Administrative group roles and CORBA naming service groups
Use the Administrative Group Roles page to give groups specific authority to administer appservers through tools such as the admin console or wsadmin scripting. The authority requirements are only effective when administrative security is enabled. Use the Common Object Request Broker Architecture (CORBA) naming service groups page to manage CORBA Naming Service groups settings.
To view the Console Groups admin console page, complete either of the following steps:
- Click Security > Global security > Administrative Group Roles.
- Click Users and Groups > Administrative Group Roles.
To view the CORBA naming service groups admin console page, click Environment > Naming > CORBA Naming Service Groups.
- Group (CORBA naming service groups)
Identifies CORBA naming service groups.
In previous releases of WAS, there were two default groups: ALL AUTHENTICATED and EVERYONE. However, EVERYONE is now the only default group, and it provides CosNamingRead privileges only.
Data type: String Range: EVERYONE
- Role (CORBA naming service groups)
Identifies naming service group roles.
A number of naming roles are defined to provide the degrees of authority that are needed to perform certain appserver naming service functions. The authorization policy is only enforced when global security is enabled.
Four name space security roles are available: CosNamingRead, CosNamingWrite, CosNamingCreate, and CosNamingDelete. The roles have authority levels from low to high:
- Cos Naming Read
- We can query the appserver name space using, for example, the Java™ Naming and Directory Interface (JNDI) lookup method. The EVERYONE special-subject is the default policy for this role.
- Cos Naming Write
- We can perform write operations such as JNDI bind, rebind, or unbind, and CosNamingRead operations. The ALL_AUTHENTICATED special-subject is the default policy for this role.
- Cos Naming Create
- We can create new objects in the name space through operations such as JNDI createSubcontext and CosNamingWrite operations. The ALL_AUTHENTICATED special-subject is the default policy for this role.
- Cos Naming Delete
- We can destroy objects in the name space, for example using the JNDI destroySubcontext method and CosNamingCreate operations. The ALL_AUTHENTICATED special-subject is the default policy for this role.
Data type: String Range: CosNamingRead, CosNamingWrite, CosNamingCreate, and CosNamingDelete
- Group (Administrative group roles)
The ALL_AUTHENTICATED and the EVERYONE groups can have the following role privileges: Administrator, Configurator, Operator, and Monitor.
Data type: String Range: ALL_AUTHENTICATED, EVERYONE
- Role (Administrative group roles)
Specifies user roles.
The following admin roles provide different degrees of authority needed to perform certain appserver admin functions:
- The administrator role has operator permissions, configurator permissions, and the permission that is required to access sensitive data, including server password, LTPA password and keys, and so on.
- The operator role has monitor permissions and can change the run-time state. For example, the operator can start or stop services.
- The configurator role has monitor permissions and can change the application server configuration.
- The deployer role can perform both configuration actions and runtime operations on applications.
- The monitor role has the least permissions. This role primarily confines the user to viewing the appserver configuration and current state.
- The iscadmins role has administrator privileges for managing users and groups from within the admin console only.
To manage users and groups, click Users and Groups Click either Manage Users or Manage Groups.
- The auditor can view and modify the settings for the security auditing subsystem. The auditor role includes the monitor role.
Data type: String Range: Administrator, Operator, Configurator, Monitor, Deployer and iscadmins
Other arbitrary admin roles might also be visible in the admin console collection table. Other contributors to the console might create these additional roles, which can be used for applications that are deployed to the console.
Authorizing access to admin roles
Administrative console buttons
Administrative console page features
Administrative console scope settings
Administrative console preference settings