Network Deployment (Distributed operating systems), v8.0 > Administer applications and their environment > Use the administrative clients > Use administrative programs (JMX) > Extend the WAS administrative system with custom MBeans
Default MBean security policy
This topic discusses the default managed bean (MBean) security policy. In most cases, MBean developers do not need to specify a security policy.
Three types of MBeans exist for the default MBean security policy:
- A configuration type MBean
- A runtime type MBean
- A deployer type MBean
An optional attribute in the MBean descriptor XML file defines the type of MBean.
The ConfigRepository MBean is an example of one of a few configuration types. In the configRepository.xml descriptor file, the configureMBean = "true" attribute indicates that the MBean is a configuration type.
<MBean type="ConfigRepository" version="5.0" platform="common" description="Management interface for the configuration repository." configureMBean="true">The EJBModule MBean is an example of deployer type MBeans. In the EJBModule.xml descriptor file, the deployerMBean="true" attribute indicates that the MBean is a deployer type.
<MBean type="EJBModule" j2eeType="EJBModule" version="5.0" platform="dynamicproxy" resourceIdentifierKey="Application" resourceType="Application" deployerMBean="true" description="Management interface for the EJBModule component.">WAS extended role-based access control supports role inheritance. Five administrative roles of administrator, configurator, operator, deployer, and monitor exist. The monitor role is the least privileged administrative role. Users that are granted the monitor role can view the WAS configuration and the runtime status, but cannot make any changes. The other administrative roles each have their own unique set of privileges as well as the same privileges as the monitor role.
The configurator role has permission to modify WAS configuration data. The operator role has permission to change the runtime state, such as the start and stop of administrative resources. A configurator role cannot change the runtime status and conversely an operator role cannot change the WAS configuration. The administrator role includes configurator and operator role, but has more permissions than the union of configurator role and operator role. The administrator role can additionally change the administrative security configuration. A simple picture shows the administrative role inheritance relationship. The deployer role is a combination of the configurator and operator roles for application management. The deployer role has both configurator and operator permission for applications. A diagram shows the administrative role inheritance relationship.
Each MBean method or operation is assigned an impact attribute with a value of either INFO or ACTION. Here are some examples:
- A get method has an impact value of INFO and a write method has an impact value of ACTION.
- In the ConfigRepository MBean, the extract method does not change the configuration data and has an impact value of INFO, while the modify method has an impact value of ACTION.
- In the JVM MBean, which is an operator type of MBean, the ggetCurrentTimeInMillis method has an impact value of ACTION.
A configuration MBean method that has an impact value of INFO requires the monitor role. A configuration MBean method that has an impact value of ACTION requires the configurator role. A deployer MBean method that has an impact value of INFO requires the monitor role. A deployer MBean method that has an impact value of ACTION requires the deployer role. Because all administrative roles are monitor roles, any administrative role can access configuration MBean methods and deployer MBean methods that have an impact value of INFO. The administrator role is a configurator role and has access to the configuration MBean methods that have an impact value of ACTION.
The default security policy for the configuration MBean is summarized in the following table:
Configuration MBean method impact values and security roles. An X indicates that the MBean method requires the role by default.
Method impact Monitor role Operator role Configurator role Deployer role Administrator role INFO X X X X X ACTION X X The default security policy for the operation MBean is summarized in the following table:
Operation MBean method impact values and security roles. An X indicates that the MBean method requires the role by default.
Method impact Monitor role Operator role Configurator role Deployer role Administrator role INFO X X X X X ACTION X X The default security policy for the deployer MBean is summarized in the following table:
Deployer MBean method impact values and security roles. An X indicates that the MBean method requires the role by default.
Method impact Monitor role Operator role Configurator role Deployer role Administrator role INFO X X X X X ACTION X X X If an MBean has both the configureMBean attribute and the deployerMBean attribute set to true, the required role for all actions is either configurator or monitor. No such MBean is presently defined in the system.
Administrative security
Define an explicit MBean security policy