You can secure the job scheduler using roles and groups. A user can then act on a job if the user and the job are members of the same group and the user role permits the action.
Before you begin
Start the deployment manager and all node agents.
About this task
Enable WebSphere® Application Server global security. Configure the user registry bridge for federated repositories. Install and configure a VMM SAF mapping module and add the module to three login modules. Then use RACF® to create a group and add a user to the group. Assign a group to a job. Define EJBROLE profiles for the lradmin and lrsubmitter roles.
Procedure
- Enable global security.
  Read the section on enabling security in the WebSphere Application Server documentation and follow the directions. On the Global Security panels, ensure that you select the following options.
  - Enable administrative security and Enable application security
  - Federated repositories for Available realm definitions
  - Enable SAF Delegation for Authorization provider
- Configure the user registry bridge for federated repositories.
  Read the section on configuring the user registry bridge for federated repositories using wsadmin scripting in the WebSphere Application Server documentation and follow the directions.
- Install and configure the SampleVMMSAFMappingModule module.
  Read the section on installing and configuring a custom System Authorization Facility mapping module for the product and follow the directions. You add the module to the WEB_INBOUND, RMI_INBOUND, and DEFAULT login modules.
- Synchronize your changes and restart the cell.
- Create a group and add a user to the group.
  Read the information about creating a group and adding a user to the group in the RACF user's guide, Security Server RACF General User's Guide.
- Set the custom property that indicates which policy the batch environment uses.
  - Expand .
  - Under Additional Properties, click .
  - In the Name field, type JOB_SECURITY_POLICY, and in the Value field, type GROUP.
  - Click OK.
- Assign a group to a job.
  A job belongs to a user group and an administrative group. If the JOB_SECURITY_ADMIN_GROUP variable is not defined, the job scheduler automatically assigns the administrative group to each job.
- Define EJBROLE profiles for the lradmin and lrsubmitter roles.
  If you use System Authorization Facility (SAF) EJBROLE profiles on the z/OS® operating system to administer role-based security, define EJBROLE profiles for the lradmin and lrsubmitter roles. Permit these roles to the appropriate SAF user IDs for batch job administrators and submitters.
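The RACF side of the procedure (creating a group, adding users to it, and defining and permitting the EJBROLE profiles) can be entered as TSO commands like the following. This is an added example, not part of the original documentation: the group name BATCHGRP and the user IDs BATADM1 and BATSUB1 are hypothetical, and it assumes that the EJBROLE class is already active and RACLISTed and that no SAF profile prefix is configured for the cell (with a prefix, the profile names carry it).

```racf
/* Hypothetical names: BATCHGRP (group), BATADM1 (batch administrator), */
/* BATSUB1 (job submitter). Substitute your own installation's IDs.    */

/* Create the group that users and jobs will share */
ADDGROUP BATCHGRP

/* Connect the administrator and the submitter to the group */
CONNECT BATADM1 GROUP(BATCHGRP)
CONNECT BATSUB1 GROUP(BATCHGRP)

/* Define the role profiles with no default access.                  */
/* EJBROLE profile names are case-sensitive: keep the role names in  */
/* lowercase, exactly as the product spells them.                    */
RDEFINE EJBROLE lradmin     UACC(NONE)
RDEFINE EJBROLE lrsubmitter UACC(NONE)

/* Permit each role only to the user ID that needs it */
PERMIT lradmin     CLASS(EJBROLE) ID(BATADM1) ACCESS(READ)
PERMIT lrsubmitter CLASS(EJBROLE) ID(BATSUB1) ACCESS(READ)

/* Refresh the in-storage profiles so the changes take effect */
SETROPTS RACLIST(EJBROLE) REFRESH

/* Check the result: group membership and each role's access list */
LISTGRP BATCHGRP
RLIST EJBROLE lradmin     AUTHUSER
RLIST EJBROLE lrsubmitter AUTHUSER
```

Keeping UACC(NONE) on both profiles means a user ID gets a role only through an explicit PERMIT, so the RLIST output is the complete list of who holds lradmin or lrsubmitter.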
Results
You created a group and assigned a user to the group. You
also permitted the user ID to the appropriate role so that the user
can manage jobs if the role permits the actions.
What to do next
Manage jobs using group and role security.
- Submit the job.
- Have the user that you created in a previous step act on the job,
such as by viewing the job log.