Authorize access to administrative roles

We use the administrative console to assign users and groups to administrative roles and to identify users who can perform WAS administrative functions.

1. Set up a user registry.

2. Click...
   Users and Groups | [Administrative User Roles | Administrative Group Roles] | Add

3. Specify a user, then select the Administrator role.

   Once the user is added to the "Mapped to role" list, click OK.

4. To add a new administrative group, specify either a group name or a Special subject, highlight the Administrator role, and click OK.

   The specified group or special subject is mapped to the security role.

5. To remove a user or group assignment, click Remove.

   On the Console Users or the Console Groups panel, select the check box of the user or group to remove and click OK.

6. To manage the set of users or groups to display, click Show filter function on the User Roles or Group Roles panel.

   In the Search term(s) box, type a value, then click Go. For example, user* displays only users with the user prefix.

7. After the modifications are complete, click Save to save the mappings.

8. Restart the application server for changes to take effect.

9. Shut down the nodes, node agents, and the deployment manager.

10. Verify that Java processes are not running.

    If they are running, discontinue these processes.

11. Restart the deployment manager.

12. From each node, run...
    install_root/bin/syncNode

13. From each node, run...

    install_root/bin/startNode

14. Start any clusters, if applicable.

What to do next

After we assign users to administrative roles, we must restart the Deployment Manager for the new roles to take effect. However, the administrative resources are not protected until we enable security.

Subtopics

• Administrative user roles settings and CORBA naming service user settings
  
• Administrative group roles and CORBA naming service groups
  
• Assigning users to naming roles
  
• Propagate administrative role changes to ISAM
  
• migrateEAR utility for ISAM
  
• Assigning users from a foreign realm to the admin-authz.xml
  

Related:

Role-based authorization

Access control exception for Java 2 security

Administrative roles and naming service authorization

Authorizing access to resources

Assigning users and groups to roles

Assigning users to RunAs roles

(ZOS) z/OS Controlling access to console users when using a Local OS Registry

syncNode command

startNode command