Job manager security

In a flexible management environment, a user ID must have the required authorization to use the job manager and to work with registered nodes.

Required security roles

You need the following roles to use the job manager:

Table 1. Required security roles for job manager tasks. Roles include administrator, operator, configurator, and monitor.

Administrative tasks | Required security roles
Register or unregister with the job manager | administrator
Submit a job | operator
Change the job manager configuration | configurator
Read the job manager configuration or job history | monitor

If base (stand-alone) application server nodes that are managed by an administrative agent are registered to a job manager, you need the following roles to use the administrative agent and manage its nodes:

Table 2. Required security roles for administrative agent tasks. Roles include administrator and roles required for the operation or node.

Administrative tasks | Required security roles
Register or unregister a base (stand-alone) node with the administrative agent | administrator
Work with the administrative agent | Administrative roles required for the operation being performed
Work with the administrative subsystem, such as registered nodes | Administrative roles required for the registered base node

When a job runs on a registered stand-alone application server node or deployment manager, the user must have privileges that include the role required for that job. For example, a job to create an application server requires at least the configurator role on either the base node or the WebSphere® Application Server, Network Deployment cell.

Basic security configuration

The administrative agent and job manager support two different basic security configurations:

For the administrative agent topology, when a user logs in to the JMX connector port of an administrative subsystem, or chooses the registered node from the administrative console, the authorization table for the base node is used.

For example, suppose User1 is authorized as administrator for the first base node, but is not authorized for the second node. User2 is authorized as configurator for the second node, but is not authorized for the first node. The Same user registry figure illustrates this example:


Figure: Same security domain configuration

Further suppose User1 can log in to job manager as an operator with a user name and password. User1 can also log in to the deployment manager as a monitor with a user name and password. The Different user registry figure illustrates this example:


Figure: Different security domain configuration

Although User1 has the same user name for both the job manager and the deployment manager in this example, User1 might just as likely have different user names and passwords.
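The two authorization checks described above (the operator role on the job manager to submit, then the job's required role in the target's own authorization table), as an added Python example that is not IBM code. The role nesting, the job label, and the premise that a user name identifies the same person in every table are assumptions; the tables are constructed from the User1 and User2 examples.

```python
# Assumption: administrative roles nest as below (administrator covers operator
# and configurator; each of those covers monitor).
IMPLIES = {
    "administrator": {"administrator", "configurator", "operator", "monitor"},
    "configurator": {"configurator", "monitor"},
    "operator": {"operator", "monitor"},
    "monitor": {"monitor"},
}

# Constructed authorization tables using the role assignments from the examples.
JOB_MANAGER = {"User1": "operator"}
TARGETS = {
    "base_node_1": {"User1": "administrator"},
    "base_node_2": {"User2": "configurator"},
    "deployment_manager": {"User1": "monitor"},
}
# Role each job needs on its target; the job name is a hypothetical label.
JOB_ROLE = {"create_application_server": "configurator"}


def holds(table, user, required):
    """True if the user's role in this authorization table covers `required`."""
    role = table.get(user)
    return role is not None and required in IMPLIES[role]


def evaluate(user, job, target):
    """Report where the job stops: at submission, at the target, or not at all."""
    if not holds(JOB_MANAGER, user, "operator"):
        return "rejected_at_job_manager"
    if not holds(TARGETS[target], user, JOB_ROLE[job]):
        return "rejected_at_target"
    return "runs"


def audit(job):
    """Map every (user, target) pair to the outcome for one job type."""
    users = set(JOB_MANAGER) | {u for table in TARGETS.values() for u in table}
    return {(u, t): evaluate(u, job, t)
            for u in sorted(users) for t in sorted(TARGETS)}


if __name__ == "__main__":
    for (user, target), outcome in audit("create_application_server").items():
        print(f"{user:6} -> {target:19} {outcome}")
```

Pairs reported as rejected_at_target are the ones worth reviewing: the submitter can queue the job, but the target's authorization table does not grant the role the job needs.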

Transfer of security information

When the product transfers a job from the job manager to the administrative agent or the deployment manager, the product also transfers security information about the job submitter. This transfer authenticates and authorizes the user while running the job. The following user security information might be passed with a submitted job:

Mixed registries configuration

In a more complex topology, where some cells share the same user registry and some cells do not, the following rules apply:





Last updated: Oct 21, 2010 5:30:17 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-iseries&topic=cagt_jobmgr_security
File name: cagt_jobmgr_security.html