This topic discusses the default managed bean (MBean) security policy. In most cases, MBean developers do not need to specify a security policy.
<MBean type="ConfigRepository"
version="5.0"
platform="common"
description="Management interface for the configuration repository."
configureMBean="true">
<MBean type="EJBModule" j2eeType="EJBModule"
version="5.0"
platform="dynamicproxy"
resourceIdentifierKey="Application"
resourceType="Application"
deployerMBean="true"
description="Management interface for the EJBModule component.">
WebSphere® Application Server extended role-based access control supports role inheritance. Five administrative roles of administrator, configurator, operator, deployer, and monitor exist. The monitor role is the least privileged administrative role. Users that are granted the monitor role can view the WebSphere Application Server configuration and the runtime status, but cannot make any changes. The other administrative roles each have their own unique set of privileges as well as the same privileges as the monitor role.
The configurator role has permission to modify WebSphere Application Server configuration data. The operator role has permission to change the runtime state, such as the start and stop of administrative resources. A configurator role cannot change the runtime status and conversely an operator role cannot change the WebSphere Application Server configuration. The administrator role includes configurator and operator role, but has more permissions than the union of configurator role and operator role. The administrator role can additionally change the administrative security configuration. A simple picture shows the administrative role inheritance relationship. The deployer role is a combination of the configurator and operator roles for application management. The deployer role has both configurator and operator permission for applications. A diagram shows the administrative role inheritance relationship.
A configuration MBean method that has an impact value of INFO requires the monitor role. A configuration MBean method that has an impact value of ACTION requires the configurator role. A deployer MBean method that has an impact value of INFO requires the monitor role. A deployer MBean method that has an impact value of ACTION requires the deployer role. Because all administrative roles are monitor roles, any administrative role can access configuration MBean methods and deployer MBean methods that have an impact value of INFO. The administrator role is a configurator role and has access to the configuration MBean methods that have an impact value of ACTION.
The default security policy for the configuration MBean is summarized in the following table:
Method impact | Monitor role | Operator role | Configurator role | Deployer role | Administrator role |
---|---|---|---|---|---|
INFO | X | X | X | X | X |
ACTION | X | X |
The default security policy for the operation MBean is summarized in the following table:
Method impact | Monitor role | Operator role | Configurator role | Deployer role | Administrator role |
---|---|---|---|---|---|
INFO | X | X | X | X | X |
ACTION | X | X |
The default security policy for the deployer MBean is summarized in the following table:
Method impact | Monitor role | Operator role | Configurator role | Deployer role | Administrator role |
---|---|---|---|---|---|
INFO | X | X | X | X | X |
ACTION | X | X | X |
If an MBean has both the configureMBean attribute and the deployerMBean attribute set to true, the required role for all actions is either configurator or monitor. No such MBean is presently defined in the system.