NamingAuthzCommands (AdminTask)
We can use the Jython scripting language to configure naming roles for groups and users with wsadmin.sh. Use commands in the NamingAuthzCommands group to assign, remove, and query naming role configuration. CosNaming security offers increased granularity of security control over CosNaming functions.
A number of naming roles are defined to provide the degrees of authority that are needed to perform certain application server naming service functions. The authorization policy is only enforced when global security is enabled.
Use the following commands to manage the naming service functions:
- listGroupsForNamingRoles
- listUsersForNamingRoles
- mapGroupsToNamingRole
- mapUsersToNamingRole
- removeGroupsFromNamingRole
- removeUsersFromNamingRole
listGroupsForNamingRoles
The listGroupsForNamingRoles command displays the groups and special subjects mapped to the naming roles.
Target object: None.
Return value
The command returns a list of the groups and special subjects associated with each naming role.
Batch mode example
- Jython:
AdminTask.listGroupsForNamingRoles()
Interactive mode
- Jython:
AdminTask.listGroupsForNamingRoles('-interactive')
listUsersForNamingRoles
The listUsersForNamingRoles command displays the users mapped to the naming roles.
Target object: None.
Return value
The command returns a list of the users associated with each naming role.
Batch mode example
- Jython:
AdminTask.listUsersForNamingRoles()
Interactive mode
- Jython:
AdminTask.listUsersForNamingRoles('-interactive')
mapGroupsToNamingRole
The mapGroupsToNamingRole command maps groups, special subjects, or groups and special subjects to the naming roles.
Target object: None.
Required parameters
- -roleName
- Name of the naming role. (String)
space security roles are available: CosNamingRead, CosNamingWrite, CosNamingCreate, and CosNamingDelete. The roles have authority levels from
Role name and description:
- CosNamingRead: We can query the application server name space using, for example, the JNDI lookup method. The EVERYONE special-subject is the default policy for this role.
- CosNamingWrite: We can perform write operations such as JNDI bind, rebind, or unbind, and CosNamingRead operations.
- CosNamingCreate: We can create new objects in the name space through operations such as JNDI createSubcontext and CosNamingWrite operations.
- CosNamingDelete: We can destroy objects in the name space, for example using the JNDI destroySubcontext method and CosNamingCreate operations.
Optional parameters
- -groupids
- Names of the groups to map to the naming roles. (String[])
- -accessids
- Access IDs of the users in the format <group:realmName/uniqueID>. (String[])
- -specialSubjects
- Special subjects to map. (String[])
include EVERYONE, ALLAUTHENTICATED, ALLAUTHENTICATEDINTRUSTEDREALMS,
- EVERYONE: Maps everyone to a specified role. When you map everyone to a role, anyone can access the resources that are protected by this role and, essentially, there is no security.
- ALLAUTHENTICATED: Maps each authenticated user to a specified role. When you map each authenticated user to a specified role, each valid user in the current registry who has been authenticated can access resources that are protected by this role.
- ALLAUTHENTICATEDINTRUSTEDREALMS: Maps each authenticated user to a specified role. When you map each authenticated user to a specified role, each valid user in the current registry who has been authenticated can access resources that are protected by this role in the trusted realm.
Return value
The command does not return output.
Batch mode example
- Jython string:
AdminTask.mapGroupsToNamingRole('[-roleName CosNamingCreate -groupids [group1, group2]]')
- Jython list:
AdminTask.mapGroupsToNamingRole(['-roleName', 'CosNamingCreate', '-groupids', '[group1, group2]'])
Interactive mode
- Jython:
AdminTask.mapGroupsToNamingRole('-interactive')
mapUsersToNamingRole
The mapUsersToNamingRole command maps users to the naming roles.
Target object: None.
Required parameters
- -roleName
- Name of the naming role. (String)
space security roles are available: CosNamingRead, CosNamingWrite, CosNamingCreate, and CosNamingDelete. The roles have authority levels from
Role name and description:
- CosNamingRead: We can query the application server name space using, for example, the JNDI lookup method. The EVERYONE special-subject is the default policy for this role.
- CosNamingWrite: We can perform write operations such as JNDI bind, rebind, or unbind, and CosNamingRead operations.
- CosNamingCreate: We can create new objects in the name space through operations such as JNDI createSubcontext and CosNamingWrite operations.
- CosNamingDelete: We can destroy objects in the name space, for example using the JNDI destroySubcontext method and CosNamingCreate operations.
Optional parameters
- -userids
- User IDs to map to the naming roles of interest. (String[])
- -accessids
- Access IDs of the users in the format <user:realmName/uniqueID>. (String[])
Return value
The command does not return output.
Batch mode example
- Jython string:
AdminTask.mapUsersToNamingRole('[-roleName CosNamingDelete -userids [user1, user2, user3]]')
- Jython list:
AdminTask.mapUsersToNamingRole(['-roleName', 'CosNamingDelete', '-userids', '[user1, user2, user3]'])
Interactive mode
- Jython:
AdminTask.mapUsersToNamingRole('-interactive')
removeGroupsFromNamingRole
The removeGroupsFromNamingRole command removes groups, special subjects, or groups and special subjects from a naming role.
Target object: None.
Required parameters
- -roleName
- Name of the naming role. (String)
space security roles are available: CosNamingRead, CosNamingWrite, CosNamingCreate, and CosNamingDelete. The roles have authority levels from
Role name and description:
- CosNamingRead: We can query the application server name space using, for example, the JNDI lookup method. The EVERYONE special-subject is the default policy for this role.
- CosNamingWrite: We can perform write operations such as JNDI bind, rebind, or unbind, and CosNamingRead operations.
- CosNamingCreate: We can create new objects in the name space through operations such as JNDI createSubcontext and CosNamingWrite operations.
- CosNamingDelete: We can destroy objects in the name space, for example using the JNDI destroySubcontext method and CosNamingCreate operations.
Optional parameters
- -groupids
- Names of the groups to remove from the naming roles of interest. (String[])
- -specialSubjects
- Special subjects to remove. (String[])
subjects include EVERYONE, ALLAUTHENTICATED, ALLAUTHENTICATEDINTRUSTEDREALMS,
- EVERYONE: Maps everyone to a specified role. When you map everyone to a role, anyone can access the resources that are protected by this role and, essentially, there is no security.
- ALLAUTHENTICATED: Maps each authenticated user to a specified role. When you map each authenticated user to a specified role, each valid user in the current registry who has been authenticated can access resources that are protected by this role.
- ALLAUTHENTICATEDINTRUSTEDREALMS: Maps each authenticated user to a specified role. When you map each authenticated user to a specified role, each valid user in the current registry who has been authenticated can access resources that are protected by this role in the trusted realm.
Return value
The command does not return output.
Batch mode example
- Jython string:
AdminTask.removeGroupsFromNamingRole('-roleName CosNamingRead -groupids [group1, group2] -specialSubjects EVERYONE')
- Jython list:
AdminTask.removeGroupsFromNamingRole(['-roleName', 'CosNamingRead', '-groupids', '[group1, group2]', '-specialSubjects', 'EVERYONE'])
Interactive mode
- Jython:
AdminTask.removeGroupsFromNamingRole('-interactive')
removeUsersFromNamingRole
The removeUsersFromNamingRole command removes users from a naming role.
Target object: None.
Required parameters
- -roleName
- Name of the naming role. (String)
and CosNamingDelete. The roles have authority levels from
Role name and description:
- CosNamingRead: We can query the application server name space using, for example, the JNDI lookup method. The EVERYONE special-subject is the default policy for this role.
- CosNamingWrite: We can perform write operations such as JNDI bind, rebind, or unbind, and CosNamingRead operations.
- CosNamingCreate: We can create new objects in the name space through operations such as JNDI createSubcontext and CosNamingWrite operations.
- CosNamingDelete: We can destroy objects in the name space, for example using the JNDI destroySubcontext method and CosNamingCreate operations.
Optional parameters
- -userids
- User IDs to remove from the naming roles of interest. (String[])
Return value
The command does not return output.
Batch mode example
- Jython string:
AdminTask.removeUsersFromNamingRole('-roleName CosNamingRead')
- Jython list:
AdminTask.removeUsersFromNamingRole(['-roleName', 'CosNamingRead'])
Interactive mode
- Jython:
AdminTask.removeUsersFromNamingRole('-interactive')
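The cumulative role descriptions and the EVERYONE special-subject warning above can be turned into a review check. The following is an added example, not IBM code: it works out which JNDI operations each role carries and emits a removeGroupsFromNamingRole call for every role above CosNamingRead that is mapped to EVERYONE. The dictionary shape, the group names and the sample policy are assumptions, because this page does not show the output format of listGroupsForNamingRoles.

```python
# Added example (not IBM code). Plain Python syntax that also runs under
# wsadmin's Jython; it only builds command strings and never calls AdminTask.

# Roles in ascending authority: per the role table, each role also grants
# the operations of the roles listed before it.
ROLES = ['CosNamingRead', 'CosNamingWrite', 'CosNamingCreate', 'CosNamingDelete']
OPERATIONS = {
    'CosNamingRead': ['lookup'],
    'CosNamingWrite': ['bind', 'rebind', 'unbind'],
    'CosNamingCreate': ['createSubcontext'],
    'CosNamingDelete': ['destroySubcontext'],
}

def effective_operations(role):
    """JNDI operations a subject gains from one role, including inherited ones."""
    if role not in ROLES:
        raise ValueError('unknown naming role: %s' % role)
    ops = []
    for r in ROLES[:ROLES.index(role) + 1]:
        ops.extend(OPERATIONS[r])
    return ops

def audit(mappings):
    """Flag EVERYONE on any role above CosNamingRead.

    mappings: dict of role name -> list of mapped groups/special subjects
    (assumed shape, transcribed by hand from listGroupsForNamingRoles output).
    Returns a list of (role, exposed operations, removal command) tuples.
    """
    findings = []
    for role in ROLES[1:]:  # EVERYONE on CosNamingRead is the documented default
        if 'EVERYONE' in mappings.get(role, []):
            cmd = ("AdminTask.removeGroupsFromNamingRole("
                   "'-roleName %s -specialSubjects EVERYONE')" % role)
            findings.append((role, effective_operations(role), cmd))
    return findings

# Constructed sample policy, not output from a real cell.
SAMPLE = {
    'CosNamingRead': ['EVERYONE'],
    'CosNamingWrite': ['ALLAUTHENTICATED'],
    'CosNamingCreate': ['deployers', 'EVERYONE'],
    'CosNamingDelete': ['admins'],
}

if __name__ == '__main__':
    for role, ops, cmd in audit(SAMPLE):
        print('%s mapped to EVERYONE: anyone can %s' % (role, ', '.join(ops)))
        print('  fix: ' + cmd)
```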