+

Search Tips   |   Advanced Search

Default MBean security policy

This topic discusses the default managed bean (MBean) security policy. In most cases, MBean developers do not need to specify a security policy.

Three types of MBeans exist for the default MBean security policy:

An optional attribute in the MBean descriptor XML file defines the type of MBean.

The ConfigRepository MBean is an example of one of a few configuration types. In the configRepository.xml descriptor file, the configureMBean = "true" attribute indicates that the MBean is a configuration type.

<MBean type="ConfigRepository"    version="5.0"
  platform="common"
  description="Management interface for the configuration repository."
  configureMBean="true">

The EJBModule MBean is an example of deployer type MBeans. In the EJBModule.xml descriptor file, the deployerMBean="true" attribute indicates that the MBean is a deployer type.

<MBean type="EJBModule" j2eeType="EJBModule"
  version="5.0"
  platform="dynamicproxy"
  resourceIdentifierKey="Application"
  resourceType="Application"
  deployerMBean="true"
  description="Management interface for the EJBModule component.">

WebSphere Application Server extended role-based access control supports role inheritance. Five administrative roles of administrator, configurator, operator, deployer, and monitor exist. The monitor role is the least privileged administrative role. Users that are granted the monitor role can view the WAS configuration and the runtime status, but cannot make any changes. The other administrative roles each have their own unique set of privileges as well as the same privileges as the monitor role.

The configurator role has permission to modify WebSphere Application Server configuration data. The operator role has permission to change the runtime state, such as the start and stop of administrative resources. A configurator role cannot change the runtime status and conversely an operator role cannot change the WAS configuration. The administrator role includes configurator and operator role, but has more permissions than the union of configurator role and operator role. The administrator role can additionally change the administrative security configuration. A simple picture shows the administrative role inheritance relationship. The deployer role is a combination of the configurator and operator roles for application management. The deployer role has both configurator and operator permission for applications. A diagram shows the administrative role inheritance relationship.

Each MBean method or operation is assigned an impact attribute with a value of either INFO or ACTION. Here are some examples:

A configuration MBean method that has an impact value of INFO requires the monitor role. A configuration MBean method that has an impact value of ACTION requires the configurator role. A deployer MBean method that has an impact value of INFO requires the monitor role. A deployer MBean method that has an impact value of ACTION requires the deployer role. Because all administrative roles are monitor roles, any administrative role can access configuration MBean methods and deployer MBean methods that have an impact value of INFO. The administrator role is a configurator role and has access to the configuration MBean methods that have an impact value of ACTION.

The default security policy for the configuration MBean is summarized in the following table:

roles. An X indicates that the MBean method requires
Method impact Monitor role Operator role Configurator role Deployer role Administrator role
INFO X X X X X
ACTION

X
X

The default security policy for the operation MBean is summarized in the following table:

roles. An X indicates that the MBean method requires
Method impact Monitor role Operator role Configurator role Deployer role Administrator role
INFO X X X X X
ACTION
X

X

The default security policy for the deployer MBean is summarized in the following table:

roles. An X indicates that the MBean method requires
Method impact Monitor role Operator role Configurator role Deployer role Administrator role
INFO X X X X X
ACTION
X
X X

If an MBean has both the configureMBean attribute and the deployerMBean attribute set to true, the required role for all actions is either configurator or monitor. No such MBean is presently defined in the system.


Related concepts

  • Administrative security


    Related tasks

  • Define an explicit MBean security policy