+

Search Tips   |   Advanced Search

Administrative group roles and CORBA naming service groups

Use the Administrative Group Roles page to give groups specific authority to administer application servers through tools such as the console or wsadmin scripting. The authority requirements are only effective when administrative security is enabled. Use the Common Object Request Broker (CORBA) naming service groups page to manage CORBA Naming Service groups settings.

To view the Console Groups console page, complete either of the following steps:

To view the CORBA naming service groups console page, click Environment > Naming > CORBA Naming Service Groups.

Click Refresh All to automatically update the node agent and all of the nodes when a new user is created with the Administrator or Admin Security Manager role. When you click Refresh All, we do not need to manually restart the node agent under an existing Administrator before the new user is recognized with one of these roles. This button automatically invokes the AuthorizationManager refreshAll MBean method. To invoke this method manually, read about Fine-grained administrative security in heterogeneous and single-server environments.


Group (CORBA naming service groups)

Identifies CORBA naming service groups.

In previous releases of WAS, there were two default groups: ALL AUTHENTICATED and EVERYONE. However, EVERYONE is now the only default group, and it provides CosNamingRead privileges only.

Information Value
Data type: String
Range: EVERYONE


Role (CORBA naming service groups)

Identifies naming service group roles.

A number of naming roles are defined to provide the degrees of authority that are needed to perform certain application server naming service functions. The authorization policy is only enforced when global security is enabled.

Four name space security roles are available: CosNamingRead, CosNamingWrite, CosNamingCreate, and CosNamingDelete. The roles have authority levels from low to high:

Cos Naming Read

We can query the application server name space using, for example, the JNDI lookup method. The EVERYONE special-subject is the default policy for this role.

Cos Naming Write

We can perform write operations such as JNDI bind, rebind, or unbind, and CosNamingRead operations. The ALL_AUTHENTICATED special-subject is the default policy for this role.

Cos Naming Create

We can create new objects in the name space through operations such as JNDI createSubcontext and CosNamingWrite operations. The ALL_AUTHENTICATED special-subject is the default policy for this role.

Cos Naming Delete

We can destroy objects in the name space, for example using the JNDI destroySubcontext method and CosNamingCreate operations. The ALL_AUTHENTICATED special-subject is the default policy for this role.

Information Value
Data type: String
Range: CosNamingRead, CosNamingWrite, CosNamingCreate, and CosNamingDelete


Group (Administrative group roles)

Specifies groups.

The ALL_AUTHENTICATED and the EVERYONE groups can have the following role privileges: Administrator, Configurator, Operator, and Monitor.

Information Value
Data type: String
Range: ALL_AUTHENTICATED, EVERYONE


Role (Administrative group roles)

Specifies user roles.

The following administrative roles provide different degrees of authority needed to perform certain application server administrative functions:

Administrator

The administrator role has operator permissions, configurator permissions, and the permission required to access sensitive data, including server password, LTPA> (LTPA) password and keys, and so on.

Operator

The operator role has monitor permissions and can change the run-time state. For example, the operator can start or stop services.

Configurator

The configurator role has monitor permissions and can change the application server configuration.

Deployer

The deployer role can perform both configuration actions and runtime operations on applications.

Monitor

The monitor role has the least permissions. This role primarily confines the user to viewing the application server configuration and current state.

iscadmins

The iscadmins role has administrator privileges for managing users and groups from within the console only.

To manage users and groups, click Users and Groups in the console navigation tree. Click either Manage Users or Manage Groups.

Auditor

The auditor can view and modify the configuration settings for the security auditing subsystem. The auditor role includes the monitor role.

Information Value
Data type: String
Range: Administrator, Operator, Configurator, Monitor, Deployer and iscadmins

Other arbitrary administrative roles might also be visible in the console collection table. Other contributors to the console might create these additional roles, which can be used for applications that are deployed to the console.


Related concepts

  • Fine-grained administrative security in heterogeneous and single-server environments

    Administrative console buttons

    Administrative console page features

    Administrative console scope settings

    Administrative console preference settings