WebSphere Enterprise Service Bus, Version 6.2.0
Operating Systems: AIX, HP-UX, i5/OS, Linux, Solaris, Windows


Administrative security roles

Several administrative security roles are provided as part of the WebSphere® Process Server installation.

There are seven roles provided as part of the administrative console. These roles grant permission to ranges of functionality on the administrative console. When administrative security is enabled, a user must be mapped to one of these seven roles in order to access the administrative console.

The first user to log in to the server after installation is added to the administrator role.

Table 1. Administrative security roles
Administrative security role | Description
Monitor | A member of the monitor role can view the WebSphere Process Server configuration and the current state of the server.
Configurator | A member of the configurator role can edit the WebSphere Process Server configuration.
Operator | A member of the operator role has monitor privileges, plus the ability to modify the runtime state (that is, start and stop the server).
Administrator | The administrator role is a combination of configurator and operator roles plus additional privileges granted solely to the administrator role. Examples include:
  • Modifying the server user ID and password
  • Mapping users and groups to the administrator role
  The administrator also has the permission required to access sensitive information, such as:
  • LTPA password
  • keys
Adminsecuritymanager | Only users who are granted this role can map users to administrative roles. Also, when fine-grained administrative security is used, only users who are granted this role can manage authorization groups. See Administrative roles for more information.
Deployer | Users who are granted this role can perform both configuration actions and runtime operations on applications.
iscadmins | This role is only available for administrative console users and not for wsadmin users. Users who are granted this role have administrator privileges for managing users and groups in the federated repositories. For example, a user of the iscadmins role can complete the following tasks:
  • Create, update, or delete users in the federated repositories configuration
  • Create, update, or delete groups in the federated repositories configuration

The server ID that is specified when you enable administrative security is automatically mapped to the administrator role. Users or groups can be added to and removed from the administrative roles at any time through the WebSphere Process Server administrative console. However, a server restart is required for the changes to take effect. A best practice is to map a group or groups, rather than specific users, to administrative roles because it is more flexible and easier to administer. By mapping a group to an administrative role, adding or removing users to or from the group occurs outside of WebSphere Process Server and does not require a server restart for the change to take effect.

The failed event manager can be operated by any user granted either the administrator or the operator role.

Selectors can be configured by any user granted either the administrator or the configurator role.

In addition to mapping users or groups, a special-subject can also be mapped to the administrative roles. A special-subject is a generalization of a particular class of users.
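The mapping rules above can be checked mechanically when reviewing who holds which role. The following is an added example, not IBM code: it audits a constructed list of role mappings, flags mappings made to individual users or to a special-subject instead of a group, and reports which principals can operate the failed event manager, configure selectors, or reach the sensitive information reserved for the administrator role. The tuple input format and all principal names are assumptions made for illustration.

```python
# Added example: audit a constructed list of administrative role mappings.
# The (role, kind, principal) tuple format is an assumption, not a product export.

KNOWN_ROLES = {"monitor", "configurator", "operator", "administrator",
               "adminsecuritymanager", "deployer", "iscadmins"}

# Roles that grant each capability, as stated on this page.
CAPABILITIES = {
    "failed_event_manager": {"administrator", "operator"},
    "selectors": {"administrator", "configurator"},
    "sensitive_data": {"administrator"},  # LTPA password, keys
}

def audit(mappings):
    """Return (findings, access) for (role, kind, principal) tuples.

    kind is "user", "group" or "special" (a special-subject).
    """
    findings = []
    access = {cap: set() for cap in CAPABILITIES}
    for role, kind, principal in mappings:
        role = role.lower()
        if role not in KNOWN_ROLES:
            findings.append(("unknown-role", role, principal))
            continue
        if kind == "user":
            # Changing a user mapping needs a server restart; group membership does not.
            findings.append(("direct-user-mapping", role, principal))
        elif kind == "special":
            # A special-subject covers a whole class of users.
            findings.append(("special-subject-mapping", role, principal))
        for cap, roles in CAPABILITIES.items():
            if role in roles:
                access[cap].add(principal)
    return findings, access

# Constructed sample data; every principal name is hypothetical.
SAMPLE = [
    ("Administrator", "user", "serverid"),
    ("Operator", "group", "ops-team"),
    ("Configurator", "user", "jsmith"),
    ("Monitor", "special", "example-special-subject"),
    ("Superuser", "group", "audit-team"),  # not one of the seven roles
]

if __name__ == "__main__":
    findings, access = audit(SAMPLE)
    for finding in findings:
        print(*finding)
    for cap, principals in sorted(access.items()):
        print(cap, sorted(principals))
```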



Last updated: 21 June 2010


http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic//com.ibm.websphere.wesb620.doc/doc/csec_administrativeroles.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.