Map users and resources using authorization group properties files
We can use authorization group properties files to map users to administrative roles and resources to authorization groups.
Determine the property values to set for an authorization group configuration.
From the server profile bin directory, run wsadmin -lang jython
Using a properties file, create or modify an authorization group object, and map users to administrative roles or resources to groups.
Modify the following sample properties files for your environment and apply:
- Create an authorization group.
- Map users to administrative roles.
- Map resources to administrative groups.
- Create an authorization group.
- Create a properties file that uses the createAuthorizationGroup command and names the group.
The following example creates an authorization group named ag1:
    #
    # Header
    #
    CreateDeleteCommandProperties=true
    commandName=createAuthorizationGroup
    #
    #
    # Properties
    #
    authorizationGroupName=ag1 #String, required
- Run the applyConfigProperties command.
Running the applyConfigProperties command applies the properties file. In this Jython example, the optional -reportFileName parameter produces a report named report.txt:
    AdminTask.applyConfigProperties(['-propertiesFileName myObjectType.props -reportFileName report.txt'])
- Map users to administrative roles.
- Modify an AuthorizationGroup properties file so that it lists users for administrative roles.
To add a new user to a role, add the user to the role list. For example, to add user5 to the administrators role list, change administrators={} to administrators={user:user5,group:group1}.
To remove a user from a role, remove the user from the role list; for example, adminsecuritymanagers={user:user4}. To remove all users for a role, make the list empty.
    #
    # Header
    #
    ResourceType=AuthorizationGroup
    ImplementingResourceType=AuthorizationGroup
    ResourceId=CellAuthorizationGroup
    #
    #
    # Properties
    #
    deployers={}
    name=CellAuthorizationGroup
    resources={}
    configurators={}
    monitors={}
    operators={}
    adminsecuritymanagers={user:user4}
    auditors={special:SERVERID,special:PRIMARYADMINID}
    administrators={user:user5,group:group1}
- Run the applyConfigProperties command.
- Map resources to administrative groups.
- Modify an AuthorizationGroup properties file so that it lists resources.
To add a new resource to an authorization group, add the resource to the resources list. To remove a resource from an authorization group, remove the resource from the list.
The following example maps users to administrative roles of an authorization group and maps resources to an authorization group. An authorization group is used to enable fine-grained administrative security.
    #
    # Header
    #
    ResourceType=AuthorizationGroup
    ImplementingResourceType=AuthorizationGroup
    ResourceId=AuthorizationGroup=ag1
    #
    #
    # Properties
    #
    deployers={}
    name=ag1
    resources={Cell=!{cellName}:Node=!{nodeName}:Server=!{serverName},Cell=!{cellName}:Deployment=myApp}
    configurators={}
    monitors={}
    operators={}
    adminsecuritymanagers={}
    auditors={}
    administrators={user:user5,group:group1}
    #
    EnvironmentVariablesSection
    #
    # Environment Variables
    cellName=myCell
    nodeName=myNode
    serverName=myServer
- Run the applyConfigProperties command.
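Because one edited line in these files grants or revokes an administrative role, it helps to review what a modified file changes before applyConfigProperties is run. The following Python script is an added example, not part of the product or its documentation: it compares the role lists of two AuthorizationGroup properties files and expands the !{name} variables in the resources list. The function names and the BEFORE/AFTER sample text are constructed for illustration.

```python
import re

ROLES = ("administrators", "adminsecuritymanagers", "auditors",
         "configurators", "deployers", "monitors", "operators")

def parse_props(text):
    """Return (properties, environment variables) from a properties file."""
    props, env, in_env = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lstrip("#").strip() == "EnvironmentVariablesSection":
            in_env = True  # every key=value after this marker is a variable
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            (env if in_env else props)[key.strip()] = value.strip()
    return props, env

def members(value):
    """'{user:user5,group:group1}' -> {'user:user5', 'group:group1'}"""
    value = value.strip()
    inner = value[1:-1] if value.startswith("{") else value
    return {m.strip() for m in inner.split(",") if m.strip()}

def role_changes(before_text, after_text):
    """Return {role: (added, removed)} for each role whose members differ."""
    before, after = parse_props(before_text)[0], parse_props(after_text)[0]
    changes = {}
    for role in ROLES:
        old, new = members(before.get(role, "{}")), members(after.get(role, "{}"))
        if old != new:
            changes[role] = (sorted(new - old), sorted(old - new))
    return changes

def resources(text):
    """Return the resources list with !{name} variables expanded."""
    props, env = parse_props(text)
    pattern = re.compile(r"!\{(\w+)\}")
    return sorted(pattern.sub(lambda m: env.get(m.group(1), m.group(0)), r)
                  for r in members(props.get("resources", "{}")))

# Constructed sample input: ag1 as currently configured, and the edited copy.
BEFORE = "name=ag1\nresources={}\nadministrators={}\nadminsecuritymanagers={user:user4}\n"
AFTER = ("name=ag1\n"
         "resources={Cell=!{cellName}:Node=!{nodeName}:Server=!{serverName},Cell=!{cellName}:Deployment=myApp}\n"
         "adminsecuritymanagers={}\nadministrators={user:user5,group:group1}\n"
         "EnvironmentVariablesSection\ncellName=myCell\nnodeName=myNode\nserverName=myServer\n")

if __name__ == "__main__":
    print(role_changes(BEFORE, AFTER), resources(AFTER))
```

A non-empty result for administrators or adminsecuritymanagers is the change to confirm with the change owner before the file is applied.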
Results
We can use the properties file to configure and manage authorization groups.
What to do next
Save the changes to the configuration.