When you assign roles, you have two choices: WebSphere
Application Server authorization, which uses the Security role
to user/group mapping panel of the administrative console, or
System Authorization Facility (SAF) role-based authorization,
which uses SAF authorization for Java 2 Platform, Enterprise Edition
(J2EE) roles. This topic describes only the first choice: using the
Security role to user/group mapping panel of the administrative console
(WebSphere Application Server authorization for J2EE roles) to assign
users and groups to roles.
Before you begin
Before you perform this task:
- Secure the Web applications and Enterprise JavaBeans (EJB) applications
where new roles are created and assigned to Web and enterprise bean
resources.
- Create all the roles in your application.
- Verify that you have properly configured the user registry that
contains the users that you want to assign. It is preferable to have
security turned on with the user registry of your choice before beginning
this process.
- If you change anything in the security configuration (for example,
enabling security or changing the user registry), save the configuration
and restart the server; the changes do not take effect until you do.
About this task
These steps are common for both installing an
application and modifying an existing application. If the application
contains roles, you see the Security role to user/group mapping link
during application installation and also during application management,
as a link in the Additional properties section.
Procedure
- Access the administrative console.
Type http://localhost:port_number/ibm/console in a Web browser.
- Click Applications > Enterprise applications > application_name.
- Under Detail properties, click Security
role to user/group mapping. A list of all the roles
that belong to this application is displayed. If the roles already
have users, or the All Authenticated or Everyone special subjects, assigned,
those assignments are displayed here.
- To assign the special subjects, select either the Everyone or the All Authenticated option for the appropriate roles.
- To assign users or groups, select the role. You can select multiple roles at the same time, if the same users
or groups are assigned to all the roles.
- Click Look up users or Look up groups.
- Get the appropriate users and groups from the user registry
by completing the Limit and the Search string fields and by clicking Search. The Limit field limits the number of users
or groups that are retrieved from the user registry and displayed. The Search string field
takes a pattern that matches one or more users or groups. For
example, user* lists users such as user1 and user2. A pattern consisting only of an
asterisk (*) matches all users or groups.
Use the limit and the
search strings cautiously so as not to overwhelm the user registry.
When you use large user registries such as Lightweight Directory Access
Protocol (LDAP), where information on thousands of users and groups
resides, a search that returns a large number of users or groups can slow
the system or cause it to fail. When more matching entries exist than the
Limit value allows, a message displays at the top of the panel. You can refine
your search until you have the required list.
If the search
string you are using has no matches, a NULL error message is displayed.
This message is informational and does not necessarily indicate an
error, because it is valid to have no entries that match your selected criteria.
- Select the users and groups to include as members of these
roles from the Available field and click >> to add them
to the roles.
- To remove existing users and groups, select them from the Selected field and click <<. When removing
existing users and groups from roles, use caution if those same roles
are used as RunAs roles.
For example, if the user1 user is assigned
to the role1 RunAs role and you try to remove the user1 user from
the role1 role, the administrative console validation does not delete
the user. A user can only be part of a RunAs role if the user is already
in a role either directly or indirectly through a group. In this case,
the user1 user is in the role1 role. For more information on the validation
checks that are performed between RunAs role mapping and user and
group mapping to roles, see Assigning users to RunAs roles.
- Click OK. If any validation problems
exist between the role assignments and the RunAs role assignments,
the changes are not committed and an error message that indicates
the problem displays at the top of the panel. If a problem exists,
make sure that the user in the RunAs role is also a member of the
regular role. If the regular role contains a group that contains
the user in the RunAs role, make sure that the group is assigned to
the role using the administrative console. Follow steps 4 and 5. Avoid
using the Application Server Toolkit or any other manual process where
the complete name of the group, host name, group name, or distinguished
name (DN) is not used.
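The following Python is an added illustration, not WebSphere code: it models the RunAs validation the previous steps describe (a RunAs user must already hold the role, directly or through a group, and the console refuses a removal that would break that) over a constructed, simplified mapping structure rather than the real binding-file schema. It also flags roles mapped to the Everyone special subject, since those grant access without authentication.

```python
from dataclasses import dataclass, field

@dataclass
class RoleBinding:
    """Constructed stand-in for one role's entry in the application binding."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    special: set = field(default_factory=set)   # e.g. "Everyone", "AllAuthenticated"

def effective_members(binding, group_members):
    """Users who hold the role directly or indirectly through a mapped group."""
    members = set(binding.users)
    for group in binding.groups:
        members |= group_members.get(group, set())
    return members

def validate(role_bindings, runas, group_members):
    """Mirror the console validation: every RunAs user must already be in the
    same role, directly or via a group. Also flag roles open to Everyone."""
    problems = []
    for role, user in runas.items():
        binding = role_bindings.get(role, RoleBinding())
        if user not in effective_members(binding, group_members):
            problems.append(f"RunAs user {user!r} is not a member of role {role!r}")
    for role, binding in role_bindings.items():
        if "Everyone" in binding.special:
            problems.append(f"role {role!r} is mapped to Everyone (no authentication)")
    return problems

def remove_user(role_bindings, runas, group_members, role, user):
    """Remove a direct user mapping unless a RunAs assignment depends on it;
    returns True when the removal was applied, False when it was refused."""
    binding = role_bindings[role]
    if runas.get(role) == user:
        after = RoleBinding(binding.users - {user}, binding.groups, binding.special)
        if user not in effective_members(after, group_members):
            return False
    binding.users.discard(user)
    return True

# Constructed sample registry and mapping (not from any real configuration).
GROUP_MEMBERS = {"admins": {"user1", "user2"}, "staff": {"user3"}}
BINDINGS = {
    "role1": RoleBinding(users={"user1"}),
    "role2": RoleBinding(groups={"staff"}),
    "role3": RoleBinding(special={"Everyone"}),
}
RUNAS = {"role1": "user1", "role2": "user1"}

if __name__ == "__main__":
    print(validate(BINDINGS, RUNAS, GROUP_MEMBERS))
```

Running the block reports that role2's RunAs user is not a member of role2 and that role3 is open to Everyone; a removal of user1 from role1 is refused until user1 also holds role1 through a group.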
Results
The user and group information is added to the binding file
in the application. This information is used later for authorization
purposes.
What to do next
This task is required to assign users and groups to roles,
which enables the correct users and groups to access a secured application.
If you are installing an application, complete your installation.
After the application is installed and running you can access your
resources according to the user and group mapping that you did in
this task. If you manage applications and modify the users and groups
to role mapping, make sure you save, stop, and restart the application
so that the changes become effective. Try accessing the J2EE resources
in the application to verify that the changes are effective.
Note: Depending on how your active user registry is configured,
the search results for security user or group role mappings are displayed
in different formats. With a federated repository, LDAP, file-based,
and custom registries can be used. WebSphere Application Server
uniquely identifies users from the various registries by the user name
formats listed in the table.