Virtual member manager provides role-based security both for changing the configuration and for using the runtime APIs.
Configuration security
The virtual member manager configuration can be changed from the WebSphere Administrative Console, with the wsadmin commands, or through scripting. Only a user assigned the WebSphere Application Server Administrator role can change the configuration from the console or with those commands. The wsadmin commands can also be run in local mode during WebSphere Application Server installation; in local mode there is no running server to enforce the Administrator role, so such changes are governed only by who can access the profile's configuration files on the file system.
Runtime security
During runtime operations, virtual member manager supports only two roles:
- WebSphere Application Server Administrator: a user who authenticates as the WebSphere Application Server Administrator may perform any virtual member manager function against any virtual member manager object.
- Account Owner role: the Account Owner role is specific to virtual member manager and is not a J2EE role. If the authenticated user is the owner of the registry object being accessed, the user is programmatically assigned the Account Owner role for that object. Such a user can change its own password and search on itself only. The user is not authorized to make any other modifications, nor can the user search, view, create, or delete any other objects in the repositories.
The runtime policy that implements this role is:

Account-Owner-Role
    SEARCH  Entity/RolePlayer/Party/LoginAccount/*
    UPDATE  Entity/RolePlayer/Party/LoginAccount/*
    WRITE   Entity/RolePlayer/Party/LoginAccount/* sensitive
    READ    Entity/RolePlayer/Party/LoginAccount/* unchecked
    WRITE   Entity/RolePlayer/Party/LoginAccount/* unchecked

All Authenticated Users
    Account-Owner-Role {Condition: OWNERSHIP == true}
The virtual member manager runtime API that WebSphere Application Server needs for authentication has no access control applied. This has two effects:
- It prevents a circular dependency between WebSphere Application Server security and virtual member manager during authentication to WebSphere Application Server: the role checks above require an already-authenticated caller, which does not yet exist while a login is being processed.
- It keeps authentication fast.
The consequence is that calls on this authentication path are not constrained by the Administrator or Account Owner roles at all; they are protected only by whatever controls limit which code can reach the runtime API.
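The following is an added example, not IBM code, that models the runtime authorization described above as a small policy evaluator: the Administrator bypass, the Account Owner role granted to an authenticated user only while OWNERSHIP == true, the permission table from the policy listing, and an authentication lookup that is deliberately kept outside the access-control check so that logging in does not depend on already being logged in. The role-name strings, the sample registry and the interpretation of the "sensitive" and "unchecked" property groups (password versus all other attributes) are assumptions made for the illustration.

```python
"""Toy model of the virtual member manager runtime authorization on this page.
Added illustration, not IBM code: role names, actions, resource pattern and the
OWNERSHIP condition follow the policy listing above; what the "sensitive" and
"unchecked" property groups contain is an assumption."""

import hmac
from fnmatch import fnmatchcase

ADMIN_ROLE = "WebSphere Application Server Administrator"  # assumed label
OWNER_ROLE = "Account-Owner-Role"
LOGIN_ACCOUNT = "Entity/RolePlayer/Party/LoginAccount/*"

# Permission table transcribed from the listing: (action, resource pattern,
# property group). A group of None means the permission is not limited to a
# property group.
POLICY = {
    OWNER_ROLE: [
        ("SEARCH", LOGIN_ACCOUNT, None),
        ("UPDATE", LOGIN_ACCOUNT, None),
        ("WRITE", LOGIN_ACCOUNT, "sensitive"),
        ("READ", LOGIN_ACCOUNT, "unchecked"),
        ("WRITE", LOGIN_ACCOUNT, "unchecked"),
    ],
}

# Assumption: the password is the only "sensitive" property, everything else is
# "unchecked". The listing grants the owner WRITE on both groups but READ only
# on "unchecked", so an owner can set its password but not read it back.
SENSITIVE_PROPERTIES = {"password"}

# Constructed sample registry (not real data).
REGISTRY = {
    "alice": {"password": "alice-pw", "mail": "alice@example.com"},
    "bob": {"password": "bob-pw", "mail": "bob@example.com"},
}


def property_group(prop):
    return "sensitive" if prop in SENSITIVE_PROPERTIES else "unchecked"


def roles_for(subject, target_owner):
    """Resolve the caller's runtime roles against one target object.

    subject: {"id": ..., "authenticated": bool, "admin": bool}
    target_owner: id of the user who owns the target entry, or None.
    Administrators keep their role everywhere. Any other authenticated user
    holds Account-Owner-Role only while OWNERSHIP == true, that is, while
    the target is its own registry entry.
    """
    roles = set()
    if subject.get("admin"):
        roles.add(ADMIN_ROLE)
    if (subject.get("authenticated") and target_owner is not None
            and subject.get("id") == target_owner):
        roles.add(OWNER_ROLE)
    return roles


def is_authorized(subject, action, resource, target_owner, prop=None):
    """Decide whether subject may perform action on resource.

    resource: an entity path such as Entity/RolePlayer/Party/LoginAccount/uid=alice
    prop:     the property touched by READ or WRITE (selects the property
              group); SEARCH, UPDATE, CREATE and DELETE pass None.
    """
    roles = roles_for(subject, target_owner)
    if ADMIN_ROLE in roles:
        return True  # any function against any object
    for role in roles:
        for allowed, pattern, group in POLICY.get(role, ()):
            if allowed != action or not fnmatchcase(resource, pattern):
                continue
            if group is None or (prop is not None and property_group(prop) == group):
                return True
    return False


def change_own_password(subject, user_id, new_password):
    """The one write an Account Owner is allowed: its own password."""
    resource = "Entity/RolePlayer/Party/LoginAccount/uid=" + user_id
    if not is_authorized(subject, "WRITE", resource, user_id, prop="password"):
        return False
    REGISTRY[user_id]["password"] = new_password
    return True


def authenticate(user_id, password):
    """Lookup used by WebSphere login. Deliberately NOT routed through
    is_authorized: it runs before any subject exists, so applying the role
    checks here would make logging in depend on already being logged in."""
    entry = REGISTRY.get(user_id)
    if entry is None:
        return False
    return hmac.compare_digest(entry["password"], password)
```

Running the evaluator shows the shape of the model: alice can search for and update her own LoginAccount entry and set her password, but cannot read her password property back, cannot touch bob's entry or any Group object, and cannot create or delete anything; an administrator can do all of those; an unauthenticated caller holds no role at all, which is exactly why the authenticate() path must sit outside the check.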