WebSphere

Setting up security for Business Space

When installing and configuring Business Space powered by WebSphere® for your product, consider security options for how your team works with artifacts in Business Space. You might want to set up application security, which also requires administrative security for the application. Also, to assign a Superuser role for Business Space, you must run a Jython script.

About this task

For best results, enable security before you configure Business Space. On the administrative console Secure administration, applications, and infrastructure page, you enable both administrative security and application security. You also designate a user account repository.

Considerations for using a user account repository with Business Space:
  • Based on the type of LDAP configuration that you are using, your settings can affect your ability to access Business Space correctly. Make sure that the user filters, the group filters, and mapping settings are configured properly. For more information, see Configuring Lightweight Directory Access Protocol search filters in the WebSphere Application Server documentation.
  • Based on the type of federated repository configuration that you are using, your settings can affect your ability to access Business Space correctly. Make sure that the realms are configured properly. For more information, see Managing the realm in a federated repository configuration in the WebSphere Application Server documentation.
  • If you are using a Microsoft® SQL Server database and the Standalone LDAP registry, make sure that the user distinguished name (user DN) does not exceed 131 characters. If any of the user DN entries exceed 131 characters, you must designate the Federated repositories option for the user account repository. When switching between federated repositories and other registries, all the existing spaces and pages are no longer accessible in Business Space and must be created again.
  • If you are using Federated repositories, you have additional capabilities in your widgets and framework, such as enhanced search capabilities. When searching for users to share spaces and pages, the search scope includes e-mail, a full user name, and user ID.

What you select for User account repository on the Secure administration, applications, and infrastructure administrative console page affects how the repository user and group attributes are used for your Business Space environment. Consult the following table for how common name, short name, distinguished name, and user ID attributes are used for users and groups.

The search capabilities in Business Space use short name, common name, and user ID to search for users. A user account that has at least one of these attributes defined is found in the search results. If a user has none of the attributes defined, an appropriate mapping of an equivalent attribute to one of the attributes is required. Map the attributes by configuring the Standalone LDAP registry or the Federated repositories on the Secure administration, applications, and infrastructure administrative console page. For more information about how to configure your specific type of repository, see Selecting a registry or repository in the WebSphere Application Server documentation.

Table 1. User account repository user and group object fields used with Business Space

Columns: User account repository; Type of repository object; Field displayed on Business Space welcome page; Displayed for ownership of spaces; Displayed in search results.

Federated repositories (Virtual Member Manager, or VMM), user object:
  • Welcome page: User ID (UID).
  • Ownership of spaces: Distinguished name (DN) is used for space and page access control lists (ACLs). A DN is always generated by the registry. Common name (CN) and Short name (SN) are required for space and page ownership to be displayed properly. Format = CN SN (concatenated).
  • Search results: CN and SN. Format = CN SN (concatenated). UID is required for user search to work properly. However, a user with no uid= attribute can log in and use Business Space.

Federated repositories (VMM), group object:
  • Welcome page: Not applicable.
  • Ownership of spaces: Not applicable.
  • Search results: CN is required.

Standalone LDAP, user object:
  • Welcome page: UID, if available.
  • Ownership of spaces: DN is used for space and page ownership and ACLs, for example: mail=email.id@domain.com,cn=realm,o=Org. A DN is always generated by the registry. CN and SN are required for space and page ownership to be displayed properly. Format = CN SN (concatenated).
  • Search results: CN and SN. Format = CN SN (concatenated). UID is required for user search to work properly. However, a user with no uid= attribute can log in and use Business Space.

Standalone LDAP, group object:
  • Welcome page: Not applicable.
  • Ownership of spaces: Not applicable.
  • Search results: CN is required.

Local Operating System, user object:
  • Welcome page: UID.
  • Ownership of spaces: If a name and password are defined in the operating system registry: UID. If a name, password, and full name (FN) are defined in the operating system registry: computer_name\user_full_name.
  • Search results: If a name and password are defined in the operating system registry: UID. If a name, password, and FN are defined in the operating system registry: computer_name\user_full_name.

Local Operating System, group object:
  • Welcome page: Not applicable.
  • Ownership of spaces: Not applicable.
  • Search results: computer_name\group_name is required.
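The attribute rules above (CN and SN for ownership display, UID for user search, the 131-character user DN limit with SQL Server and the Standalone LDAP registry) are easy to get wrong in a large directory. The following script is an added example, not IBM code and not part of the Business Space product: it audits user entries before security is enabled and reports which ones will display or search incorrectly. It assumes entries are exported as plain dictionaries of LDAP attribute name to value, that the registry and database types are passed in by the administrator, and that "short name" maps to the sn attribute as Table 1 labels it; the sample entries are constructed.

```python
"""Pre-flight audit of user entries against the Business Space attribute rules.

Added example; assumes user entries are dicts of LDAP attribute -> value
(for instance from an LDIF export) and that the administrator supplies the
registry type ("federated", "standalone_ldap") and database type ("sqlserver"
or other). Hypothetical helper names; not an IBM API.
"""

# Limit stated for a SQL Server database with the Standalone LDAP registry.
MAX_USER_DN_LENGTH = 131

# Constructed sample entries; not from any real directory.
SAMPLE_USERS = [
    {"dn": "uid=alice,ou=people,o=example", "uid": "alice", "cn": "Alice", "sn": "Smith"},
    {"dn": "cn=bob,ou=people,o=example", "cn": "Bob", "sn": "Jones"},          # no uid
    {"dn": "mail=carol@example.com,cn=realm,o=Org", "uid": "carol"},           # no cn/sn
    {"dn": "uid=dave,ou=" + "x" * 130 + ",o=example", "uid": "dave",
     "cn": "Dave", "sn": "Lee"},                                              # long DN
    {"dn": "mail=erin@example.com,o=example", "mail": "erin@example.com"},     # nothing searchable
]


def owner_display_name(entry):
    """Return the 'CN SN' string shown for space/page ownership, or None if incomplete."""
    cn, sn = entry.get("cn"), entry.get("sn")
    if not cn or not sn:
        return None
    return f"{cn} {sn}"


def is_searchable(entry):
    """User search matches on short name (sn), common name (cn) or user ID (uid)."""
    return any(entry.get(attr) for attr in ("uid", "cn", "sn"))


def check_user(entry, registry="federated", database="db2"):
    """Return a list of findings for one user entry (empty list means ready)."""
    findings = []
    if owner_display_name(entry) is None:
        findings.append("ownership display incomplete: both CN and SN are required")
    if not entry.get("uid"):
        findings.append("no uid attribute: the user can log in but user search will not find them")
    if not is_searchable(entry):
        findings.append("no uid, cn or sn: map an equivalent attribute in the registry configuration")
    dn_length = len(entry["dn"])
    if registry == "standalone_ldap" and database == "sqlserver" and dn_length > MAX_USER_DN_LENGTH:
        findings.append(f"user DN is {dn_length} characters (limit {MAX_USER_DN_LENGTH}): "
                        "switch the user account repository to Federated repositories")
    return findings


def audit(entries, registry, database):
    """Map each DN to its findings so an administrator can fix entries before enabling security."""
    return {entry["dn"]: check_user(entry, registry, database) for entry in entries}


if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_USERS, "standalone_ldap", "sqlserver").items():
        status = "ok" if not findings else "; ".join(findings)
        print(f"{dn[:40]:<40} {status}")
```

Run it against your own export before switching on application security; entries reported as "ok" will display ownership as CN SN and appear in share-space searches, and any DN finding tells you in advance whether the Federated repositories option is required rather than discovering it after spaces have been created.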

If you are using IBM® Tivoli® Access Manager WebSEAL and want to use it with your Business Space environment, you must complete additional configuration steps. Configure Tivoli Access Manager security with an external Java™ Authorization Contract for Containers (JACC) provider, configure WebSEAL with Tivoli Access Manager, configure WebSEAL with your product application server, and configure host junctions for your environment.

To set up users in the Business Space environment as administrators, you run a script to assign the Business Space superuser role.


Last updated: 22 June 2010


http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic/com.ibm.websphere.wbpm.bspace.config.620.doc/doc/tcfg_bsp_security.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.