Jython:
# get the AuthorizationGroupManager MBean in the deployment manager
wsadmin> agBean = AdminControl.queryNames('type=AuthorizationGroupManager,process=dmgr,*')

# notify the authorizer runtime
wsadmin> AdminControl.invoke(agBean, 'refreshAll')

A server restart is no longer needed after refreshAll is invoked.

Each application server in the cell is refreshed automatically when the refreshAll command is issued to the AuthorizationGroupManager MBean in the deployment manager or in an administrative agent: every registered server is notified.
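The full sequence described above (remove the resource from its authorization group, save, synchronize the nodes, then refreshAll) as one wsadmin Jython helper. This is an added example, not code from the IBM documentation; it assumes the AdminTask command removeResourceFromAuthorizationGroup with the -authorizationGroupName and -resourceName parameters, the NodeSync MBean on each node agent, and a deployment manager cell. The wsadmin objects are passed in as parameters so the helper can also be exercised with stand-in objects outside wsadmin.

```python
# Added example (not from the IBM page). Written for the Jython level that
# wsadmin ships with, so no f-strings or other newer syntax is used.

def remove_and_refresh(AdminTask, AdminConfig, AdminControl, group_name, resource):
    """Remove `resource` (for example 'Application=myApp') from authorization
    group `group_name`, persist and propagate the change, and refresh the
    authorizer runtime. Returns the ordered list of steps performed."""
    steps = []

    # 1. Remove the resource from the authorization group.
    #    Command and parameter names are assumed from the wsadmin AdminTask set.
    AdminTask.removeResourceFromAuthorizationGroup(
        '[-authorizationGroupName %s -resourceName %s]' % (group_name, resource))
    steps.append('removed %s from %s' % (resource, group_name))

    # 2. Persist the change in the master configuration repository.
    AdminConfig.save()
    steps.append('saved')

    # 3. Synchronize every node that exposes a NodeSync MBean (none in a
    #    single-server environment, so this loop simply does nothing there).
    #    queryNames returns one ObjectName per line.
    for sync_bean in AdminControl.queryNames('type=NodeSync,*').splitlines():
        if sync_bean:
            AdminControl.invoke(sync_bean, 'sync')
            steps.append('synced %s' % sync_bean)

    # 4. Notify the authorizer runtime; the deployment manager MBean forwards
    #    the refresh to every registered server, so no restart is required.
    ag_bean = AdminControl.queryNames(
        'type=AuthorizationGroupManager,process=dmgr,*')
    if not ag_bean:
        raise RuntimeError('AuthorizationGroupManager MBean not found in dmgr')
    AdminControl.invoke(ag_bean, 'refreshAll')
    steps.append('refreshAll')
    return steps
```

Inside wsadmin, call it as remove_and_refresh(AdminTask, AdminConfig, AdminControl, 'appGroup', 'Application=myApp').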

Last updated: Aug 31, 2013 2:56:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=csec_finehet_admsec
File name: csec_finehet_admsec.html