WAS v8.5 > Set up the application serving environment > Manage profiles > Manage profiles for non-root usersGranting write permission for profile-related tasks
The installer can grant write permission of the appropriate files and directories to a non-root user. The non-root user can then create the profile. The installer can create a group for users who are authorized to create profiles, or the installer can give individual users the authority to create profiles. The following example task shows how to create a group that is authorized to create profiles.
This task assumes a basic familiarity with system commands.
This task uses the following terms:
- Root users refers to:
- Root users
- Administrators
- Non-root users refers to:
- Non-root users
- Non-administrators
- Installer refers to a root user or a non-root user.
- Log on as the installer to the system where the product is installed.
- Create the profilers group used to create profiles.
Read the documentation for the operating system for information about how to create groups.
- Create a user named user1 to create profiles.
Read the documentation for the operating system for information on how to create users.
- Add the installer and user1 to the profilers group.
- Log off and log back on again as the installer to use the new group.
- As the installer, use operating system tools to change directory and file permissions.
The following example assumes the installation root directory is /opt/IBM/WebSphere/AppServer:
chgrp profilers /opt/IBM/WebSphere/AppServer/logs/manageprofiles chmod g+wr /opt/IBM/WebSphere/AppServer/logs/manageprofiles chgrp profilers /opt/IBM/WebSphere/AppServer/properties chmod g+wr /opt/IBM/WebSphere/AppServer/properties chgrp profilers /opt/IBM/WebSphere/AppServer/properties/fsdb chmod g+wr /opt/IBM/WebSphere/AppServer/properties/fsdb chgrp profilers /opt/IBM/WebSphere/AppServer/properties/profileRegistry.xml chmod g+wr /opt/IBM/WebSphere/AppServer/properties/profileRegistry.xml chgrp -R profilers /opt/IBM/WebSphere/AppServer/profileTemplates
chmod -R g+wr /opt/IBM/WebSphere/AppServer/profileTemplates/default/documents
The ownership of files is preserved when the files are copied to the profile directory during profile creation. You granted write permission to the profile directory so that files copied to the profile directory can be modified as part of the profile creation process. Files that are already in the profileTemplate directory structure prior to the start of profile creation are not modified during profile creation.
chgrp profilers /opt/IBM/WebSphere/AppServer/properties/Profiles.menu chmod g+wr /opt/IBM/WebSphere/AppServer/properties/Profiles.menuThe following example assumes the installation root directory is C:\Program Files\IBM\WebSphere\AppServer. Follow instructions in the Windows documentation to give the profilers group read and write permission to the following directories and their files:
C:\Program Files\IBM\WebSphere\AppServer\logs\manageprofiles C:\Program Files\IBM\WebSphere\AppServer\properties C:\Program Files\IBM\WebSphere\AppServer\properties\fsdb C:\Program Files\IBM\WebSphere\AppServer\properties\profileRegistry.xmlYou might have to change the permissions on additional files if the non-root user encounters permission errors. If you authorize a non-root user to delete a profile, for example, the user might have to delete the following file:
app_server_root/properties/profileRegistry.xml_LOCK
app_server_root\properties\profileRegistry.xml_LOCK
Give write access to the non-root user for the file to authorize the user to delete the file. If the non-root user still cannot delete the profile, then the installer can delete the profile.
- Make the configuration directory accessible to non-root users.
Perform one of the following actions:
- Redirect pointers to the configuration directory to a location other than app_server_root/configuration.
Point to a directory that is writable by non-root users. On line 125 of app_server_root/bin/setupCmdLine.sh, for example, change
OSGI_CFG="-Dosgi.configuration.area=$WAS_HOME/configuration"
toOSGI_CFG="-Dosgi.configuration.area=writable_directory/configuration"
- Make the app_server_root/configuration directory writable by non-root users.
Results
The installer created the profilers group and gave the group proper permissions to certain directories and files to create profiles.
These directories and files are the only ones in the installation root of the product to which a non-root user needs to write to create profiles.
The non-root user that belongs to the profilers group can create profiles in a directory the non-root user owns and to which the non-root user has write permission. However, the non-root user cannot create profiles in the installation root directory of the product.
A non-root user ID can manage multiple profiles. For a given profile, have the same non-root user ID manage the entire profile.
The non-root user can use the same tasks to manage a profile the root user uses.