Administrative agent security
In a flexible management environment, a user ID must have the required authorization to use the administrative agent and to work with registered nodes.
Required security roles
You need the following roles to use the administrative agent:
tasks. Roles include administrator and roles required
Administrative tasks Required security roles Register or unregister a base (stand-alone) node with the administrative agent administrator Work with the administrative agent: Administrative roles required for the operation being performed Work with the administrative subsystem, such as registered nodes Administrative roles required for the registered base node
Same security domain configuration
The administrative agent supports a security configuration where all the cells in the topology share the same user registry, and therefore, the same security domain.
For the administrative agent topology, when a user logs in to the JMX connector port of an administrative subsystem, or chooses the registered node from the console, the authorization table for the chosen node is used.
For example, suppose two stand-alone application servers, Node1 and Node2, are registered with an administrative agent. User1 is authorized as administrator for Node1, but is not authorized for Node2. User2 is authorized as configurator for Node2, but is not authorized for Node1. User1 can administer, operate and configure Node1 and its resources. User2 can monitor and configure Node2 and its resources. Only User1 can register or unregister a node, Node1, with the administrative agent.
Do not use DMZ proxy
A DMZ proxy does not work with the administrative agent when security is enabled. Keep security enabled and do not use the administrative agent in a DMZ proxy environment.
Related concepts
Job manager security Administrative agent
Related tasks
Administrative roles Administer nodes remotely using the job manager Administer jobs in a flexible management environment Administer nodes and resources Task overview: Securing resources