Map users and resources using authorization group properties files
We can use authorization group properties files to map users to administrative roles and resources to authorization groups.
Determine the property values to set for an authorization group configuration.
Start the wsadmin scripting tool. To start wsadmin using the Jython language, run the wsadmin -lang jython command from the bin directory of the server profile.
Using a properties file, we can create or modify an authorization group object and map users to administrative roles or resources to groups.
This topic provides sample properties files that we can modify for the environment and apply:
- Create an authorization group.
- Map users to administrative roles.
- Map resources to administrative groups.
- Create an authorization group.
- Create a properties file that uses the createAuthorizationGroup command and names the group.
The following example creates an authorization group named ag1:
    #
    # Header
    #
    CreateDeleteCommandProperties=true
    commandName=createAuthorizationGroup
    #
    #
    # Properties
    #
    authorizationGroupName=ag1 #String,required
- Run the applyConfigProperties command.
Running the applyConfigProperties command applies the properties file. In this Jython example, the optional -reportFileName parameter produces a report named report.txt:
    AdminTask.applyConfigProperties(['-propertiesFileName myObjectType.props -reportFileName report.txt'])
- Map users to administrative roles.
- Modify an AuthorizationGroup properties file so that it lists users for administrative roles.
To add a new user to a role, add the user to the role list. For example, to add user5 to the administrators role list, change administrators={} to administrators={user:user5,group:group1}.
To remove a user from a role, remove the user from the role list; for example, adminsecuritymanagers={user:user4}. To remove all users for a role, make the list empty.
    #
    # Header
    #
    ResourceType=AuthorizationGroup
    ImplementingResourceType=AuthorizationGroup
    ResourceId=CellAuthorizationGroup
    #
    #
    # Properties
    #
    deployers={}
    name=CellAuthorizationGroup
    resources={}
    configurators={}
    monitors={}
    operators={}
    adminsecuritymanagers={user:user4}
    auditors={special:SERVERID,special:PRIMARYADMINID}
    administrators={user:user5,group:group1}
- Run the applyConfigProperties command.
- Map resources to administrative groups.
- Modify an AuthorizationGroup properties file so that it lists resources.
To add a new resource to an authorization group, add the resource to the resources list. To remove a resource from an authorization group, remove the resource from the list.
The following example maps users to administrative roles of an authorization group and maps resources to an authorization group. An authorization group is used to enable fine-grained administrative security.
    #
    # Header
    #
    ResourceType=AuthorizationGroup
    ImplementingResourceType=AuthorizationGroup
    ResourceId=AuthorizationGroup=ag1
    #
    #
    # Properties
    #
    deployers={}
    name=ag1
    resources={Cell=!{cellName}:Node=!{nodeName}:Server=!{serverName},Cell=!{cellName}:Deployment=myApp}
    configurators={}
    monitors={}
    operators={}
    adminsecuritymanagers={}
    auditors={}
    administrators={user:user5,group:group1}
    #
    EnvironmentVariablesSection
    #
    # Environment Variables
    cellName=myCell
    nodeName=myNode
    serverName=myServer
- Run the applyConfigProperties command.
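A pre-apply review of the role and resource edits described above, added here as an example and not taken from IBM's documentation or tooling: it parses an AuthorizationGroup properties file, expands the !{...} variables from the EnvironmentVariablesSection, and reports which principals a proposed file adds to or removes from each role. The function names are hypothetical, the sample text is constructed from the ag1 file above, and the script is plain Python run outside wsadmin.

```python
import re

ROLES = ("administrators", "adminsecuritymanagers", "auditors",
         "configurators", "deployers", "monitors", "operators")

def parse_authz_props(text):  # hypothetical helper, not a wsadmin API
    """Parse one AuthorizationGroup properties file into name/resources/roles."""
    props, env, in_env = {}, {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "EnvironmentVariablesSection":
            in_env = True  # key=value lines after this marker define !{name} variables
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            (env if in_env else props)[key.strip()] = value.strip()

    def as_set(value):
        # Expand !{name}; an undefined variable is left exactly as written.
        value = re.sub(r"!\{(\w+)\}", lambda m: env.get(m.group(1), m.group(0)), value)
        return {item.strip() for item in value.strip()[1:-1].split(",") if item.strip()}

    return {"name": props.get("name"),
            "resources": as_set(props.get("resources", "{}")),
            "roles": {role: as_set(props.get(role, "{}")) for role in ROLES}}

def role_changes(baseline_text, proposed_text):
    """Return {role: (added, removed)} for every role whose member list differs."""
    old, new = parse_authz_props(baseline_text), parse_authz_props(proposed_text)
    changes = {}
    for role in ROLES:
        added = sorted(new["roles"][role] - old["roles"][role])
        removed = sorted(old["roles"][role] - new["roles"][role])
        if added or removed:
            changes[role] = (added, removed)
    return changes

# Constructed sample: a trimmed copy of the ag1 file, and a baseline before the role edit.
PROPOSED = """ResourceId=AuthorizationGroup=ag1
name=ag1
resources={Cell=!{cellName}:Node=!{nodeName}:Server=!{serverName},Cell=!{cellName}:Deployment=myApp}
adminsecuritymanagers={}
administrators={user:user5,group:group1}
EnvironmentVariablesSection
cellName=myCell
nodeName=myNode
serverName=myServer
"""
BASELINE = PROPOSED.replace("administrators={user:user5,group:group1}", "administrators={user:user4}")
if __name__ == "__main__":
    print(role_changes(BASELINE, PROPOSED))
```

Reviewing this output next to the report file from applyConfigProperties makes an unexpected grant to administrators or adminsecuritymanagers visible before the configuration is saved.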
Results
We can use the properties file to manage authorization groups.
Save the changes to your configuration.