The role-based policy framework parameters
are located in the Java Authorization Contract for Containers (JACC) configuration
file and in the authorization configuration file. They are set at the time
of JACC provider configuration and authorization server configuration. The
role-based policy framework settings for the authorization table and the JACC
provider can be modified separately for each WebSphere Application Server
instance. The configuration file generated from the authorization
table is named amwas.node_server.authztable.properties. The configuration
file generated from the JACC provider is named amwas.node_server.amjacc.properties.
Both files are stored in the WebSphere Application Server install_dir/profiles/profile_name/etc/tam directory.
It is very unlikely that you will need to change these properties. The supported
properties are described here for reference:
- com.tivoli.pd.as.rbpf.AMAction=i
- This property is used to signify that a user is granted access to a role.
This value is added to a Tivoli Access Manager access control list (ACL).
It places invoke access on roles for users and groups.
- com.tivoli.pd.as.rbpf.AMActionGroup=WebAppServer
- This property sets the Tivoli Access Manager action group that serves
as a container for the action specified by the com.tivoli.pd.as.rbpf.AMAction property.
The permission set in com.tivoli.pd.as.rbpf.AMAction goes into this
action group.
- com.tivoli.pd.as.rbpf.PosRoot=WebAppServer
- This property is used to determine where roles are stored in the protected
object space.
- com.tivoli.pd.as.rbpf.ProductId=deployedResources
- This property specifies the location under the root location (specified
in the com.tivoli.pd.as.rbpf.PosRoot property) that separates products from one
another in the protected object space. Thus, embedded Tivoli Access Manager
objects are found in the /WebAppServer/deployedResources directory
while, for example, AMWLS is in the /WebAppServer/WLS directory. The default
value is deployedResources.
- com.tivoli.pd.as.rbpf.ResourceContainerName=Resources
- This property specifies the Tivoli Access Manager object space container
name for the protected resources. The default location is the /WebAppServer/deployedResources/Resources directory.
- com.tivoli.pd.as.rbpf.RoleContainerName=Roles
- This property specifies the Tivoli Access Manager protected object space
container name for the security roles. The default location is the /WebAppServer/deployedResources/Roles directory.
The previous settings cannot be changed after configuration.
If any of these properties must be changed, change them before configuring
the nodes in the cell. Make the changes in the template properties
file before any configuration actions are performed. Changing properties after
configuration causes access decisions to fail.
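
Because these properties must stay fixed once configuration is done, a drift check against a copy recorded at configuration time is a useful control. The following is an added example, not part of the product or its documentation: it derives the role and resource container paths from the properties and reports any of the six properties whose value has changed. The function names and the embedded sample text are assumptions constructed for illustration.

```python
# Added example: drift check for the role-based policy framework properties.
PREFIX = "com.tivoli.pd.as.rbpf."
LOCKED = ("AMAction", "AMActionGroup", "PosRoot", "ProductId",
          "ResourceContainerName", "RoleContainerName")

def parse_properties(text):
    """Parse simple key=value properties text (line continuations not handled)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # skip blank lines and comments
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def object_space_paths(props):
    """Derive the protected object space containers: /PosRoot/ProductId/<container>."""
    base = "/" + props[PREFIX + "PosRoot"].strip("/") + "/" + props[PREFIX + "ProductId"].strip("/")
    return {"roles": base + "/" + props[PREFIX + "RoleContainerName"],
            "resources": base + "/" + props[PREFIX + "ResourceContainerName"]}

def drift(baseline, current):
    """Return {name: (baseline_value, current_value)} for locked properties that differ."""
    changed = {}
    for name in LOCKED:
        before, after = baseline.get(PREFIX + name), current.get(PREFIX + name)
        if before != after:
            changed[name] = (before, after)
    return changed

# Constructed sample: values recorded at configuration time (as shown on this page).
BASELINE_TEXT = """\
com.tivoli.pd.as.rbpf.AMAction=i
com.tivoli.pd.as.rbpf.AMActionGroup=WebAppServer
com.tivoli.pd.as.rbpf.PosRoot=WebAppServer
com.tivoli.pd.as.rbpf.ProductId=deployedResources
com.tivoli.pd.as.rbpf.ResourceContainerName=Resources
com.tivoli.pd.as.rbpf.RoleContainerName=Roles
"""
# Constructed sample: the same file after a post-configuration edit.
CURRENT_TEXT = BASELINE_TEXT.replace("RoleContainerName=Roles", "RoleContainerName=AppRoles")

if __name__ == "__main__":
    baseline, current = parse_properties(BASELINE_TEXT), parse_properties(CURRENT_TEXT)
    print(object_space_paths(baseline))
    for name, (before, after) in drift(baseline, current).items():
        print(f"{PREFIX}{name}: {before!r} -> {after!r}")
```

In practice the baseline would be a protected copy of the generated properties file taken immediately after configuration, and the current text would be read from the file in the etc/tam directory.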