Administrative agent security
Required security roles for administrative agent
| Administrative tasks | Required security roles |
| --- | --- |
| Register/unregister a base (stand-alone) node with the administrative agent | administrator |
| Work with the administrative agent | Administrative roles required for the operation being performed |
| Work with the administrative subsystem, such as registered nodes | Administrative roles required for the registered base node |
Same security domain configuration
The administrative agent supports a security configuration where all the cells in the topology share the same user registry, and therefore, the same security domain.
For the administrative agent topology, when a user logs in to the JMX connector port of an administrative subsystem, or chooses the registered node from the administrative console, the authorization table for the chosen node is used.
For example, suppose two stand-alone application servers, Node1 and Node2, are registered with an administrative agent. User1 is authorized as administrator for Node1, but is not authorized for Node2. User2 is authorized as configurator for Node2, but is not authorized for Node1. User1 can administer, operate and configure Node1 and its resources. User2 can monitor and configure Node2 and its resources. Only User1 can register or unregister a node, Node1, with the administrative agent.
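The following added example (not product code or a WebSphere API) models the Node1/Node2 scenario above: each decision consults only the chosen node's authorization table, and a small audit lists nodes that no user in the tables can register or unregister. The function names, the table layout, and the operator and monitor permission rows are assumptions made for illustration.

```python
# Added illustration: a model of the authorization decision, not WebSphere code.

# Permissions carried by each administrative role. The administrator and
# configurator rows follow the example above; the operator and monitor rows
# are assumptions based on the standard WebSphere role definitions.
ROLE_PERMISSIONS = {
    "administrator": {"administer", "operate", "configure", "monitor"},
    "configurator": {"configure", "monitor"},
    "operator": {"operate", "monitor"},
    "monitor": {"monitor"},
}

# Constructed authorization tables, one per registered node (user -> role).
AUTH_TABLES = {
    "Node1": {"User1": "administrator"},
    "Node2": {"User2": "configurator"},
}


def is_allowed(user, node, action, tables=AUTH_TABLES):
    """Decide using only the authorization table of the chosen node."""
    role = tables.get(node, {}).get(user)
    if role is None:
        return False  # unknown node, or user not in that node's table: deny
    if action in ("register", "unregister"):
        # Registering or unregistering a base node requires administrator.
        return role == "administrator"
    return action in ROLE_PERMISSIONS.get(role, set())


def who_can_register(node, tables=AUTH_TABLES):
    """Users able to register/unregister the given node with the agent."""
    users = tables.get(node, {})
    return sorted(u for u in users if is_allowed(u, node, "register", tables))


def nodes_without_administrator(tables=AUTH_TABLES):
    """Nodes that no user in the tables can register or unregister."""
    return sorted(n for n in tables if not who_can_register(n, tables))


if __name__ == "__main__":
    for node in sorted(AUTH_TABLES):
        print(node, "register/unregister:", who_can_register(node) or "nobody")
    print("No administrator:", nodes_without_administrator())
```

With the two users from the example, the audit reports Node2, because User2 holds only the configurator role there.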
Do not use DMZ proxy
A DMZ proxy does not work with the administrative agent when security is enabled. Keep security enabled and do not use the administrative agent in a DMZ proxy environment.
Related:
Job manager security
Administrative agent
Administrative roles
Administer nodes remotely using the job manager
Administer jobs in a flexible management environment
Administer nodes and resources
Task overview: Securing resources