You can use fine-grained administrative security in heterogeneous
or single-server environments. This capability enables you to use
fine-grained administrative security for nodes that were created on
different versions of the product, and applications that are grouped
and placed in different authorization groups.
Fine-grained administrative security in a heterogeneous environment
Fine-grained administrative security in a heterogeneous environment
has the following requirements:
- Only nodes that are running WebSphere® Application
Server Version 8.5 can be
part of an administrative authorization group.
- Only servers that are running in a WebSphere Application
Server Version 8.5 node can
be part of an administrative authorization group.
- Only applications that are targeted on servers running on WebSphere Application Server Version 8.5 can be part of an
administrative authorization group.
- If a cluster spans nodes of multiple releases, it cannot be part
of an administrative authorization group.
- If a cluster spans nodes of multiple releases, none of its members
can be part of an administrative authorization group.
- If an application is targeted on a cluster that spans multiple
releases, that application cannot be part of an administrative authorization
group.
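
The requirements above interact: a server on a Version 8.5 node is still excluded when its cluster spans releases, and so is any application targeted on that cluster. The following added example (not IBM code) applies the rules to a constructed topology. All node, server, cluster and application names are hypothetical, nothing is read from a live cell, and treating an empty or single-release cluster like its members is an assumption.

```python
REQUIRED = "8.5"  # release named in the requirements above

# Constructed sample cell; every name here is hypothetical.
NODES = {"nodeA": "8.5", "nodeB": "8.5", "nodeC": "7.0"}
SERVERS = {"srv1": "nodeA", "srv2": "nodeB", "srv3": "nodeC",
           "srv4": "nodeA", "srv5": "nodeC"}
CLUSTERS = {"clusterOK": ["srv1", "srv2"], "clusterMixed": ["srv4", "srv5"]}
APPS = {"payroll": ["srv1"], "portal": ["clusterOK"],
        "legacy": ["srv3"], "orders": ["clusterMixed"]}


def check(kind, name):
    """Return (eligible, reason) for a node, server, cluster or application."""
    if kind == "node":
        return NODES[name] == REQUIRED, "node runs %s" % NODES[name]
    if kind == "cluster":
        releases = sorted(set(NODES[SERVERS[m]] for m in CLUSTERS[name]))
        if len(releases) > 1:
            return False, "cluster spans releases %s" % ", ".join(releases)
        # Assumption: an empty or single-release cluster follows its members.
        return releases in ([], [REQUIRED]), "cluster releases: %s" % (releases[0] if releases else "none")
    if kind == "server":
        # A member of a mixed-release cluster is excluded even on an 8.5 node.
        for cluster, members in sorted(CLUSTERS.items()):
            if name in members:
                ok, why = check("cluster", cluster)
                if not ok:
                    return False, "member of %s: %s" % (cluster, why)
        return check("node", SERVERS[name])
    if kind == "application":
        for target in APPS[name]:
            ok, why = check("cluster" if target in CLUSTERS else "server", target)
            if not ok:
                return False, "target %s: %s" % (target, why)
        return True, "all targets run %s" % REQUIRED
    raise ValueError("unknown resource kind: %s" % kind)


def ineligible():
    """Map each resource that must stay out of authorization groups to its reason."""
    inventory = [("node", NODES), ("server", SERVERS), ("cluster", CLUSTERS), ("application", APPS)]
    results = [((k, n), check(k, n)) for k, table in inventory for n in table]
    return dict((key, why) for key, (ok, why) in results if not ok)


if __name__ == "__main__":
    for (kind, name), why in sorted(ineligible().items()):
        print("%-11s %-12s %s" % (kind, name, why))
```
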
Fine-grained administrative security in a single-server environment
You can also use fine-grained administrative security in a
single-server environment. This capability means that you can group
various applications in the single server, and place them in different
authorization groups. Therefore, different authorization constraints
might exist for different applications.
Life cycle of fine-grained administrative resource
An administrative resource that was once part of an authorization group
continues to be part of that authorization group until one of the
following events occurs:
- The administrative resource is removed from the authorization
group. In this instance, the administrative resource belongs to the
cell-level authorization group.
- The administrative resource is removed from the configuration.
In this instance, the administrative resource does not exist in the
configuration, but still exists in the authorization group. Remove
this administrative resource from the authorization group.
After the administrative resource is removed from the
authorization group, the administrative authorizer runtime must be
notified by using the AuthorizationManager refreshAll MBean method.
The refreshAll command must be invoked after the configuration is
saved with AdminConfig.save() and the nodes are synchronized. For example:
JACL:
# get AuthorizationGroup MBean
wsadmin> set agBean [$AdminControl queryNames type=AuthorizationGroupManager,process=dmgr,*]
wsadmin> $AdminControl invoke $agBean refreshAll
JYTHON:
# get AuthorizationGroup MBean
wsadmin> agBean = AdminControl.queryNames('type=AuthorizationGroupManager,process=dmgr,*')
wsadmin> AdminControl.invoke(agBean, 'refreshAll')
A server restart is no longer needed.
Each application server in the cell is refreshed automatically when
the refreshAll command is issued to the AuthorizationGroupManager MBean
in the deployment manager or an administrative agent. All registered
servers are notified.