RunAs roles



Enterprise beans contain predefined RunAs roles which must also be defined in WAS. To map RunAs roles to users...

Console | Applications | Enterprise Applications | appname | Map RunAs roles to users

The username must be a user that is already mapped to the role in the Mapping users and groups to roles panel, either directly or through a group.

For example, if role1 is a role that is also used as a RunAs role, then the user, user1, can be added to the RunAs role. role1, if user1 or a group that user1 belongs to, already is assigned to role1. The administrative console checks this logic when Apply or OK is clicked. If the check fails, the change is not made and an error message displays at the top of the panel.

If the special subjects "Everyone" or "All Authenticated" are assigned to a role, then no check takes place for that role.

If the RunAs role user belongs to a group and if that group is assigned to that role, make sure that the assignment of this group to the role is done through administrative console and not through the Assembly Toolkit or any other method. When using the administrative console, the full name of the group is used (for example, distinguished names (DN) in LDAP. During the check, all the groups to which the RunAs role user belongs are obtained from the registry. Since the list of groups obtained from the registry are the full names of the groups, the check works correctly. If the short name of a group is entered using the Assembly Toolkit (for example, group1 instead of CN=group1, then this check fails.

If the application contains RunAs roles, you see the Map RunAs roles to users link during application installation and also during managing applications as a link in the Additional Properties section at the bottom.

  1. Click Map RunAs roles to users. A list of all the RunAs roles that belong to this application displays. If the roles already had users assigned, they display here.

  2. To assign a user, select the role. You can select multiple roles at the same time if the same user is assigned to all the roles.

  3. Enter the user's name and password in the designated fields. The user name entered can be either the short name (preferred) or the full name (as seen when getting users and groups from the registry).

  4. Click Apply.The user is authenticated using the active user registry. If authentication is successful, a check is made to verify that this user or group is mapped to the role in the Map security roles to users and groups panel. If authentication fails, verify that the user and password are correct and that the active registry configuration is correct.

  5. To remove a user from a RunAs role, select the roles and click Remove.

The RunAs role user is added to the binding file in the application. This file is used for delegation purposes when accessing J2EE resources.


See Also

Client certificate authentication and RunAs system
Assigning users and groups to roles
Security role to user and group selections
EJB 1.0 method protection level settings
RunAs roles to users mapping