Assign users to RunAs roles
The RunAs role allows us to specify application-specific privileges for individual users, so that specific tasks run under another user identity. Before assigning RunAs roles, complete the following tasks:
- Secure the web applications and the EJB applications where new RunAs roles are created and assigned to web and EJB resources.
- Create all the RunAs roles in the application. The user in the RunAs role can only be entered if that user or a group to which that user belongs is already part of the regular role.
- Assign users and groups to security roles.
- Verify that the user registry requirements are met.
These requirements are the same as those discussed in Assigning users and groups to roles. For example, if the role1 role is also used as a RunAs role, and the user1 user is already mapped to role1 (directly or through a group), then user1 can be added to the RunAs role. The administrative console checks this logic when Apply or OK is clicked. If the check fails, the change is not made and an error message is displayed.
When a user ID and password is assigned to a RunAs role, validation occurs using the currently active user registry. By default, the local operating system registry is the active user registry. Therefore, when an application is installed while security is disabled on the server, the local operating system registry is used to validate the user ID and password assigned to the RunAs role. If the registry the application is intended to use is not the local operating system registry, the validation fails. Therefore, map RunAs roles to users after security is enabled on the server. However, if the active user registry and the registry that will be active after security is enabled are the same, we can assign the user to a RunAs role while security is disabled.
If the Everyone or All Authenticated special subjects are assigned to a role, validation does not occur for that role.
Validation is done every time you click Apply in this panel or when you click OK in the Security role to user/group mapping panel. The check verifies that all the users in all the RunAs roles do exist directly or indirectly through a group in those roles in the Security role to user/group mappings panel. If a role is assigned both a user and a group to which that user belongs, we can delete either the user or the group from the Security role to user/group mapping panel.
If the RunAs role user belongs to a group and that group is assigned to the role, make sure that the group is assigned to the role through the administrative console and not through an assembly tool or other method. When using the administrative console, the full name of the group is used (for example, hostname\groupName on Windows systems and a distinguished name (DN) in LDAP). During the check, all the groups to which the RunAs role user belongs are obtained from the user registry. Because the registry returns the full names of the groups, the comparison with the console mapping succeeds. If the short name of a group is entered using an assembly tool, for example group1 instead of CN=group1, o=myCompany.com, the short name never matches a name returned by the registry and the check fails.
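The following stand-alone script is an added illustration of the consistency check described above, written for this page; it is not WebSphere code and does not use wsadmin. It parses a constructed binding file shaped like ibm-application-bnd.xml (the element and attribute names, and the omitted namespace, are assumptions) against a constructed stand-in for the active user registry that returns full group names, and reports for each RunAs role whether the user is mapped directly, mapped through a group, covered by a special subject, missing from the registry, or mapped only through a short group name.

```python
"""Model of the RunAs-to-role consistency check (added example, not WebSphere code)."""
import xml.etree.ElementTree as ET

# Constructed sample binding. Assumed layout: <security-role> with <user>,
# <group>, <special-subject> and <run-as userid=... password=...> children.
# The namespace used by the real file is omitted to keep parsing simple.
# Passwords are placeholders.
SAMPLE_BND = """<?xml version="1.0" encoding="UTF-8"?>
<application-bnd>
  <security-role name="role1">
    <user name="user1"/>
    <run-as userid="user1" password="placeholder"/>
  </security-role>
  <security-role name="role2">
    <group name="CN=group1,o=myCompany.com"/>
    <run-as userid="user2" password="placeholder"/>
  </security-role>
  <security-role name="role3">
    <group name="group1"/>
    <run-as userid="user2" password="placeholder"/>
  </security-role>
  <security-role name="role4">
    <special-subject type="ALL_AUTHENTICATED_USERS"/>
    <run-as userid="user3" password="placeholder"/>
  </security-role>
  <security-role name="role5">
    <user name="nobody"/>
    <run-as userid="nobody" password="placeholder"/>
  </security-role>
</application-bnd>
"""

# Constructed stand-in for the active user registry: user -> full group names
# (LDAP distinguished names or hostname\groupName), as the registry returns them.
REGISTRY_GROUPS = {
    "user1": ["CN=staff,o=myCompany.com"],
    "user2": ["CN=group1,o=myCompany.com", r"MYHOST\localadmins"],
    "user3": [],
}

SPECIAL_SUBJECTS = {"EVERYONE", "ALL_AUTHENTICATED_USERS"}


def short_name(full_group):
    """Reduce a full group name to the short name an assembly tool might have used."""
    first = full_group.split(",")[0]
    if "=" in first:
        return first.split("=", 1)[1]          # CN=group1 -> group1
    if "\\" in first:
        return first.split("\\", 1)[1]         # MYHOST\g -> g
    return first


def check_runas_bindings(bnd_xml, registry_groups):
    """Return {role: (ok, reason)} for every role that carries a RunAs user."""
    results = {}
    for role in ET.fromstring(bnd_xml).findall("security-role"):
        run_as = role.find("run-as")
        if run_as is None:
            continue
        name, user = role.get("name"), run_as.get("userid")
        specials = {s.get("type") for s in role.findall("special-subject")}
        if specials & SPECIAL_SUBJECTS:
            results[name] = (True, "special subject assigned; validation skipped")
            continue
        if user not in registry_groups:
            results[name] = (False, f"{user} not found in active registry")
            continue
        if user in {u.get("name") for u in role.findall("user")}:
            results[name] = (True, f"{user} mapped to role directly")
            continue
        mapped_groups = {g.get("name") for g in role.findall("group")}
        user_groups = set(registry_groups[user])
        hit = mapped_groups & user_groups
        if hit:
            results[name] = (True, f"{user} mapped via group {sorted(hit)[0]}")
            continue
        # No full-name match: diagnose a group that was entered by short name.
        short = sorted(g for g in mapped_groups
                       if any(short_name(ug) == g for ug in user_groups))
        if short:
            results[name] = (False, f"group {short[0]} mapped by short name; "
                                    "registry returns full names, so no match")
        else:
            results[name] = (False, f"{user} is in neither the role's users nor its groups")
    return results


if __name__ == "__main__":
    for role, (ok, why) in check_runas_bindings(SAMPLE_BND, REGISTRY_GROUPS).items():
        print(f"{role}: {'OK' if ok else 'FAIL'} - {why}")
```

Running the script reports role1, role2 and role4 as consistent and flags role3 (short group name) and role5 (user unknown to the registry), which are the two failure modes the text describes.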
These steps are common to both installing an application and modifying an existing application. If the application contains RunAs roles, we see the User RunAs roles link during application installation and also during managing applications as a link in the Additional properties section.
Assign users to RunAs roles
- Click Applications > Enterprise Applications > application_name > Detail Properties > User RunAs roles.
A list of all the RunAs roles that belong to this application display. If the roles already have users assigned, they display here.
- To assign a user, select the role. We can select multiple roles at the same time if the same user is assigned to all the roles.
- Enter the user's name and password in the designated fields. The user name entered can be either the short name, which is preferred, or the full name, as seen when getting users and groups from the user registry.
- Click Apply. The user is authenticated using the active user registry. If authentication is successful, a check is made to verify that this user, or a group to which this user belongs, is mapped to the role in the Security role to user/group mapping panel. If authentication fails, verify that the user ID and password are correct and that the active registry configuration is correct.
- To remove a user from a RunAs role, select the roles and click Remove.
The RunAs role user is added to the binding file in the application. This file is used for delegation purposes when accessing Java EE resources. This step is required to assign users to RunAs roles so that during delegation the appropriate user is used to invoke the EJB methods.
What to do next
If we are installing the application, complete the installation. After the application is installed and running, resources are accessed according to the RunAs role mapping. Save the configuration. If we are managing applications and modify User RunAs roles, make sure you save, stop, and restart the application so that the changes become effective. Try accessing your Java EE resources to verify that the new changes are in effect.
Subtopics
- Mapping users to RunAs roles using an assembly tool
- Ensure all unprotected 1.x methods have the correct level of protection
- Ensure all unprotected 2.x methods have the correct level of protection
- Correct use of the system identity
- User RunAs collection
Assigning users and groups to roles