WAS v8.5 > Set up the application serving environment > Manage profiles

Manage profiles for non-root users

The non-root user can receive permissions for files and directories so the non-root user can create a profile.

This task assumes a basic familiarity with the manageprofiles command, the Profile Management Tool, and system commands.

This task uses the following terms:

• Root users refers to:
  • Root users
  • Administrators

• Non-root users refers to:
  • Non-root users
  • Non-administrators

• Installer refers to a root user or a non-root user.

Remember: An ease-of-use limitation exists for non-root users who create profiles. Mechanisms within the Profile Management Tool that suggest unique names and port values are disabled for non-root users. The non-root user must change the default field values in the Profile Management Tool for the profile name, node name, and port assignments. Consider assigning non-root users a range of values for each of the fields. We can assign responsibility to the non-root users for adhering to their assigned value ranges and for maintaining the integrity of their own definitions.

Best practice: IBM recommends starting processes that run on the same profile with user IDs that have mutually compatible file permissions, meaning that each process can read or updated files the other processes create. This ensures the processes can access the same files without encountering a permission-denied error. For example, if you run the deployment manager as user wasuser and then also run the command line tool to generate plug-ins on that same profile, run the tool as user wasuser.

Tip: In WAS v8.5, files created by an Administrator outside of the Program Files directory are usable by non-Administrators. Therefore, profiles created outside of the Program Files directory can be used by non-Administrators to start the server and so on. Non-root users might typically need these tasks completed so they can start their own application servers in development environments. For instance, an application developer might test an application on a application server in a profile assigned to that application developer.

• Create a profile as an installer and assign ownership to a non-root user.
  

  This article describes how the installer creates a profile and assigns ownership of the profile directory to a non-root user so the non-root user can start the application server for a specific profile.

• Grant write permission of files and directories to a non-root user for profile creation.
  

  This article describes how an installer authorizes a group to certain files and directories so that non-root users in the group can create profiles.

• Install maintenance as an installer and change the ownership of profile-related files.
  

  This article describes how to install product maintenance and change the ownership of new profile files to the non-root user that owns the profile. The installer changes ownership of the files so the non-root user can then successfully start the application server.

Results

Depending on the tasks the installer followed, the installer has completed the following actions:

• Created a profile for a non-root user and assigned ownership of the profile directory to the non-root user
• Granted permission to the appropriate directories so that non-root users can create profiles
• After installing maintenance, changed ownership of new profile files in a directory that is owned by a non-root user, so the non-root user can successfully start the application server

Connections to the Derby database might not work, and you might see errors like the following in the logs:

java.io.FileNotFoundException: C:\Program Files\IBM\WebSphere\AppServer\derby\derby.log (Access is denied.)

This can happen when files under app_server_root are read-only. We can configure Derby to write its log to another location by setting the following property in the app_server_root/derby/derby.properties file

# This property can be set to make Derby log to System.err.  This is useful if you 
# do not have write permission to the default location: 
/opt/wasprofile/derby/derby.log derby.stream.error.field=java.lang.System.err

Depending on the tasks the installer completes, a non-root user can create a profile, start WebSphere Application Server, or do both.

Subtopics

• Assigning profile ownership to a non-root user
  An installer can create a profile and assign ownership of the profile directory to a non-root user so the non-root user can start the product for a specific profile.
• Granting write permission for profile-related tasks
  The installer can grant write permission of the appropriate files and directories to a non-root user. The non-root user can then create the profile. The installer can create a group for users who are authorized to create profiles, or the installer can give individual users the authority to create profiles. The following example task shows how to create a group that is authorized to create profiles.
• Change ownership for profile maintenance
  When an installer installs a maintenance package containing service for a profile that a non-root user owns, the installer owns any new files the maintenance package creates. The installer can change the ownership of the new files so that a non-root user can successfully start the product.

Related

Assigning profile ownership to a non-root user
Granting write permission for profile-related tasks
Change ownership for profile maintenance

+

Search Tips   |   Advanced Search