Mapping users and resources using authorization group properties files
Use authorization group properties files to map users to administrative roles and resources to authorization groups.
Determine the property values to set for an authorization group configuration.
Run: wsadmin -lang jython
Use a properties file to create or modify an authorization group object and map users to administrative roles or resources to groups.
Modify the following sample properties files for your environment and apply them:
- Create an authorization group.
- Map users to administrative roles.
- Map resources to administrative groups.
Tasks
- Create an authorization group.
- Create a properties file that uses the createAuthorizationGroup command and names the group.
The following example creates an authorization group named ag1:
    #
    # Header
    #
    CreateDeleteCommandProperties=true
    commandName=createAuthorizationGroup
    #
    #
    # Properties
    #
    authorizationGroupName=ag1 #String,required
- Run the applyConfigProperties command.
Running the applyConfigProperties command applies the properties file. In this Jython example, the optional -reportFileName parameter produces a report named report.txt:
AdminTask.applyConfigProperties(['-propertiesFileName myObjectType.props -reportFileName report.txt'])
- Map users to administrative roles.
- Modify an AuthorizationGroup properties file so that it lists users for administrative roles.
To add a new user to a role, add the user to the role list. For example, to add user5 to the administrators role list, change administrators={} to administrators={user:user5,group:group1}.
To remove a user from a role, remove the user from the role list; for example, adminsecuritymanagers={user:user4}. To remove all users for a role, make the list empty.
    #
    # Header
    #
    ResourceType=AuthorizationGroup
    ImplementingResourceType=AuthorizationGroup
    ResourceId=CellAuthorizationGroup
    #
    #
    # Properties
    #
    deployers={}
    name=CellAuthorizationGroup
    resources={}
    configurators={}
    monitors={}
    operators={}
    adminsecuritymanagers={user:user4}
    auditors={special:SERVERID,special:PRIMARYADMINID}
    administrators={user:user5,group:group1}
- Run the applyConfigProperties command.
- Map resources to administrative groups.
- Modify an AuthorizationGroup properties file so that it lists resources.
To add a new resource to an authorization group, add the resource to the resources list. To remove a resource from an authorization group, remove the resource from the list.
The following example maps users to administrative roles of an authorization group and maps resources to an authorization group. An authorization group is used to enable fine-grained administrative security.
    #
    # Header
    #
    ResourceType=AuthorizationGroup
    ImplementingResourceType=AuthorizationGroup
    ResourceId=AuthorizationGroup=ag1
    #
    #
    # Properties
    #
    deployers={}
    name=ag1
    resources={Cell=!{cellName}:Node=!{nodeName}:Server=!{serverName},Cell=!{cellName}:Deployment=myApp}
    configurators={}
    monitors={}
    operators={}
    adminsecuritymanagers={}
    auditors={}
    administrators={user:user5,group:group1}
    #
    EnvironmentVariablesSection
    #
    # Environment Variables
    cellName=myCell
    nodeName=myNode
    serverName=myServer
- Run the applyConfigProperties command.
Use the properties file to configure and manage authorization groups.
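The following Python script is an added example, not part of the product or of the original page. It parses an AuthorizationGroup properties file in the format shown above, resolves !{variable} references, and lists which principals would gain or lose each administrative role, so that a change can be reviewed before applyConfigProperties is run. The function names and the abbreviated sample input are constructed for illustration; the script runs with Python 3 outside wsadmin.

```python
import re

ROLES = ("administrators", "adminsecuritymanagers", "auditors",
         "configurators", "deployers", "monitors", "operators")

def parse_authz_props(text):
    """Return ({role: set(principals)}, [resources]) with !{var} resolved."""
    props, env = {}, {}
    target = props
    for raw in text.splitlines():
        line = raw.strip()
        if line == "EnvironmentVariablesSection":
            target = env  # key=value lines after this marker are variables
        elif line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            target[key.strip()] = value.strip()

    def entries(key):
        # An undefined !{var} raises KeyError instead of passing through.
        body = re.sub(r"!\{(\w+)\}", lambda m: env[m.group(1)],
                      props.get(key, "{}"))
        return [e.strip() for e in body.strip("{}").split(",") if e.strip()]

    return {r: set(entries(r)) for r in ROLES}, entries("resources")

def role_changes(before, after):
    """List (role, principal, '+' or '-') differences between two role maps."""
    out = []
    for role in ROLES:
        out += [(role, p, "+") for p in sorted(after[role] - before[role])]
        out += [(role, p, "-") for p in sorted(before[role] - after[role])]
    return out

# Constructed sample input: an abbreviated copy of the ag1 file on this page.
PROPOSED = """\
ResourceId=AuthorizationGroup=ag1
name=ag1
resources={Cell=!{cellName}:Node=!{nodeName}:Server=!{serverName},Cell=!{cellName}:Deployment=myApp}
adminsecuritymanagers={}
administrators={user:user5,group:group1}
#
EnvironmentVariablesSection
cellName=myCell
nodeName=myNode
serverName=myServer
"""
# Constructed "current" state: the same file before the administrators edit.
CURRENT = PROPOSED.replace("administrators={user:user5,group:group1}",
                           "administrators={}")

if __name__ == "__main__":
    old, new = parse_authz_props(CURRENT)[0], parse_authz_props(PROPOSED)[0]
    print(role_changes(old, new))
```

An empty result from role_changes means the edited file grants and revokes nothing relative to the baseline.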
What to do next
Save the changes to the configuration.