You can assign users and groups to roles if you are using WebSphere® Application Server authorization
for Java Platform, Enterprise Edition (Java EE) roles.
About this task
These steps are common for both installing
an application and modifying an existing application. If the application
contains roles, you see the Security role to user/group mapping link
during application installation and also during application management,
as a link in the Additional properties section.
- Access the administrative console.
Type http://server_name:port_number/ibm/console in
a web browser. When administrative security is enabled, the console redirects you to its secure (HTTPS) port.
- Click Applications > Application Types > WebSphere
enterprise applications > application_name .
- Under Detail properties, click Security role to user/group
mapping. A list of all the roles that belong to this
application is displayed. If the roles already have users, or if one
of the special subjects, AllAuthenticatedUsers, AllAuthenticatedInTrustedRealms,
or Everyone is assigned, they display here.
- To assign the special subjects, select the Everyone,
the All Authenticated in Application's Realm, or the All Authenticated in Trusted Realms option for the
appropriate roles. Everyone grants the role to every caller, including unauthenticated ones; the All Authenticated options grant it only to callers who have logged in successfully.
- To assign users or groups, select the role. You
can select multiple roles at the same time, if the same users or groups
are assigned to all the roles.
- Click Look up users or Look up groups.
- You can either search the user registry for the appropriate users
and groups, or add a user/group role mapping without performing a search.
Click Search for either option; the next steps
describe each of them.
- Get the appropriate users and groups from the user registry. Complete
the Limit and Search string fields, then click Search. The Limit field limits the number of users that are obtained
and displayed from the user registry. The search string is a
pattern that matches one or more users or groups. For example, user* lists
users such as user1 and user2. A pattern of a single asterisk (*) matches all users
or groups.
Use the limit and the search string cautiously so as
not to overwhelm the user registry. When you use a large user registry
such as Lightweight Directory Access Protocol (LDAP), where information
on thousands of users and groups resides, a search for a large number
of users or groups can slow the system or cause the search to fail.
When more entries exist than the limit allows, a message displays
at the top of the panel. Refine your search until you have the
required list.
If the search string you are using has no matches,
a NULL error message is displayed. This message is informational and
does not necessarily indicate an error, as it is valid to have no
entries matching your selected criteria.
- Add a user/group role mapping
Add
a user/group role mapping by clicking Search. Add IdP realms
to the list of inbound trusted realms. For each Identity provider
that is used with your WebSphere Application Server service provider,
you must grant inbound trust to all the realms that are used by the
identity provider.
- Click .
- Click .
- Fill in the external realm name.
- Click and . Skip remaining steps.
- Select the users and groups to include as members of these
roles from the Available field and click >> to add them
to the roles.
- To remove existing users and groups, select them from the Selected field
and click <<. When removing existing users
and groups from roles, use caution if those same roles are used as
RunAs roles.
For example, if the user1 user is assigned to the role1
RunAs role and you try to remove the user1 user from the role1 role,
the administrative console validation does not delete the user. A
user can only be part of a RunAs role if the user is already in a
role either directly or indirectly through a group. In this case,
the user1 user is in the role1 role. For more information on the validation
checks that are performed between RunAs role mapping and user and
group mapping to roles, see Assigning users to RunAs roles.
- Click OK. If any validation problems
exist between the role assignments and the RunAs role assignments,
the changes are not committed and an error message that indicates
the problem displays at the top of the panel. If a problem exists,
make sure that the user in the RunAs role is also a member of the
regular role. If the regular role contains a group that contains
the user in the RunAs role, make sure that the group is assigned to
the role using the administrative console. Follow steps 4 and 5. Avoid
any process that does not use the complete name of the group (the host name,
group name, or distinguished name (DN)), because the validation cannot resolve a partial name.
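The procedure above is entered through the console, but the same rules can be stated in code. The following is an added example, not IBM's code or part of this topic: it models the Security role to user/group mapping panel, reproduces the registry search with a Limit and a Search string, applies the RunAs check the console performs when you click OK (a RunAs user must hold the regular role directly or through a group, and the console refuses to remove such a user), and renders the result as the -MapRolesToUsers option string accepted by wsadmin's AdminApp.edit. The registry, users, groups and role names are constructed; the model omits the AllAuthenticatedInTrustedRealms subject, and you should confirm the column layout of -MapRolesToUsers against the AdminApp help for your server version before scripting with it.

```python
"""Model of the "Security role to user/group mapping" panel.

Added example, not IBM's code. Registry contents, users, groups and role
names are constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed user registry: user name -> set of groups the user belongs to.
REGISTRY = {
    "user1": {"developers"},
    "user2": {"developers", "ops"},
    "user3": set(),
    "admin": {"ops"},
}


def search_registry(pattern, limit, registry=REGISTRY):
    """Search the registry as the panel does: '*' matches any run of
    characters. Returns (matches, truncated); truncated is True when more
    entries exist than the limit allows, the case the panel flags with a
    message at the top."""
    matches = sorted(u for u in registry if fnmatchcase(u, pattern))
    return matches[:limit], len(matches) > limit


@dataclass
class RoleMapping:
    role: str
    everyone: bool = False          # special subject Everyone
    all_authenticated: bool = False  # special subject AllAuthenticatedUsers
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)

    def includes(self, user, registry=REGISTRY):
        """True if `user` holds the role directly, through a group, or
        through a special subject (registry users count as authenticated)."""
        if self.everyone or (self.all_authenticated and user in registry):
            return True
        if user in self.users:
            return True
        return bool(registry.get(user, set()) & self.groups)


def validate_runas(mappings, runas, registry=REGISTRY):
    """The check applied on OK: each RunAs user must also be a member of
    the regular role. Returns a list of problem messages (empty = commit)."""
    by_role = {m.role: m for m in mappings}
    problems = []
    for role, user in runas.items():
        mapping = by_role.get(role)
        if mapping is None or not mapping.includes(user, registry):
            problems.append(f"RunAs user {user!r} is not a member of role {role!r}")
    return problems


def remove_user(mapping, user, runas):
    """Remove `user` from the role's Selected list unless that user is the
    role's RunAs user, in which case the console keeps the user."""
    if runas.get(mapping.role) == user:
        return False
    mapping.users.discard(user)
    return True


def _yes_no(flag):
    return "Yes" if flag else "No"


def map_roles_to_users_option(mappings):
    """Render the wsadmin -MapRolesToUsers option: one row per role with
    role name, Everyone, AllAuthenticated, '|'-separated users and groups.
    Assumed layout; verify against AdminApp help for your version."""
    rows = []
    for m in mappings:
        rows.append('["{}" {} {} "{}" "{}"]'.format(
            m.role, _yes_no(m.everyone), _yes_no(m.all_authenticated),
            "|".join(sorted(m.users)), "|".join(sorted(m.groups))))
    return "[-MapRolesToUsers [" + " ".join(rows) + "]]"


if __name__ == "__main__":
    print(search_registry("user*", limit=2))           # (['user1', 'user2'], True)
    mappings = [
        RoleMapping("role1", users={"user1"}),
        RoleMapping("role2", groups={"ops"}),
        RoleMapping("Everyone role", everyone=True),
    ]
    runas = {"role1": "user1", "role2": "admin"}
    print(validate_runas(mappings, runas))             # [] -> would commit
    print(validate_runas(mappings, {"role2": "user1"}))  # user1 is not in ops
    print(remove_user(mappings[0], "user1", runas))    # False: user1 is RunAs for role1
    print(map_roles_to_users_option(mappings))
```

The `remove_user` and `validate_runas` functions encode the two outcomes the procedure describes: a RunAs user cannot be removed from the regular role, and a mapping with a RunAs user who is not in the regular role (directly or via a group) is rejected rather than committed.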
What to do next
This task is required to assign users and groups to roles,
which enables the correct users and groups to access a secured application.
If you are installing an application, complete your installation.
After the application is installed and running you can access your
resources according to the user and group mapping that you did in
this task. If you manage applications and modify the users and groups
to role mapping, make sure you save, stop, and restart the application
so that the changes become effective. Try accessing the Java EE resources in the application to verify
that the changes are effective.
Note: Depending upon how your active
user registry is configured, the search results of security user
or group role mappings are displayed in different formats. With federated
repository, LDAP, file-based and custom registries can be used. WebSphere Application Server can uniquely
identify users from various registries by the user names listed in
the table.
Attention: In a distributed environment, when you install WebSphere Application Server with samples,
enable security using federated repositories, and start the server1
server with sample applications, the server might log exceptions.
However, the server starts successfully. The deployment manager did
not create the sample user and group when it created the deployment manager
profile. To resolve the exceptions caused by the samples failing to load,
create the sample user and group yourself. In the administrative console,
do the following:
- Click Users and Groups > Manage Users.
- Create the samples user and the sampadmn group.
The samples user is a member of the sampadmn group.
For more assistance, refer to the "Managing users" help topic
by clicking
More information about this page at the top right
of the Manage Users panel.