You can assign users and groups to administrative roles
to identify users who can perform WebSphere® Application
Server administrative functions.
Before you begin
Administrative roles enable you to control access to WebSphere Application Server administrative
functions. Refer to the descriptions of these roles in Administrative
roles.
- Using System Authorization Facility (SAF) authorization to
control access to administrative roles: When the com.ibm.security.SAF.authorization
is set to true, SAF EJBROLE profiles are used to control
access to administrative roles. See System Authorization Facility for role-based authorization for
more information.
- If you select Use a z/OS® security product during
profile creation in the z/OS Profile Management Tool, and
you additionally specify a value for the SAF profile prefix (previously
referred to as the z/OS security domain), the following
administrative roles are defined by the customization jobs. The SAF
profile prefix can be specified during profile creation, and the configGroup
represents the WebSphere Application Server configuration
group name that you chose.
RDEFINE EJBROLE (optionalSAFProfilePrefix.)administrator UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)monitor UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)configurator UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)operator UACC(NONE)
RDEFINE EJBROLE (optionalSAFProfilePrefix.)auditor UACC(NONE)
PERMIT (optionalSAFProfilePrefix.)administrator CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)monitor CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)configurator CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)operator CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
PERMIT (optionalSAFProfilePrefix.)auditor CLASS(EJBROLE) ID(configGroup) ACCESS(READ)
- If you decide at a later date to turn on SAF authorization, you
must issue these Resource Access Control Facility (RACF)
commands to enable proper WebSphere Application Server
operation. You can give a user access to all administrative functions
by connecting to the configuration group:
CONNECT mvsid GROUP(configGroup)
- You can also assign individual users to specific roles by issuing
the following RACF command:
PERMIT (optionalSAFProfilePrefix.)rolename CLASS(EJBROLE) ID(mvsid) ACCESS(READ)
- You do not need to restart the server for SAF EJBROLE changes
to take effect. However, after the SAF changes are made, you must
issue the following RACF command, (or the equivalent
for your security system), to refresh the security tables:
SETROPTS RACLIST(EJBROLE) REFRESH
- Using WebSphere Authorization to control access
to administrative roles: When com.ibm.security.SAF.authorization
is set to false, WebSphere Application Server
authorization and the administrative console are used to control access
to administrative roles.
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
- Before you assign users to administrative roles, you must set
up your user registry. For information on the supported registry types,
see Selecting a registry or repository.
- The following steps are needed to assign users to administrative
roles.
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
About this task
You use the administrative console
to assign users and groups to administrative roles and to identify
users who can perform WebSphere Application Server
administrative functions. In the administrative console,
Procedure
- Click Users and Groups. Click either Administrative
User Roles or Administrative Group Roles.
- To add a user or a group, click Add on the Console
users or Console groups panel.
- To add a new administrator user, follow the instructions
on the page to specify a user, and select the Administrator role.
Once the user is added to the Mapped to role list, click OK.
The specified user is mapped to the security role.
- To add a new administrative group, follow the instructions
on the page to specify either a group name or a Special subject, highlight
the Administrator role, and click OK. The
specified group or special subject is mapped to the security role.
- To remove a user or group assignment, click Remove on
the Console Users or the Console Groups panel. On the Console Users
or the Console Groups panel, select the check box of the user or group
to remove and click OK.
- To manage the set of users or groups to display, click Show
filter function on the User Roles or Group Roles panel. In the Search
term(s) box, type a value, then click Go. For example,
user* displays only users with the user prefix.
- After the modifications are complete, click Save to
save the mappings.
- Restart the application server for changes to take effect.
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
Shut down the nodes,
node agents, and the deployment manager.
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
Verify that Java processes are not running. If
they are running, discontinue these processes.
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
Restart the deployment
manager.
Resynchronize the nodes. To resynchronize the nodes, run the install_root/bin/syncNode or
the install_root/bin/syncNode.sh command for each
node. Use the synchNode command.
Resynchronize the nodes. To resynchronize the nodes, run the install_root/bin/syncNode script
from the Qshell command line for each node. Use the synchNode command.
Restart the nodes. To restart the nodes, run the install_root/bin/startNode or
the install_root/bin/startNode.sh command for each
node. Use the startNode command.
Restart the nodes. To restart the nodes, run the install_root/bin/startNode script
from the Qshell command line for each node. Use the startNode command.
![[AIX Solaris HP-UX Linux Windows]](../images/dist.gif)
Start any clusters,
if applicable.
What to do next
After you assign users to administrative roles, you
must restart the Deployment Manager for the new roles to take effect.
However, the administrative resources are not protected until you
enable security.