Roles

Roles
Describes the roles defined for IBM Connections users on WAS.
The four roles that are consistent across the applications (person, everyone, reader, and admin) should be consistently set across all of the IBM Connections services.
Table 1. Activities roles

J2EE Role Description
everyone Can access public pages without signing in to the application. There are not many pages that allow everyone to access them. The login page is an example. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application.
metrics-reader Restricts access to the metrics user interface for the Activities application. By default, this role is mapped to the WAS group "Everyone," but this can be changed to a more restricted user set if needed.
person Can read and write to Activities.
reader Used exclusively by the Ajax proxy.
search-admin Used by Search to read public and private data in order to create search indexes.
widget-admin Used by widget containers to send events alerting widget applications of container changes. The widget-admin role is mapped to the user specified in the remoteHandlerAuthenticationAlias attribute defined in the widgets-config.xml file for the Activities widget. The installer sets the attribute to the connectionsAdmin alias, and maps the widget-admin role to the user specified in that alias. The user mapped to the widget-admin role must also be mapped to the person role.

Table 2. Blogs roles

J2EE Role Description
admin Used by the Blogs administrator to manage the Blogs configuration and content.
everyone Can access public pages without signing in to the application. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application.
global-moderator Users in this role can moderate content. That is, they can read, edit, delete, reject, approve, quarantine, and dismiss entries and comments, and flag inappropriate content.
metrics-reader Restricts access to the metrics user interface for the Blogs application. By default, this role is mapped to the WAS group "Everyone", but this can be changed to a more restricted user set if needed.
person Can read and write to Blogs.
reader Users in this role have read access to Blogs. If this role is mapped to the WAS group "All Authenticated in Application's Realm," then it forces all users to log in before they can use Blogs.
search-admin Used by Search to read public and private data in order to create search indexes.
widget-admin Used by widget containers to send events alerting widget applications of container changes. The widget-admin role is mapped to the user specified in the remoteHandlerAuthenticationAlias attribute defined in the widgets-config.xml file for the Blogs widget. The installer sets the attribute to the connectionsAdmin alias, and maps the widget-admin role to the user specified in that alias.

Table 3. Bookmarks roles

J2EE Role Description
everyone Can access public pages without signing in to the application. Some examples are the Public Bookmarks and Popular Bookmarks views, as well as the login page. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application.
metrics-reader Restricts access to the metrics user interface for the Bookmarks application. By default, this role is mapped to the WAS group "Everyone," but this can be changed to a more restricted user set if needed.
person Can read and write to Bookmarks.
reader Users in this role have read access to Bookmarks. If this role is mapped to the WAS group "All Authenticated in Application's Realm," then it forces all users to log in before they can use Bookmarks.
search-admin Used by Search to read public and private data in order to create search indexes.

Table 4. Communities roles

J2EE Role Description
admin Not used.
community-creator Users in this role can create communities. By default, this role is mapped to the WAS group "Everyone", but this can be changed to a more restricted user set if needed.
dsx-admin Used by the Communities directory service extension to read both public and private data. Do not add real users to this role.
everyone Not used.
global-moderator Users in this role can see the moderation link on the navigation bar in communities. To access the moderation user interface they must also be in the Moderation global-moderator role. To actually moderate content, they must also be in the Blogs, Forums, and Files global-moderator roles. For example, for a user to moderate Blogs in a community they must be in the global-moderator roles in Communities, Moderation, and Blogs.
metrics-reader Restricts access to the metrics user interface for the Communities application. By default, this role is mapped to the WAS group "Everyone", but this can be changed to a more restricted user set if needed.
person Users in this role can create communities, join a public community, or request to join a moderated community. Communities Atom API creates and updates can only be performed by a user in this role.
reader Users in this role have read access to Communities. If this role is mapped to the WAS group "All Authenticated in Application's Realm," then it forces all users to log in before they can use Communities. This role is also used to restrict access to the Ajax proxy; it is recommended that you set reader to the WAS group "All Authenticated in Application's Realm" in a production environment.
search-admin Used by Search to read public and private data in order to create search indexes.

Table 5. Files roles

J2EE Role Description
admin Administrative role. No default mappings are defined for this role.
everyone This role is mapped to the WAS group "Everyone" by default and should not be modified. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application.
everyone-authenticated This role is mapped to the WAS group "All Authenticated in Application's Realm" by default and should not be modified.
files-owner Users with this role have all of the privileges of someone in the person role, but can also upload files. Mapped to the WAS group "All Authenticated in Application's Realm" by default. You can apply this role to a subset of people in the person group to limit who can upload files.
global-moderator Users in this role can moderate content. That is, they can read, edit, and delete community files and comments that have already been approved, and can reject or approve community files and comments that are awaiting approval. They can also quarantine content, restore or delete quarantined content, and dismiss flags on content.
metrics-reader Restricts access to the metrics user interface for the Files application. By default, this role is mapped to the WAS group "Everyone," but this can be changed to a more restricted user set if needed.
person Users with this role have read and write access to the application. Mapped to the WAS group "All Authenticated in Application's Realm" by default. When this role is mapped to "All Authenticated in Application's Realm," the reader role should be mapped to "Everyone."
reader Users with this role have read-only access to the application. Mapped to the WAS group "Everyone" by default. When this role is mapped to "Everyone," the person role should be mapped to "All Authenticated in Application's Realm." If this role is mapped to something other than "Everyone,' the person and reader roles must have the same mappings.
search-admin Used by Search to read public and private data in order to create search indexes.
widget-admin Used by widget containers to send events alerting widget applications of container changes. The widget-admin role is mapped to the user specified in the remoteHandlerAuthenticationAlias attribute defined in the widgets-config.xml file for the Files widget. The installer sets the attribute to the connectionsAdmin alias, and maps the widget-admin role to the user specified in that alias.

Table 6. Forums roles

J2EE Role Description
admin Used by the Forums administrator to manage Forums content.
everyone Can access public pages without signing in to the application. The login page is an example. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application.
global-moderator Users in this role can moderate content in a forum. That is, they can read, edit, delete, reject, approve, quarantine, and dismiss entries and comments, or content that has been flagged as inappropriate.
metrics-reader Restricts access to the metrics user interface for the Forums application. By default, this role is mapped to the WAS group "Everyone," but this can be changed to a more restricted user set if needed.
person Can read and write to Forums.
reader Users in this role have read access to Forums. If this role is mapped to the WAS group "All Authenticated in Application's Realm," then it forces all users to log in before they can use Forums.
search-admin Used by Search to read public and private data in order to create search indexes.
widget-admin Used by widget containers to send events alerting widget applications of container changes. The widget-admin role is mapped to the user specified in the remoteHandlerAuthenticationAlias attribute defined in the widgets-config.xml file for the Forums widget. The installer sets the attribute to the connectionsAdmin alias, and maps the widget-admin role to the user specified in that alias.

Table 7. Home page roles

J2EE Role Description
admin This role is not mapped to any users by default. This role is used to protect the Home page administrative user interface, which allows administrators to register new widgets, and to enable and disable widgets. Users in this role can see a Server metrics link in the Home page footer. Specific administrator user IDs should be mapped to this role, but you should not map this role to the WAS "Everyone" or "All Authenticated in Application's Realm" groups.
everyone Applies to the Home page login page and the service configuration APIs only. This role allows users to access these resources without any authentication. By default, the role is mapped to the WAS group "Everyone" and should not be modified. It is used internally by the IBM Connections application, and changing the role will break the basic login function of the application.
metrics-reader Restricts access to the metrics user interface for the Home page application. By default, this role is mapped to the WAS group "Everyone," but this can be changed to a more restricted user set if needed.
person Used to secure the Home page web user interface. Users must authenticate to access the Home page. Note that the Home page is not designed to work in an unauthenticated fashion, and therefore this role should not be mapped to the WAS group "Everyone." By default, this role is mapped to the "All Authenticated in Application's Realm" group, which means that all authenticated users can access the Home page. If you need to restrict access to a smaller set of people, modify the mapping of this role as needed.
reader Used to access the Search APIs. This role is mapped to the WAS group "Everyone" by default. Modifying this role has no effect on the Home page.

Table 8. Mobile roles

J2EE Role Description
everyone Applies to the Mobile page login page API. This role allows users to access these resources without any authentication. By default, the role is mapped to the WAS group "Everyone" and should not be modified. It is used internally by the IBM Connections application, and changing the role will break the basic login function of the application.
person Used to secure all Mobile pages other than the login page. By default, this role is mapped to the WAS group "All Authenticated in Application's Realm," which means that all authenticated users can access the Mobile pages. If you want to restrict access to a smaller set of people, modify the mapping of this role. Do not map this role to the WAS group "Everyone" because the Mobile pages page are not meant to be available to unauthenticated users.

Table 9. Moderation roles

J2EE Role Description
reader Applies to public Atom APIs. This role allows users to access these resources without authenticating. By default, the role is mapped to the WAS group "Everyone." Modifying this role limits access to the public APIs. For instance, mapping this role to "All Authenticated in Application's Realm" requires users to log in when accessing public Atom APIs.
everyone-authenticated This role is mapped to the WAS group "All Authenticated in Application's Realm" by default and should not be modified.
person Used to secure the Atom APIs for top or saved stories as well as to secure the Email preferences page in the product. Users must authenticate to access the New APIs and preferences page. By default, this role is mapped to the WAS group "All Authenticated in Application's Realm," which means that all authenticated users can access the top and saved stories APIs and the email preferences page. If you want to restrict access to a smaller set of people, modify the mapping of this role. Do not map this role to the WAS group "Everyone" because the email preferences page is not meant to be available to unauthenticated users.
global-moderator Users in this role can see the moderation interface. To actually moderate Blogs, Forums, and community Files content, they must also be in the global-moderator role of the application. For example, to moderate Blogs they must be in the global-moderator role in Moderation and in Blogs. To moderate Blogs, Forums, and Files in communities, they must also be in the Communities global-moderator role. For example, to moderate Files in a community, they must be in the global-moderator role in Communities, Moderation, and Files. After a user is in the appropriate roles, they can read, edit, delete, reject, approve, quarantine, and restore entries and comments, dismiss flags, and flag inappropriate content.

Table 10. News roles

J2EE Role Description
admin Defined in the news repository, but not used. Changing its mapping has no effect on the news repository. This role is not mapped to any users by default.
everyone This role should not be modified. It is used to define pages which should always be available, such as the login page. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application.
person Used to secure the Atom APIs for Status Updates, News Feed stories, or Saved stories, as well as to secure the E-mail Preferences page in the product. Users must authenticate to access the News APIs and preferences page. By default, this role is mapped to the WAS group "All Authenticated in Application's Realm," which means that all authenticated users can access the Status Updates, News Feed stories, and Saved stories APIs, and the E-mail Preferences page. If you want to restrict access to a smaller set of people, modify the mapping of this role. Do not map this role to the WAS group "Everyone" because the email preferences page is not meant to be available to unauthenticated users.
reader Applies to public Atom APIs. This role allows users to access these resources without authenticating. By default, the role is mapped to the WAS group "Everyone." Modifying this role limits access to the public APIs. For instance, mapping this role to "All Authenticated in Application's Realm" requires users to log in when accessing public Atom APIs.

Table 11. Profiles roles

J2EE Role Description
admin Administrative role. No default mappings are defined for this role.
allAuthenticated Mapped to the WAS group "All Authenticated in Application's Realm" by default. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application. Specifically, this role is used to secure the login-redirect page and is needed to correctly redirect the user back to the page they were attempting to access before the login procedure began. Never change the default value of this role.
dsx-admin Used by the Profiles directory service extension to read both public and private data. This role secures the directory service communication when email addresses are hidden.
everyone Users with this role can access public pages without signing in to the application. The login page is an example. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application.
metrics-reader Restricts access to the metrics user interface for the Profiles application. By default, this role is mapped to the WAS group "Everyone", but this can be changed to a more restricted user set if needed.
person Users with this role have read and write access to the application. Mapped to the WAS group "All Authenticated in Application's Realm" by default.
reader Users with this role have read-only access to the application. Mapped to the WAS group "Everyone" by default.
search-admin Used by Search to read public and private data in order to create search indexes.

Table 12. Search roles

J2EE Role Description
admin Administrative role. No default mappings are defined for this role. The installation wizard maps the person defined as the system administrator to this role.
everyone Not used. There are no default mappings defined for this role. By default, this role is mapped to the WAS group "Everyone." Changing the mapping has no effect.
metrics-reader Restricts access to the metrics user interface of the Search application. By default, this role is mapped to the WAS group "Everyone", but this can be changed to a more restricted user set if needed.
person Restricts access to the user interface for the Search application and personal Atom API searches (/atom/mysearch). By default, this role is mapped to the WAS group "Everyone," but this can be changed to a more restricted user set if needed.
reader Used to protect the Atom APIs with the exception of /atom/mysearch. This role allows users to access the resources without authenticating. By default, the role is mapped to the WAS group "Everyone." Modifying this role limits access to the public APIs. For instance, if you map this role to the WAS group "AllAuthenticated in Application's Realm," then users must log in before they can access the public Atom APIs.

Table 13. Wikis roles

J2EE Role Description
admin Administrative role. No default mappings are defined for this role.
everyone Users with this role can access public pages without signing in to the application. The login page is an example. This role should not be modified. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application.
everyone-authenticated This role is mapped to the WAS group "All Authenticated in Application's Realm" by default and should not be modified.
metrics-reader Restricts access to the metrics user interface for the Wikis application. By default, this role is mapped to the WAS group "Everyone", but this can be changed to a more restricted user set if needed.
person Users with this role have read and write access to the application. Mapped to the WAS group "All Authenticated in Application's Realm" by default. The reader role should be mapped to "Everyone" when this role is mapped to "All Authenticated in Application's Realm."
reader Users with this role have read-only access to the application. Mapped to the WAS group "Everyone" by default. The person role should be mapped to the WAS group "All Authenticated in Application's Realm" when this role is mapped to "Everyone." If this role is mapped to something other than "Everyone,' the person and reader roles must have the same mappings.
search-admin Used by Search to read public and private data in order to create search indexes.
widget-admin Used by widget containers to send events alerting widget applications of container changes. The widget-admin role is mapped to the user specified in the remoteHandlerAuthenticationAlias attribute defined in the widgets-config.xml file for the Wikis widget. The installer sets the attribute to the connectionsAdmin alias, and maps the widget-admin role to the user specified in that alias.
wiki-creator Users with this role can create wikis. Only they see the Start a Wiki button in Wikis. Mapped to the WAS group "All Authenticated in Application's Realm" by default. This does not control whether users can create wikis in communities.

Assigning people to roles
To assign a person or group to a role...

From the WAS admin console, expand Applications -> Application Types, and then select WebSphere enterprise applications. Find and click the link to the application that you want to configure.
Click Security role to user/group mapping. Find the role that want to add users to.
Select the check box beside the role that you want to assign, and then click Map users or Map groups.
In the Search String box, type the name of the person or group that you would like to assign to this role, and then click Search. If the user or group exists in the directory, it is found and displayed in the Available list.
Select the user or group name from the Available box, and then move it into the Selected column by clicking the right arrow button.
Repeat Steps 4 and 5 to add more users to the role.
Click OK.
To map a user or group to a different role for another application, repeat steps 1–7.
After making your changes, click OK, and then click Save to save them.
Synchronize and restart all your WAS instances.

Parent topic
Administer applications
Related concepts
Configure media galleries
Moderating blogs programmatically
Moderating community files and comments programmatically
Moderating forum content programmatically
Profiles Administration API

Related tasks

Designating global moderators
View and collect Files metrics
View and collect Wikis metrics
Switching to unique administrator IDs for system level communication
View and collect Activities metrics
Configure J2C Aliases for the moderation proxy service
Specify different system users for widget life-cycle events
Modifying the installation in interactive mode
Related reference
Retrieve the Profiles Administration API service document

+
Search Tips | Advanced Search

J2EE Role	Description
everyone	Can access public pages without signing in to the application. There are not many pages that allow everyone to access them. The login page is an example. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application.
metrics-reader	Restricts access to the metrics user interface for the Activities application. By default, this role is mapped to the WAS group "Everyone," but this can be changed to a more restricted user set if needed.
person	Can read and write to Activities.
reader	Used exclusively by the Ajax proxy.
search-admin	Used by Search to read public and private data in order to create search indexes.
widget-admin	Used by widget containers to send events alerting widget applications of container changes. The widget-admin role is mapped to the user specified in the remoteHandlerAuthenticationAlias attribute defined in the widgets-config.xml file for the Activities widget. The installer sets the attribute to the connectionsAdmin alias, and maps the widget-admin role to the user specified in that alias. The user mapped to the widget-admin role must also be mapped to the person role.

J2EE Role	Description
admin	Used by the Blogs administrator to manage the Blogs configuration and content.
everyone	Can access public pages without signing in to the application. Do not change the default mappings for this role as it is used internally by the IBM Connections application. Changing the role will break the basic login function of the application.
global-moderator	Users in this role can moderate content. That is, they can read, edit, delete, reject, approve, quarantine, and dismiss entries and comments, and flag inappropriate content.
metrics-reader	Restricts access to the metrics user interface for the Blogs application. By default, this role is mapped to the WAS group "Everyone", but this can be changed to a more restricted user set if needed.
person	Can read and write to Blogs.
reader	Users in this role have read access to Blogs. If this role is mapped to the WAS group "All Authenticated in Application's Realm," then it forces all users to log in before they can use Blogs.
search-admin	Used by Search to read public and private data in order to create search indexes.
widget-admin	Used by widget containers to send events alerting widget applications of container changes. The widget-admin role is mapped to the user specified in the remoteHandlerAuthenticationAlias attribute defined in the widgets-config.xml file for the Blogs widget. The installer sets the attribute to the connectionsAdmin alias, and maps the widget-admin role to the user specified in that alias.