Map users and resources using authorization group properties files
We can use authorization group properties files to map users to administrative roles and resources to authorization groups.
Determine the property values to set for an authorization group configuration.
Start the wsadmin scripting tool.
To start wsadmin using the Jython language, run:

    WP_PROFILE/bin/wsadmin -lang jython

Using a properties file, you can create or modify an authorization group object and map users to administrative roles or resources to groups.
This topic provides sample properties files that you can modify for your environment and apply:
- Create an authorization group.
- Map users to administrative roles.
- Map resources to administrative groups.
Procedure
- Create an authorization group.
  - Create a properties file that uses the createAuthorizationGroup command and names the group.
    The following example creates an authorization group named ag1:

        #
        # Header
        #
        CreateDeleteCommandProperties=true
        commandName=createAuthorizationGroup
        #
        #
        # Properties
        #
        authorizationGroupName=ag1 #String,required

  - Run applyConfigProperties.
    Running applyConfigProperties applies the properties file. In this Jython example, the optional -reportFileName parameter produces a report named report.txt:

        AdminTask.applyConfigProperties(['-propertiesFileName myObjectType.props -reportFileName report.txt'])
- Map users to administrative roles.
  - Modify an AuthorizationGroup properties file so that it lists users for administrative roles.
    To add a new user to a role, add the user to the role list. For example, to add user5 to the administrators role list, change administrators={} to administrators={user:user5,group:group1}.
    To remove a user from a role, remove the user from the role list; for example, adminsecuritymanagers={user:user4}.
    To remove all users for a role, make the list empty.

        #
        # Header
        #
        ResourceType=AuthorizationGroup
        ImplementingResourceType=AuthorizationGroup
        ResourceId=CellAuthorizationGroup
        #
        #
        # Properties
        #
        deployers={}
        name=CellAuthorizationGroup
        resources={}
        configurators={}
        monitors={}
        operators={}
        adminsecuritymanagers={user:user4}
        auditors={special:SERVERID,special:PRIMARYADMINID}
        administrators={user:user5,group:group1}

  - Run applyConfigProperties.
- Map resources to administrative groups.
  - Modify an AuthorizationGroup properties file so that it lists resources.
    To add a new resource to an authorization group, add the resource to the resources list.
    To remove a resource from an authorization group, remove the resource from the list.
    The following example maps users to administrative roles of an authorization group and maps resources to an authorization group. An authorization group is used to enable fine-grained administrative security.

        #
        # Header
        #
        ResourceType=AuthorizationGroup
        ImplementingResourceType=AuthorizationGroup
        ResourceId=AuthorizationGroup=ag1
        #
        #
        # Properties
        #
        deployers={}
        name=ag1
        resources={Cell=!{cellName}:Node=!{nodeName}:Server=!{serverName},Cell=!{cellName}:Deployment=myApp}
        configurators={}
        monitors={}
        operators={}
        adminsecuritymanagers={}
        auditors={}
        administrators={user:user5,group:group1}
        #
        EnvironmentVariablesSection
        #
        # Environment Variables
        cellName=myCell
        nodeName=myNode
        serverName=myServer

  - Run applyConfigProperties.
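As an added example (not part of the original topic and not IBM's code), the following standalone Python 3 script compares two versions of an AuthorizationGroup properties section and reports which role lists changed, so that new entries in administrators or adminsecuritymanagers can be reviewed before applyConfigProperties is run. The function names, the sample sections, and user6 are constructed for illustration; treating a role that is missing from a file as an empty list is an assumption of this example.

```python
# Added example: plain Python 3, run outside wsadmin on properties text.
ROLES = ("administrators", "adminsecuritymanagers", "auditors", "configurators",
         "deployers", "monitors", "operators")
REVIEW_ROLES = {"administrators", "adminsecuritymanagers"}  # this example's choice

def parse_roles(text):
    """Return {role: set of 'type:name' entries} from one AuthorizationGroup section."""
    roles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "EnvironmentVariablesSection":
            break  # only variable definitions follow
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ROLES and value.startswith("{") and value.endswith("}"):
            roles[key] = {p.strip() for p in value[1:-1].split(",") if p.strip()}
    return roles

def role_changes(before_text, after_text):
    """Return {role: (added, removed)} for roles whose membership differs.
    A role missing from a file is treated as an empty list (assumption)."""
    before, after = parse_roles(before_text), parse_roles(after_text)
    changes = {}
    for role in ROLES:
        old, new = before.get(role, set()), after.get(role, set())
        if old != new:
            changes[role] = (sorted(new - old), sorted(old - new))
    return changes

def grants_to_review(changes):
    """List (role, entry) pairs newly added to the roles in REVIEW_ROLES."""
    return [(r, e) for r in sorted(changes) if r in REVIEW_ROLES for e in changes[r][0]]

# Constructed sample input: the CellAuthorizationGroup section before and after an edit.
HEADER = ("ResourceType=AuthorizationGroup\nImplementingResourceType=AuthorizationGroup\n"
          "ResourceId=CellAuthorizationGroup\n# Properties\nname=CellAuthorizationGroup\n")
BEFORE = HEADER + ("adminsecuritymanagers={user:user4,user:user6}\n"
                   "auditors={special:SERVERID,special:PRIMARYADMINID}\nadministrators={}\n")
AFTER = HEADER + ("adminsecuritymanagers={user:user4}\n"
                  "auditors={special:SERVERID,special:PRIMARYADMINID}\n"
                  "administrators={user:user5,group:group1}\n")

if __name__ == "__main__":
    for role, (added, removed) in role_changes(BEFORE, AFTER).items():
        print(role, "added:", added, "removed:", removed)
    print("review before applying:", grants_to_review(role_changes(BEFORE, AFTER)))
```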
Results
We can use the properties file to configure and manage authorization groups.
What to do next
Save the changes to the configuration.