Fine-grained administrative security in heterogeneous and single-server environments
Use fine-grained administrative security in heterogeneous or single-server environments. This capability enables us to use fine-grained administrative security for nodes that were created on different versions of the product, and applications that are grouped and placed in different authorization groups.
Fine-grained administrative security in a heterogeneous environment
Product support of heterogeneous systems enables the deployment manager node to run at the currently installed version of the product, while other nodes run at lower versions of the product that are compatible with the currently installed version.
Because the configurations that are done in the deployment manager node are always at the version of the product on which we are currently running, fine-grained administrative security can be enforced when configuring resources that belong to earlier versions. However, run-time code for versions lower than v6.1 cannot enforce fine-grained administrative security. Therefore, any resource instance that is not part of a Version 6.1 or higher node cannot be added to an authorization group.
Fine-grained administrative security in a heterogeneous environment has the following requirements:
- Only nodes running WebSphere Application Server v9.0 can be part of an administrative authorization group.
- Only servers running in a WebSphere Application Server v9.0 node can be part of an administrative authorization group.
- Only applications that are targeted on servers running on WAS v9.0 can be part of an administrative authorization group.
- If a cluster spans nodes of multiple releases, it cannot be part of an administrative authorization group.
- If a cluster spans nodes of multiple releases, none of its members can be part of an administrative authorization group.
- If an application is targeted on a cluster that spans multiple releases, that application cannot be part of an administrative authorization group.
Fine-grained administrative security in a single-server environment
We can also use fine-grained administrative security in a single-server environment. This capability means that we can group various applications in the single server, and place them in different authorization groups. Therefore, different authorization constraints might exist for different applications.
Life cycle of fine-grained administrative resource
An administrative resource that was once part of an authorization group continues to be part of that authorization group until one of the following events occurs:
- The administrative resource is removed from the authorization group. In this instance, the administrative resource belongs to the cell-level authorization group.
- The administrative resource is removed from the configuration. In this instance, the administrative resource does not exist in the configuration, but still exists in the authorization group. Remove this administrative resource from the authorization group.
After the administrative resource is removed from the authorization group, the administrative authorizer runtime must be notified using the AuthorizationManager refreshAll MBean method.
The refreshAll command must be invoked after AdminConfig.save() and sync nodes. For example:
JACL:
// Get AuthorizationGroup Mbean wsadmin> set agBean [$AdminControl queryNames type=AuthorizationGroupManager,process=dmgr,*] wsadmin> $AdminControl invoke &agBean refreshAllJYTHON:
// Get AuthorizationGroup Mbean wsadmin> set agBean AdminControl.queryNames('type=AuthorizationGroupManager,process=dmgr,*') wsadmin> AdminControl.invoke(agBean, 'refreshAll')The server restart is no longer needed.
Each application server in the cell will be refreshed automatically when the refreshAll command is issued to the AuthorizationGroupManager MBean in the deployment manager or an administrative agent. All registered servers will be notified.
Related:
Fine-grained administrative security Role-based authorization Administrative roles