When installing and configuring Business Space powered by WebSphere® for your product, consider security options for how your team works with artifacts in Business Space. You might want to set up application security, which also requires administrative security for the application. Also, to assign a Superuser role for Business Space, you must run a Jython script.
For best results, enable security before you configure Business Space. You enable both administrative security and application security on the Secure administration, applications, and infrastructure page of the administrative console. On the same page, you also designate a user account repository.
What you select for User account repository on the Secure administration, applications, and infrastructure administrative console page affects how the repository user and group attributes are used for your Business Space environment. Consult the following table for how common name, short name, distinguished name, and user ID attributes are used for users and groups.
The search capabilities in Business Space use short name, common name, and user ID to search for users. A user account that has at least one of these attributes defined is found in the search results. If a user has none of the attributes defined, an appropriate mapping of an equivalent attribute to one of the attributes is required. Map the attributes by configuring the Standalone LDAP registry or the Federated repositories on the Secure administration, applications, and infrastructure administrative console page. For more information about how to configure your specific type of repository, see Selecting a registry or repository in the WebSphere Application Server documentation.
User account repository | Type of repository object field | Displayed on Business Space welcome page | Displayed for ownership of spaces | Displayed in search results |
---|---|---|---|---|
Federated repositories (Virtual Member Manager, or VMM) | user | User ID (UID) | Distinguished name (DN) is used for space and page access control lists (ACLs). A DN is always generated by the registry. Common name (CN) and Short name (SN) are required for space and page ownership to be displayed properly. Format = CN SN (concatenated). | CN and SN. Format = CN SN (concatenated). UID is required for user search to work properly. However, a user with no uid= attribute can log in and use Business Space. |
Federated repositories (VMM) | group | Not applicable | Not applicable | CN is required. |
Standalone LDAP | user | UID, if available | DN is used for space and page ownership and ACLs, for example: mail=email.id@domain.com, cn=realm,o=Org. A DN is always generated by the registry. CN and SN are required for space and page ownership to be displayed properly. Format = CN SN (concatenated). | CN and SN. Format = CN SN (concatenated). UID is required for user search to work properly. However, a user with no uid= attribute can log in and use Business Space. |
Standalone LDAP | group | Not applicable | Not applicable | CN is required. |
Local Operating System | user | UID | If a name and password are defined in the operating system registry: UID. If a name, password, and full name (FN) are defined in the operating system registry: computer_name\user_full_name | If a name and password are defined in the operating system registry: UID. If a name, password, and FN are defined in the operating system registry: computer_name\user_full_name |
Local Operating System | group | Not applicable | Not applicable | computer_name\group_name is required. |
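The attribute rules in the table can be checked against a directory export before Business Space is configured. The following is an added example, not IBM code: it assumes that the UID, CN and SN in the table correspond to the LDAP attributes `uid`, `cn` and `sn`, that groups carry the object classes listed in `GROUP_CLASSES`, and that the export is plain LDIF without folded or base64 lines.

```python
# Added example, not IBM code. Assumes LDAP attributes uid, cn, sn; sample LDIF is constructed.
SAMPLE_LDIF = """\
dn: uid=asmith,ou=people,o=Org
uid: asmith
cn: Alice
sn: Smith

dn: cn=Bob Jones,ou=people,o=Org
cn: Bob
sn: Jones

dn: mail=carol@example.com,ou=people,o=Org
mail: carol@example.com

dn: cn=space-admins,ou=groups,o=Org
objectClass: groupOfNames
cn: space-admins
"""
GROUP_CLASSES = {"groupofnames", "groupofuniquenames"}  # assumed group object classes

def parse_ldif(text):
    """Parse unfolded, non-base64 LDIF into a list of {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return {dn: [findings]} for entries that break a rule from the table."""
    report = {}
    for e in entries:
        present = {a for a in ("uid", "cn", "sn") if any(e.get(a, []))}
        is_group = any(c.lower() in GROUP_CLASSES for c in e.get("objectclass", []))
        checks = [
            (is_group and "cn" not in present, "group: CN missing, required in search results"),
            (not is_group and not present, "user: no uid, cn or sn, map an equivalent attribute"),
            (not is_group and bool(present) and "uid" not in present, "user: uid missing, user search may not work properly"),
            (not is_group and not {"cn", "sn"} <= present, "user: CN and SN needed to display ownership"),
        ]
        findings = [msg for failed, msg in checks if failed]
        if findings:
            report[e["dn"][0]] = findings
    return report
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` reports the two constructed entries that lack `uid`; entries that satisfy every rule are omitted from the result.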
If you are using IBM® Tivoli® Access Manager WebSEAL and want to use it with your Business Space environment, you must complete additional configuration steps. Configure Tivoli Access Manager security with an external Java™ Authorization Contract for Containers (JACC) provider, configure WebSEAL with Tivoli Access Manager, configure WebSEAL with your product application server, and configure host junctions for your environment.
To set up users in the Business Space environment as administrators, you run a script to assign the Business Space superuser role.