Virtual member manager (WebSphere Application Server Express, Distributed operating systems, v8.0)
Provide security
Virtual member manager provides role-based security both for changing the configuration and for using the runtime APIs.
Configuration security
The virtual member manager configuration can be changed from the WebSphere Administrative Console, the wsadmin commands, and scripting. Only a user assigned the WAS Administrator role can change the configuration from the console or by using the commands. The wsadmin commands can also be used in local mode during WebSphere Application Server installation.
Runtime security
During runtime operations, by default, virtual member manager supports only two roles:
WAS Administrator
A user who authenticates as the WAS Administrator may perform any virtual member manager function against any virtual member manager object.
Account Owner role
The Account Owner role is virtual member manager specific and not a J2EE role. If the authenticated user is the owner of the registry object, the user is programmatically assigned the Account Owner role. The authenticated user can change its own password and search on itself only. The user is not authorized to make any other modifications, nor can the user search, view, create, or delete any objects in the repositories. The permissions of the Account Owner role and the condition under which it is granted are shown in the following tables:

Account-Owner-Role permissions

  Operation  Object type                              Attribute group
  SEARCH     Entity/RolePlayer/Party/LoginAccount/*
  UPDATE     Entity/RolePlayer/Party/LoginAccount/*
  WRITE      Entity/RolePlayer/Party/LoginAccount/*   sensitive
  READ       Entity/RolePlayer/Party/LoginAccount/*   unchecked
  WRITE      Entity/RolePlayer/Party/LoginAccount/*   unchecked

Account-Owner-Role assignment

  Subject                  Role                Condition
  All Authenticated Users  Account-Owner-Role  {Condition: OWNERSHIP == true}

The virtual member manager runtime API that WAS needs for authentication does not have any access control applied. The effect is twofold:
- Prevents circular dependencies between WAS security and virtual member manager during authentication to WebSphere Application Server
- Provides quick authentication
Map users and groups to roles for assigning federated repository management rights
To enable users who are not assigned the WAS Administrator role to access virtual member manager methods, you can assign the user or group one of the following predefined virtual member manager roles.
The predefined virtual member manager roles and their corresponding permissions are listed in the following table:
Predefined virtual member manager roles and permissions

  Role name    Method permissions
  IdMgrAdmin   create, update, delete, search, get, createSchema, getSchema
               (same authority as WAS Administrator)
  IdMgrWriter  create, update, delete, search, get
  IdMgrReader  search, get

We can map a user or a group to only one role. We can also map all logged-in users to a specific role, using a special subject with the value ALLAUTHENTICATED instead of the group ID. In case multiple roles are granted to a user through group membership, there is no specific order of precedence in which the roles are applied. However, as each role is a subset or superset of the other, there are no conflicting roles. For example, IdMgrWriter has IdMgrReader and IdMgrWriter permissions, and IdMgrAdmin has IdMgrReader, IdMgrWriter, and IdMgrAdmin permissions.
The following limitations apply:
- The permissions assigned to each role are hardcoded; you cannot modify or customize them.
- The group-level access check of an attribute is not enforced.
- According to the role assigned to them, users are granted all the relevant permissions on all attributes and attribute groups.
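As an added illustration (this is not virtual member manager code and is not taken from the WAS information center), the following Python model encodes the predefined role permissions, the resolution of roles mapped directly, through groups or through the ALLAUTHENTICATED subject, and the Account Owner condition described above; because the roles nest, taking the union of their method sets makes the order in which they are applied irrelevant. The user and group names are constructed for the example.

```python
# Added model (not VMM code) of the runtime authorization rules on this page.

# Method permissions of the predefined roles, as listed in the table above.
ROLE_METHODS = {
    "IdMgrReader": {"search", "get"},
    "IdMgrWriter": {"create", "update", "delete", "search", "get"},
    "IdMgrAdmin":  {"create", "update", "delete", "search", "get",
                    "createSchema", "getSchema"},
}
ALLAUTHENTICATED = "ALLAUTHENTICATED"   # special subject: every logged-in user


def effective_roles(user, groups, user_map, group_map):
    """Roles granted to `user` directly, through its groups, or through
    the ALLAUTHENTICATED subject. Each subject maps to at most one role."""
    roles = set()
    if user in user_map:
        roles.add(user_map[user])
    for group in groups:
        if group in group_map:
            roles.add(group_map[group])
    if ALLAUTHENTICATED in group_map:
        roles.add(group_map[ALLAUTHENTICATED])
    return roles


def allowed_methods(roles):
    """Union of the roles' method sets: since IdMgrReader < IdMgrWriter <
    IdMgrAdmin, no precedence rule is needed and nothing can conflict."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_METHODS.get(role, set())
    return allowed


def is_authorized(caller, groups, method, target, user_map, group_map,
                  is_was_admin=False):
    """Decide whether `caller` may run `method` against the object `target`.
    WAS Administrator: any method on any object. Mapped roles: their method
    set on any object. Otherwise only the Account Owner rule applies, which
    is granted when OWNERSHIP == true (the target is the caller's own
    account) and permits search and update (e.g. a password change) only."""
    if is_was_admin:
        return True
    if method in allowed_methods(effective_roles(caller, groups,
                                                 user_map, group_map)):
        return True
    return target == caller and method in {"search", "update"}
```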
For information on how to assign users or groups to the predefined virtual member manager roles, read about the mapIdMgrUserToRole, mapIdMgrGroupToRole, removeIdMgrUsersFromRole, removeIdMgrGroupsFromRole, listIdMgrUsersForRoles, and listIdMgrGroupsForRoles commands in the topic IdMgrConfig command group in the WAS information center.
- Virtual member manager security
  Virtual member manager security is enabled by default; however, WAS global security must also be enabled.
- Access virtual member manager through the user registry
  When configured to be used for WAS security, virtual member manager provides a built-in user registry that implements the UserRegistry Java interface provided by WAS.