Edit a fine-grained admin authorization group using the admin console
You can add admin resources to, or remove them from, an administrative authorization group, or edit an existing group. You must be logged into the admin console with the cell-level AdminSecurityManager authority or as the primary administrative user.
- Navigate to Security > Administrative Authorization Groups.
The Administrative Authorization Groups page displays a table that lists all of the current admin authorization groups available in the cell.
- In the table, click the admin authorization group that you want to edit.
- To add or remove resources from the admin authorization group, select or clear them in the Resource section of the edit page.
Resources displayed in black text are available for selection or clearing. Resources displayed in grey text are members of a different administrative authorization group and therefore cannot be edited for the current admin authorization group.
The available filtering options are the following. Each option includes all the resources that are associated with that specific filtering option.
- All scopes. (The default view that displays the authorization group tree.)
- Clusters. (All of the resources associated with the clusters.)
- Web servers. (All of the resources associated with the Web servers.)
- Business-level applications. (All of the resources associated with the business-level applications.)
- Servers. (All of the resources associated with the servers.)
- Nodes. (All of the resources associated with the nodes.)
- Applications. (All of the resources associated with the applications.)
- Assets. (All of the resources associated with the assets.)
- Node groups. (All of the resources associated with the node groups.)
- Assigned scopes. (Displays all of the scopes explicitly assigned to the current authorization group.)
Nodes prior to WAS Version 6.1 in a mixed cell environment are filtered out of resource mapping.
- To remove a user or a group, do the following:
- To delete users, click Administrative user roles under the Additional Properties section. To delete groups, click Administrative group roles under the Additional Properties section.
The appropriate edit page displays a table that lists all of the current users or groups and their associated roles, along with the user's login status.
- Click the check box beside the name of the current user or group and then click Remove. The current user or group is no longer associated with the role and the role is no longer listed in the table. It is now ready to have a new user or group assigned to it.
- To add or to reassign a user or group role to this admin authorization group, do the following:
- To add a user, click Administrative user roles under the Additional Properties section. To add a group, click Administrative group roles located under the Additional Properties section.
The appropriate edit page displays a table that lists all of the current users or groups and their associated roles. The available roles are:
- An individual or group that uses the administrator role has the operator and configurator privileges plus additional privileges that are granted solely to the administrator role. For example, an administrator can complete the following tasks:
- Modify the server user ID and password.
- Set authentication and authorization mechanisms.
- Enable or disable admin security.
- Enable or disable Java 2 security.
- Change the LTPA password and generate keys.
- Create, update, or delete users in the federated repositories configuration.
- Create, update, or delete groups in the federated repositories configuration.
An administrator cannot map users and groups to the administrator roles.
- An individual or group that uses the configurator role has the monitor privilege plus the ability to change the WAS configuration. The configurator can perform all the day-to-day configuration tasks. For example, a configurator can complete the following tasks:
- Create a resource.
- Map an appserver.
- Install and uninstall an application.
- Deploy an application.
- Assign users and groups-to-role mapping for applications.
- Set up Java 2 security permissions for applications.
- Customize the CSIv2, SAS, and SSL configurations.
SAS is supported only between V6.0.x and previous version servers that have been federated in a V6.1 cell.
- Users granted this role can perform both configuration actions and runtime operations on applications.
- An individual or group that uses the operator role has monitor privileges plus the ability to change the runtime state. For example, an operator can complete the following tasks:
- Stop and start the server.
- Monitor the server status in the admin console.
- An individual or group that uses the monitor role has the least amount of privileges. A monitor can complete the following tasks:
- View the WAS configuration.
- View the current state of the appserver.
- Admin Security Manager
- Using the Admin Security Manager role, you can assign users and groups to the admin user roles and admin group roles. However, an administrator cannot assign users and groups to the administrative user roles and admin group roles, including the Admin Security Manager role.
- Click Add....
- To add a new user or group, follow the instructions on the page to specify either a user name, group name, or Special subject. Highlight the desired role(s), and click OK. The specified users, groups, or Special subject are mapped to the security roles.
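A scripted counterpart to the console steps above, for wsadmin in Jython mode (an added example, not IBM's code). It uses the AdminTask authorization-group commands; the helper names `safe_token`, `resource_args`, `role_args` and `edit_group` are this example's own, and the group, resource and user names are placeholders.

```python
# Added example for wsadmin in Jython mode. AdminTask and AdminConfig are passed
# in as arguments so the functions can also be exercised against a stub.
# Group, resource, role, and user values supplied by the caller are placeholders.

def safe_token(value):
    # Values are spliced into a wsadmin option string, so refuse anything that
    # could end the value early or start another option.
    if not value or value.startswith("-"):
        raise ValueError("unsafe value: %r" % (value,))
    for ch in value:
        if ch in " \t\r\n[]{}\"'":
            raise ValueError("unsafe value: %r" % (value,))
    return value

def resource_args(group, resource):
    # resource uses wsadmin's Type=name form, for example Server=server1
    return "[-authorizationGroupName %s -resourceName %s]" % (
        safe_token(group), safe_token(resource))

def role_args(group, role, user):
    return "[-authorizationGroupName %s -roleName %s -userids %s]" % (
        safe_token(group), safe_token(role), safe_token(user))

def edit_group(admin_task, admin_config, group, add=(), remove=(), grant=(), revoke=()):
    # grant and revoke are sequences of (role, user) pairs.
    # Build every option string first so a bad value aborts before any change.
    res_drop = [resource_args(group, r) for r in remove]
    res_add = [resource_args(group, r) for r in add]
    role_drop = [role_args(group, role, user) for role, user in revoke]
    role_add = [role_args(group, role, user) for role, user in grant]
    for args in res_drop:
        admin_task.removeResourceFromAuthorizationGroup(args)
    for args in res_add:
        admin_task.addResourceToAuthorizationGroup(args)
    for args in role_drop:
        admin_task.removeUsersFromAdminRole(args)
    for args in role_add:
        admin_task.mapUsersToAdminRole(args)
    admin_config.save()
    # Read the group back so the result can be reviewed against the intent.
    scope = "[-authorizationGroupName %s]" % safe_token(group)
    return {"resources": admin_task.listResourcesOfAuthorizationGroup(scope),
            "users": admin_task.listUserIDsOfAuthorizationGroup(scope)}

# In wsadmin (names are placeholders):
# edit_group(AdminTask, AdminConfig, "authGroup1",
#            add=["Server=server1"], grant=[("monitor", "user1")])
```

Values containing spaces or brackets, such as LDAP distinguished names, are refused rather than quoted, so one malformed name cannot alter the role or group that a command targets.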