Default MBean security policy

This article discusses the default MBean security policy. In most cases, MBean developers do not need to specify a security policy.

Two types of MBeans exist for the default MBean security policy. One is a configuration type and the other is a run-time type. An optional attribute in the MBean descriptor XML file defines the type of MBean.

The ConfigRepository MBean is one of a few configuration-type MBeans. In the configRepository.xml descriptor file, the configureMBean="true" attribute indicates that the MBean is a configuration type:

<MBean type="ConfigRepository" 
  version="5.0"
  platform="common"
  description="Management interface for the configuration repository."
  configureMBean="true">

WebSphere Application Server (WAS) extended role-based access control supports role inheritance. Four administrative roles exist: administrator, configurator, operator, and monitor. The monitor role is the least privileged administrative role. Users that are granted the monitor role are allowed to view the WAS configuration and the run-time status, but cannot make any changes. The other three administrative roles each have their own unique set of privileges as well as the same privileges as the monitor role.

The configurator role has permission to modify WAS configuration data. The operator role has permission to change run-time state, such as starting and stopping administrative resources. The configurator role cannot change the run-time status and, conversely, the operator role cannot change the WAS configuration. The administrator role includes the configurator and operator roles but has more permissions than the union of the two: it can additionally change the global security configuration.

Each MBean method or operation is assigned an impact attribute with a value of either INFO or ACTION. Here are some examples:

  • A get method has an impact value of INFO and a write method has an impact value of ACTION.

  • In the ConfigRepository MBean, the extract method does not change the configuration data and has an impact value of INFO, while the modify method has an impact value of ACTION.

  • In the NodeAgent MBean, which is an operator type of MBean, the terminate method has an impact value of ACTION.

A configuration MBean method that has an impact value of INFO requires the monitor role. A configuration MBean method that has an impact value of ACTION requires the configurator role. Because every administrative role includes the monitor role, any administrative role can access configuration MBean methods that have an impact value of INFO. The administrator role includes the configurator role and therefore has access to the configuration MBean methods that have an impact value of ACTION.

The default security policy for configuration MBeans is summarized in the following table:

Method impact   Monitor role   Operator role   Configurator role   Administrator role
INFO            X              X               X                   X
ACTION          -              -               X                   X

The default security policy for operation MBeans is summarized in the following table:

Method impact   Monitor role   Operator role   Configurator role   Administrator role
INFO            X              X               X                   X
ACTION          -              X               -                   X
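
The following added example (not IBM code and not part of the original article) evaluates the default policy for a descriptor, which is useful when auditing which roles can invoke a given MBean method. It assumes that operations appear as operation elements with name and impact attributes and that a descriptor without configureMBean is a run-time MBean; the two descriptors are constructed samples.

```python
import xml.etree.ElementTree as ET

# Role inheritance as described in the article: every administrative role
# includes monitor; administrator includes configurator and operator.
# (The administrator-only global security permission is not modeled here.)
IMPLIES = {
    "monitor": {"monitor"},
    "operator": {"operator", "monitor"},
    "configurator": {"configurator", "monitor"},
    "administrator": {"administrator", "configurator", "operator", "monitor"},
}

def required_role(is_config, impact):
    """Minimum role the default policy demands for one MBean method."""
    if impact == "INFO":
        return "monitor"
    if impact == "ACTION":
        return "configurator" if is_config else "operator"
    # Fail closed on a missing or unexpected impact value.
    raise ValueError("unknown impact: %r" % (impact,))

def policy_for(descriptor_xml):
    """Map each operation name in a descriptor to its required role."""
    root = ET.fromstring(descriptor_xml)
    # Assumption: an absent configureMBean attribute means a run-time MBean.
    is_config = root.get("configureMBean", "false").lower() == "true"
    return {op.get("name"): required_role(is_config, op.get("impact"))
            for op in root.iter("operation")}

def allowed(user_role, needed_role):
    return needed_role in IMPLIES[user_role]

def access_matrix(descriptor_xml):
    """Operation name -> sorted list of roles that may invoke it."""
    return {name: sorted(r for r in IMPLIES if allowed(r, need))
            for name, need in policy_for(descriptor_xml).items()}

# Constructed descriptors; the operation elements are assumed, not IBM's files.
CONFIG_REPOSITORY = """<MBean type="ConfigRepository" version="5.0"
  platform="common" configureMBean="true">
  <operation name="extract" impact="INFO"/>
  <operation name="modify" impact="ACTION"/>
</MBean>"""
NODE_AGENT = """<MBean type="NodeAgent">
  <operation name="terminate" impact="ACTION"/>
</MBean>"""

if __name__ == "__main__":
    for desc in (CONFIG_REPOSITORY, NODE_AGENT):
        for name, roles in access_matrix(desc).items():
            print(name, roles)
```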


See Also

Administrative Security

Related Tasks

Define an explicit MBean security policy