WebSphere Application Server Network Deployment, Version 6.0.x     Operating Systems: AIX, HP-UX, Linux, Solaris, Windows

Authorizing access to administrator roles

Before you begin

Assign users and groups to administrative roles to identify who can perform WebSphere Application Server administrative functions. Administrative roles control access to those functions. There are four roles: administrator, configurator, operator and monitor.
Monitor role
An individual or group that uses the monitor role has the fewest privileges. A monitor can complete the following tasks:
  • View the WebSphere Application Server configuration.
  • View the current state of the Application Server.
Configurator role
An individual or group that uses the configurator role has the monitor privilege plus the ability to change the WebSphere Application Server configuration. The configurator can perform all the day-to-day configuration tasks. For example, a configurator can complete the following tasks:
  • Create a resource.
  • Map an application server.
  • Install and uninstall an application.
  • Deploy an application.
  • Assign user-to-role and group-to-role mappings for applications.
  • Set up Java 2 security permissions for applications.
  • Customize the Common Secure Interoperability Version 2 (CSIv2), Security Authentication Service (SAS), and Secure Sockets Layer (SSL) configurations.
Operator role
An individual or group that uses the operator role has monitor privileges plus the ability to change the runtime state. For example, an operator can complete the following tasks:
  • Stop and start the server.
  • Monitor the server status in the administrative console.
Administrator role
An individual or group that uses the administrator role has the operator and configurator privileges plus additional privileges that are granted solely to the administrator role. For example, an administrator can complete the following tasks:
  • Modify the server user ID and password.
  • Map users and groups to the administrator role.
  • Configure authentication and authorization mechanisms.
  • Enable or disable global security.
  • Enable or disable Java 2 security.
  • Change the Lightweight Third Party Authentication (LTPA) password and generate keys.

Before you assign users to administrative roles, you must set up your user registry, which can be Lightweight Directory Access Protocol (LDAP), local OS, or a custom registry. You can set up your user registries without enabling security.

Why and when to perform this task

The following steps are needed to assign users to administrative roles.

In the administrative console, click System Administration > Console settings. Click either Console Users or Console Groups.

Steps for this task

  1. To add a user or a group, click Add on the Console users or Console groups panel.
  2. To add a new administrator user, enter a user identity in the User field, highlight Administrator, and click OK. If there is no validation error, the specified user is displayed with the assigned security role.
  3. To add a new administrative group, either enter a group name in the Specify group field or select EVERYONE or ALL AUTHENTICATED from the Special subject menu, and click OK. If no validation error occurs, the specified group or special subject is displayed with the assigned security role.
  4. To remove a user or group assignment, click Remove on the Console Users or the Console Groups panel. On the Console Users or the Console Groups panel, select the check box of the user or group to remove and click OK.
  5. To manage the set of users or groups to display, expand the filter folder on the right panel and modify the filter. For example, setting the filter to user* displays only users with the user prefix.
  6. After the modifications are complete, click Save to save the mappings.
  7. Restart the application server for changes to take effect.
  8. Shut down the nodes, node agents, and the deployment manager.
  9. Verify that Java processes are not running. If they are running, discontinue these processes.
  10. Restart the deployment manager.
  11. Resynchronize the nodes. To resynchronize the nodes, run the install_root/bin/syncNode or the install_root/bin/syncNode.sh command for each node. For more information, see the syncNode command in the documentation.
  12. Restart the nodes. To restart the nodes, run the install_root/bin/startNode or the install_root/bin/startNode.sh command for each node. For more information, see the startNode command in the documentation.
  13. Start any clusters, if applicable.

What to do next

After you assign users to administrative roles, you must restart the Deployment Manager for the new roles to take effect. However, the administrative resources are not protected until you enable security.
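The role descriptions and step 3 above imply an inheritance model: an administrator holds everything an operator and a configurator hold, and a role can be granted to the special subjects EVERYONE or ALL AUTHENTICATED rather than to a named identity. The following added example (not IBM code) resolves effective privileges and reviews a set of mappings; the privilege labels, the SAMPLE mappings and the severity labels are assumptions made for illustration.

```python
# Added example: roles and inheritance follow the page's descriptions.
# Privilege labels, SAMPLE mappings and severities are constructed for illustration.
OWN = {
    "monitor": {"view-config", "view-state"},
    "configurator": {"change-config"},
    "operator": {"change-runtime-state"},
    "administrator": {"manage-security-and-admin-roles"},
}
INHERITS = {
    "monitor": (),
    "configurator": ("monitor",),
    "operator": ("monitor",),
    "administrator": ("operator", "configurator"),
}
SPECIAL_SUBJECTS = {"EVERYONE", "ALL AUTHENTICATED"}

SAMPLE = [  # constructed (subject, role) pairs, as listed on the console panels
    ("wasadmin", "administrator"),
    ("deployers", "configurator"),
    ("noc", "operator"),
    ("ALL AUTHENTICATED", "configurator"),
    ("EVERYONE", "monitor"),
]

def effective_privileges(role):
    """Resolve a role to its own privileges plus everything it inherits."""
    privs = set(OWN[role])
    for parent in INHERITS[role]:
        privs |= effective_privileges(parent)
    return privs

def who_can(privilege, mappings):
    """List subjects whose role grants the privilege, directly or by inheritance."""
    return [s for s, r in mappings
            if r in OWN and privilege in effective_privileges(r)]

def review(mappings):
    """Flag unknown roles and roles granted to a special subject."""
    findings = []
    for subject, role in mappings:
        if role not in OWN:
            findings.append((subject, role, "unknown role"))
        elif subject in SPECIAL_SUBJECTS:
            read_only = effective_privileges(role) <= OWN["monitor"]
            findings.append((subject, role, "review" if read_only else "high"))
    return findings

if __name__ == "__main__":
    print(review(SAMPLE))
    print(who_can("change-config", SAMPLE))
```
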




Sub-topics
Console users settings and CORBA naming service user settings
Console groups and CORBA naming service groups
Assigning users to naming roles
Propagating administrative role changes to Tivoli Access Manager
The migrateEAR utility for Tivoli Access Manager

Related concepts
Role-based authorization
Access control exception
Administrative console and naming service authorization

Related tasks
Assigning users and groups to roles
Assigning users to RunAs roles
Authorizing access to resources

Related reference
syncNode command
startNode command


Last updated: Dec 11, 2005 4:07:15 PM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_tselugradro.html

© Copyright IBM Corporation 2002, 2005. All Rights Reserved.