Editing a fine-grained administrative authorization group using the administrative console
We can add administrative resources to an administrative authorization group, remove them from it, or edit the users and groups mapped to its roles.
We must be logged into the administrative console with the cell-level AdminSecurityManager authority or as the primary administrative user.
Tasks
- Navigate to Security > Administrative Authorization Groups. The Administrative Authorization Groups page displays a table that lists all of the current administrative authorization groups available in the cell.
- In the table, click the administrative authorization group that you want to edit.
- To add or remove resources from the administrative authorization group, select or clear them in the Resource section of the edit page. Resources displayed in black text are available for selection or clearing. Resources displayed in grey text are members of a different administrative authorization group and therefore cannot be edited for the current administrative authorization group.
The available filtering options are the following. Each option includes all the resources associated with that specific filtering option.
- All scopes. (The default view that displays the authorization group tree.)
- Clusters. (All of the resources associated with the clusters.)
- Web servers. (All of the resources associated with the Web servers.)
- Business-level applications. (All of the resources associated with the business-level applications.)
- Servers. (All of the resources associated with the servers.)
- Nodes. (All of the resources associated with the nodes.)
- Applications. (All of the resources associated with the applications.)
- Assets. (All of the resources associated with the assets.)
- Node groups. (All of the resources associated with the node groups.)
- Assigned scopes. (All of the scopes explicitly assigned to the current authorization group.)
Nodes prior to WebSphere Application Server v6.1 in a mixed cell environment are filtered out of resource mapping.
- To remove a user or a group, do the following:
- To delete users, click Administrative user roles under the Additional Properties section. To delete groups, click Administrative group roles under the Additional Properties section. The appropriate edit page displays a table that lists all of the current users or groups and their associated roles, along with the user's login status.
- Click the check box for the name of the current user or group and then click Remove. The current user or group is no longer associated with the role and the role is no longer listed in the table. It is now ready to have a new user or group assigned to it.
- To add or to reassign a user or group role to this administrative authorization group, do the following:
- To add a user, click Administrative user roles under the Additional Properties section. To add a group, click Administrative group roles located under the Additional Properties section. The appropriate edit page displays a table that lists all of the current users or groups and their associated roles. The available roles are:
- Administrator
- An individual or group that uses the administrator role has the operator and configurator privileges plus additional privileges granted solely to the administrator role. For example, an administrator can complete the following tasks:
- Modify the server user ID and password.
- Configure authentication and authorization mechanisms.
- Enable or disable administrative security.
- Enable or disable Java 2 security.
- Change the LTPA password and generate keys.
- Create, update, or delete users in the federated repositories configuration.
- Create, update, or delete groups in the federated repositories configuration.
An administrator cannot map users and groups to the administrator roles.
- Configurator
- An individual or group that uses the configurator role has the monitor privilege plus the ability to change the WAS configuration. The configurator can perform all the day-to-day configuration tasks. For example, a configurator can complete the following tasks:
- Create a resource.
- Map an application server.
- Install and uninstall an application.
- Deploy an application.
- Assign user-to-role and group-to-role mappings for applications.
- Set up Java 2 security permissions for applications.
- Customize the CSIv2, SAS, and SSL configurations.
Important: SAS is supported only between v6.0.x and previous version servers that have been federated in a v6.1 cell.
- Deployer
- Users granted this role can perform both configuration actions and runtime operations on applications.
- Operator
- An individual or group that uses the operator role has monitor privileges plus the ability to change the runtime state. For example, an operator can complete the following tasks:
- Stop and start the server.
- Monitor the server status in the administrative console.
- Monitor
- An individual or group that uses the monitor role has the least amount of privileges. A monitor can complete the following tasks:
- View the WAS configuration.
- View the current state of the Application Server.
- Admin Security Manager
- Using the Admin Security Manager role, we can assign users and groups to the administrative user roles and administrative group roles. However, an administrator cannot assign users and groups to the administrative user roles and administrative group roles, including the Admin Security Manager role.
- Click Add....
- To add a new user or group, follow the instructions on the page to specify either a user name, group name, or Special subject. Highlight the desired role(s), and click OK. The specified users, groups, or Special subject are mapped to the security roles.
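A review of role assignments after editing a group, as an added example that is not part of the original page or of the product. It uses the role relationships described above (Administrator includes Operator and Configurator, each of which includes Monitor); the group names, users, resource labels and dictionary layout are constructed for illustration and are not a WebSphere export format.

```python
# Role relationships as described on this page; all sample data is constructed.
IMPLIES = {
    "monitor": set(),
    "operator": {"monitor"},
    "configurator": {"monitor"},
    "administrator": {"operator", "configurator"},
    "deployer": set(),
    "adminsecuritymanager": set(),
}

def effective(role):
    """Return the role plus every role whose privileges it includes."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(IMPLIES[r])
    return seen

def audit(groups):
    """Flag shared resources, admin + role-mapper overlap, redundant roles."""
    findings, owner = [], {}
    for name, g in sorted(groups.items()):
        for res in sorted(g["resources"]):
            if res in owner:  # a resource belongs to one group only
                findings.append(("shared-resource", res, owner[res], name))
            else:
                owner[res] = name
        for user, roles in sorted(g["roles"].items()):
            # Administrator cannot map roles; holding both removes that split.
            if {"administrator", "adminsecuritymanager"} <= roles:
                findings.append(("admin-and-role-mapper", user, name))
            for r in sorted(roles):
                covering = sorted(o for o in roles if o != r and r in effective(o))
                if covering:  # r is already included in a stronger role
                    findings.append(("redundant-role", user, name, r, covering[0]))
    return findings

SAMPLE = {  # constructed sample, not real configuration data
    "PayrollGroup": {
        "resources": {"cluster:payroll", "application:payrollApp"},
        "roles": {"alice": {"administrator", "monitor"},
                  "bob": {"operator", "configurator"},
                  "carol": {"administrator", "adminsecuritymanager"}}},
    "WebGroup": {
        "resources": {"server:web1", "application:payrollApp"},
        "roles": {"dave": {"deployer"}}},
}
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
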
Related:
- Role-based authorization
- Administrative roles and naming service authorization
- Create a fine-grained administrative authorization group