Virtual member manager provides role-based security both for changing the configuration and for using the runtime APIs.
Configuration security
The virtual member manager configuration can be changed from the WebSphere Administrative Console, the wsadmin commands, and scripting. Only a user assigned the WebSphere Application Server Administrator role can change the configuration from the console or by using the commands. The wsadmin commands can also be used in local mode during WebSphere Application Server installation.
Runtime security
During runtime operations, by default, virtual member manager supports only two roles:
- WebSphere Application Server Administrator: A user who authenticates as the WebSphere Application Server Administrator may perform any virtual member manager function against any virtual member manager object.
- Account Owner role: The Account Owner role is virtual member manager specific and not a J2EE role. If the authenticated user is the owner of the registry object, the user is programmatically assigned the Account Owner role. The authenticated user can change its own password and search on itself only. The user is not authorized to make any other modifications, nor can the user search, view, create, or delete any objects in the repositories.
Account-Owner-Role
    SEARCH  Entity/RolePlayer/Party/LoginAccount/*
    UPDATE  Entity/RolePlayer/Party/LoginAccount/*
    WRITE   Entity/RolePlayer/Party/LoginAccount/*  sensitive
    READ    Entity/RolePlayer/Party/LoginAccount/*  unchecked
    WRITE   Entity/RolePlayer/Party/LoginAccount/*  unchecked

All Authenticated Users
    Account-Owner-Role {Condition: OWNERSHIP == true}
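As an added illustration (not IBM's code and not the virtual member manager API), the following Python models the two runtime roles and the Account-Owner-Role permission table above: the `Principal`, `RegistryObject`, `effective_roles` and `authorize` names, and the reading of "sensitive"/"unchecked" as an attribute-class qualifier on the request, are assumptions.

```python
from dataclasses import dataclass

ADMIN_ROLE = "WebSphere Application Server Administrator"
ACCOUNT_OWNER_ROLE = "Account-Owner-Role"

# Account-Owner-Role permissions as listed on the page: (operation, object-type
# pattern, qualifier). "sensitive"/"unchecked" are treated here as an
# attribute-class qualifier that the request must match (an assumption).
ACCOUNT_OWNER_PERMISSIONS = {
    ("SEARCH", "Entity/RolePlayer/Party/LoginAccount/*", None),
    ("UPDATE", "Entity/RolePlayer/Party/LoginAccount/*", None),
    ("WRITE", "Entity/RolePlayer/Party/LoginAccount/*", "sensitive"),
    ("READ", "Entity/RolePlayer/Party/LoginAccount/*", "unchecked"),
    ("WRITE", "Entity/RolePlayer/Party/LoginAccount/*", "unchecked"),
}

@dataclass
class Principal:
    name: str
    roles: frozenset = frozenset()  # roles granted at authentication

@dataclass
class RegistryObject:
    entity_type: str  # e.g. "Entity/RolePlayer/Party/LoginAccount/PersonAccount"
    owner: str        # principal that owns this registry entry

def _type_matches(pattern, entity_type):
    # A trailing "/*" matches the named type and every subtype beneath it.
    if pattern.endswith("/*"):
        return entity_type == pattern[:-2] or entity_type.startswith(pattern[:-1])
    return pattern == entity_type

def effective_roles(principal, obj):
    """All Authenticated Users get Account-Owner-Role only when OWNERSHIP == true."""
    roles = set(principal.roles)
    if obj.owner == principal.name:
        roles.add(ACCOUNT_OWNER_ROLE)
    return roles

def authorize(principal, operation, obj, qualifier=None):
    """True if the principal may perform `operation` on `obj` under the two roles."""
    roles = effective_roles(principal, obj)
    if ADMIN_ROLE in roles:
        return True  # the Administrator may perform any function on any object
    if ACCOUNT_OWNER_ROLE in roles:
        return any(op == operation and qual == qualifier
                   and _type_matches(pattern, obj.entity_type)
                   for op, pattern, qual in ACCOUNT_OWNER_PERMISSIONS)
    return False  # no other role is recognised at runtime by default
```

Running the model against a constructed owner, a second account and an administrator shows the page's rule set directly: the owner can search itself and write its own sensitive attribute, but cannot touch another account or create or delete anything, while the Administrator is never restricted.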
The virtual member manager runtime API that WebSphere Application Server needs for authentication does not have any access control applied. The effect is twofold:
- It prevents circular dependencies between WebSphere Application Server security and virtual member manager during authentication to WebSphere Application Server.
- It provides fast authentication.