This topic describes how to assign users and groups to roles if
you are using WebSphere Application Server authorization for Java 2 Platform,
Enterprise Edition (J2EE) roles.
Before you begin
Before
you perform this task:
- Secure the Web applications and Enterprise JavaBeans (EJB) applications
where new roles are created and assigned to Web and enterprise bean resources.
- Create all the roles in your application.
- Verify that you have properly configured the user registry that contains
the users that you want to assign. It is preferable to have security turned
on with the user registry of your choice before beginning this process.
- Make sure that if you change anything in the security configuration you
save the configuration and restart the server before the changes become effective.
For example, enable security or change the user registry.
Because the default active user registry is Local
OS, it is recommended that you enable security if you want to use the Local
OS user registry to assign users and groups to roles. You can enable security
after the users and groups are assigned in this case. The advantage of enabling
security with the appropriate user registry before proceeding with this task
is that you can validate the security setup, which includes checking the user
registry configuration, and avoid any problems using the registry.
About this task
These steps are common for both installing
an application and modifying an existing application. If the application contains
roles, you see the Map security roles to users and groups link during application
installation and also during application management, as a link in the Additional
properties section.
Procedure
- Access the administrative console.
Type http://localhost:port_number/ibm/console in
a Web browser.
- Click Applications > Enterprise applications > application_name .
- Under Additional properties, click Map
security roles to users/groups. A list of all the roles that
belong to this application is displayed. If the roles already have users or
All Authentication or Everyone special subjects assigned, the roles will display
here.
- To assign the special subjects, select either the Everyone or
the All Authenticated option for the appropriate roles.
- To assign users or groups, select the role. You can
select multiple roles at the same time, if the same users or groups are assigned
to all the roles.
- Click Look up users or Look up groups.
- Get the appropriate users and groups from the user registry by
completing the Limit and the Search string fields and by clicking Search.
The Limit field limits the number of users that are obtained and displayed
from the user registry. The pattern is a searchable pattern matching one or
more users and groups. For example, user* lists users like user1,
user2. A pattern of asterisk (*) indicates all users or groups.
Use the
limit and the search strings cautiously so as not to overwhelm the user registry.
When you use large user registries such as Lightweight Directory Access Protocol
(LDAP) where information on thousands of users and groups resides, a search
for a large number of users or groups can make the system slow and can make
it fail. When more entries exist than requests for entries, a message displays
on top of the panel. You can refine your search until you have the required
list.
- Select the users and groups to include as members of these roles
from the Available field and click >> to add them to the roles.
- To remove existing users and groups, select them from the Selected field
and click <<. When removing existing users and groups
from roles, use caution if those same roles are used as RunAs roles.
For
example, if the user1 user is assigned to the role1 RunAs role and you try
to remove the user1 user from the role1 role, the administrative console validation
does not delete the user. A user can only be part of a RunAs role if the user
is already in a role either directly or indirectly through a group. In this
case, the user1 user is in the role1 role. For more information on the validation
checks that are performed between RunAs role mapping and user and group mapping
to roles, see Assigning users to RunAs roles
.
- Click OK. If any validation problems exist between
the role assignments and the RunAs role assignments, the changes are not committed
and an error message that indicates the problem displays at the top of the
panel. If a problem exists, make sure that the user in the RunAs role is also
a member of the regular role. If the regular role contains a group that contains
the user in the RunAs role, make sure that the group is assigned to the role
using the administrative console. Follow steps 4 and 5. Avoid using the Application
Server Toolkit or any other manual process where the complete name of the
group, host name, group name, or distinguished name (DN) is not used.
Results
The user and group information is added to the binding file in the
application. This information is used later for authorization purposes.
What to do next
This task is required to assign users and groups to roles, which
enables the correct users and groups to access a secured application. If you
are installing an application, complete your installation. After the application
is installed and running you can access your resources according to the user
and group mapping that you did in this task. If you manage applications and
modify the users and groups to role mapping, make sure you save, stop, and
restart the application so that the changes become effective. Try accessing
the J2EE resources in the application to verify that the changes are effective.