Virtual member manager provides role-based security for both changing the configuration and using the runtime APIs.
The virtual member manager configuration can be changed from the WebSphere Administrative Console, the wsadmin commands, and scripting. Only a user assigned the WebSphere Application Server Administrator role can change the configuration from the console or by using the commands. The wsadmin commands can also be used in local mode during WebSphere Application Server installation.
Example of a role definition and its role mapping:

- Role: Account-Owner-Role
  - SEARCH Entity/RolePlayer/Party/LoginAccount/*
  - UPDATE Entity/RolePlayer/Party/LoginAccount/*
  - WRITE Entity/RolePlayer/Party/LoginAccount/* (sensitive)
  - READ Entity/RolePlayer/Party/LoginAccount/* (unchecked)
  - WRITE Entity/RolePlayer/Party/LoginAccount/* (unchecked)
- Mapping: All Authenticated Users -> Account-Owner-Role {Condition: OWNERSHIP == true}
If you want to enable users who are not assigned the WebSphere Application Server Administrator role to access virtual member manager methods, you can assign the user or group one of the following predefined virtual member manager roles.
The predefined virtual member manager roles and their corresponding permissions are listed in the following table:
Role name | Method permission |
---|---|
IdMgrAdmin (same authority as WAS Administrator) | create |
IdMgrWriter | create |
IdMgrReader | search |
You can map a user or a group to only one role. You can also map all logged-in users to a specific role by using a special subject with the value ALLAUTHENTICATED instead of the group ID. If multiple roles are granted to a user through group membership, there is no specific order of precedence in which the roles are applied. However, because each role is a subset or superset of the others, there are no conflicting roles. For example, IdMgrWriter has IdMgrReader and IdMgrWriter permissions, and IdMgrAdmin has IdMgrReader, IdMgrWriter, and IdMgrAdmin permissions.
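As an added example (not code from the page or from the virtual member manager product), the following Python model shows how the nested predefined roles resolve when a user receives several grants directly, through group membership, or through the ALLAUTHENTICATED special subject. The class and method names, the permission sets beyond those in the table above, and the sample distinguished names are assumptions.

```python
"""Model of how the predefined virtual member manager roles resolve."""
from typing import Dict, Iterable, Optional

# Special subject that stands for every logged-in user (used instead of a group ID).
ALLAUTHENTICATED = "ALLAUTHENTICATED"

# The roles nest: each tier is a superset of the one below it, so several
# grants to one user never conflict; the highest tier simply applies.
ROLE_RANK = {"IdMgrReader": 1, "IdMgrWriter": 2, "IdMgrAdmin": 3}

# Method permissions as the page's table lists them (admin-only methods are
# not named in this excerpt, so the admin tier carries the same set here).
TIER_METHODS = {
    "IdMgrReader": frozenset({"search"}),
    "IdMgrWriter": frozenset({"search", "create"}),
    "IdMgrAdmin": frozenset({"search", "create"}),
}


class RoleMappings:
    """Subject-to-role table (assumed helper, not a VMM API); each subject maps to one role."""

    def __init__(self) -> None:
        self._map: Dict[str, str] = {}

    def map_subject(self, subject: str, role: str) -> None:
        """Map a user ID, group ID or ALLAUTHENTICATED to exactly one role."""
        if role not in ROLE_RANK:
            raise ValueError(f"unknown role {role!r}")
        if self._map.get(subject, role) != role:
            raise ValueError(f"{subject!r} already mapped to {self._map[subject]!r}")
        self._map[subject] = role

    def effective_role(self, user_id: str, groups: Iterable[str],
                       authenticated: bool = True) -> Optional[str]:
        """Highest-ranked role granted directly, through any group, or via ALLAUTHENTICATED."""
        subjects = [user_id, *groups] + ([ALLAUTHENTICATED] if authenticated else [])
        granted = [self._map[s] for s in subjects if s in self._map]
        return max(granted, key=ROLE_RANK.__getitem__) if granted else None

    def is_permitted(self, user_id: str, groups: Iterable[str], method: str) -> bool:
        """True when the user's effective role covers the requested method."""
        role = self.effective_role(user_id, groups)
        return role is not None and method in TIER_METHODS[role]
```

Mapping ALLAUTHENTICATED to IdMgrReader and a group to IdMgrWriter, a member of that group resolves to IdMgrWriter while any other logged-in user resolves to IdMgrReader.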
For information on how to assign users or groups to the predefined virtual member manager roles, read about the mapIdMgrUserToRole, mapIdMgrGroupToRole, removeIdMgrUsersFromRole, removeIdMgrGroupsFromRole, listIdMgrUsersForRoles, and listIdMgrGroupsForRoles commands in the topic IdMgrConfig command group for the AdminTask object in the WebSphere Application Server information center.