Default MBean security policy

This topic discusses the default managed bean (MBean) security policy. In most cases, MBean developers do not need to specify a security policy.

Two types of MBeans exist for the default MBean security policy. One is a configuration type and the other is a runtime type. An optional attribute in the MBean descriptor XML file defines the type of MBean.

The ConfigRepository MBean is an example of one of a few configuration types. In the configRepository.xml descriptor file, the configureMBean = "true" attribute indicates that the MBean is a configuration type.
<MBean type="ConfigRepository" 
  version="5.0"
  platform="common"
  description="Management interface for the configuration repository."
  configureMBean="true">

WebSphere Application Server extended role-based access control supports role inheritance. Four administrative roles of administrator, configurator, operator, and monitor exist. Four administrative roles of administrator, configurator, operator, and monitor exist.The monitor role is the least privileged administrative role. Users that are granted the monitor role can view the WebSphere Application Server configuration and the runtime status, but cannot make any changes. The other administrative roles each have their own unique set of privileges as well as the same privileges as the monitor role.

The configurator role has permission to modify WebSphere Application Server configuration data. The operator role has permission to change the runtime state, such as the start and stop of administrative resources. A configurator role cannot change the runtime status and conversely an operator role cannot change the WebSphere Application Server configuration. The administrator role includes configurator and operator role, but has more permissions than the union of configurator role and operator role. The administrator role can additionally change the global security configuration. A simple picture shows the administrative role inheritance relationship. A diagram shows the administrative role inheritance relationship.

Administrative security role inheritance relationship

Each MBean method or operation is assigned an impact attribute with a value of either INFO or ACTION. Here are some examples:

A configuration MBean method that has an impact value of INFO requires the monitor role. A configuration MBean method that has an impact value of ACTION requires the configurator role. A deployer MBean method that has an impact value of INFO requires the monitor role. A deployer MBean method that has an impact value of ACTION requires the deployer role. Because all administrative roles are monitor roles, any administrative role can access configuration MBean methods that have an impact value of INFO. The administrator role is a configurator role and has access to the configuration MBean methods that have an impact value of ACTION.

The default security policy for the configuration MBean is summarized in the following table:

Method impact Monitor role Operator role Configurator role Administrator role
INFO X X X X
ACTION     X X

The default security policy for the operation MBean is summarized in the following table:

Method impact Monitor role Operator role Configurator role Administrator role
INFO X X X X
ACTION   X   X



Related concepts
Administrative security
Related tasks
Defining an explicit MBean security policy
Concept topic    

Terms of Use | Feedback

Last updated: Aug 29, 2010 7:21:45 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-dist&topic=CjmxAdminDefmbsec
File name: cjmx_admin_defmbsec.html