Fine-grained administrative security can be used in heterogeneous or single-server environments with some restrictions.
In WebSphere Application Server Version 6.0, heterogeneous systems are supported. Specifically, a deployment manager node can run in WebSphere Application Server Version 6.0, some nodes can run WebSphere Application Server Version 6.0, and other nodes can run WebSphere Application Server Version 5.x. In WebSphere Application Server Version 6.1, nodes are available for WebSphere Application Server Versions 5.x, 6.0, and Version 6.1.
Because all of the configurations that are done in deployment manager node are always of WebSphere Application Server Version 6.1 or higher, fine-grained administrative security can be enforced when configuring resources that belong to earlier releases. However, run-time code for versions lower than Version 6.1 cannot enforce fine-grained administrative security. Therefore, any resource instance that is not part of a WebSphere Application Server Version 6.1 node cannot be added to an authorization group.
You can also use fine-grained administrative security in a single-server environment. Various applications in the single server can be grouped and placed in different authorization groups. Therefore, different authorization constraints might exist for different applications.
After the administrative resource is removed from the authorization group, the administrative authorizer runtime must be notified by using the AuthorizationManager refreshAll MBean method.
The refreshAll command must be invoked after AdminConfig.save() and sync nodes. For example:
// get AuthorizationGroup Mbean wsadmin> set agBean [$AdminControl queryNames type=AuthorizationGroupManager,process=dmgr,*] wsadmin> $AdminControl invoke &agBean refreshAll
// get AuthorizationGroup Mbean wsadmin> set agBean AdminControl.queryNames('type=AuthorizationGroupManager,process=dmgr,*') wsadmin> AdminControl.invoke(agBean, 'refreshAll')
The server restart is no longer needed.
Each application server in the cell will be refreshed automatically when the refreshAll command is issued to the AuthorizationGroupManager MBean in the deployment manager or an administrative agent. All registered servers will be notified.