Verify external authorization to Security Access Manager
After configuring HCL WebSphere Portal to use Security Access Manager for externalized authorization, verify that it works properly before continuing with any additional ConfigEngine tasks.
Verify that Security Access Manager is working properly:
- Verify the topology matches the topology described in the protected object space. For example, ensure the value of the wp.ac.impl.PDroot parameter exists in the Security Access Manager protected object space.
- Verify that at least one user, typically the administrator, has the Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL_1 role by displaying its ACL:
pdadmin> acl show WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1
If no entry is found, add the administrator to the Administrator@VIRTUAL/EXTERNAL ACCESS CONTROL_1 role:
pdadmin> acl modify WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1 set user wpsadmin T[WPS]m
pdadmin> acl modify WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1 set group wpsadmins T[WPS]m
where wpsadmin is the administrator user ID and wpsadmins is the administrator group.
- Perform the following steps from the Resource Permissions portlet:
- Go to:
Resource type > Assign Access icon > Edit Role icon > Add
- Search for Users or User Groups, or open the Search by drop-down list (the default is All available) to select specific users or user groups.
Click OK. An informational message box should confirm that the members were successfully added to the role.
- Optional: Explicitly assign additional roles. For any role type of the resource to which we do not assign at least one user or group, we must use the external security manager interface to create that role type later. For example, if we do not assign any users or groups to the Editor role type for the resource, we must use the external security manager interface to create the Editor role type later.
- Click the Externalize icon for the resource. These steps move every role defined for each resource we assigned to the Security Access Manager protected object space. One ACL is created for each externalized role.
- Add users to the ACLs attached to the role types on that resource using either the Security Access Manager GUI or the pdadmin command line.
If we log on as an administrator to externalize resources to Security Access Manager:
- We must be a member of the wpsadmins group.
- The wpsadmins group must appear in the VIRTUAL/EXTERNAL_ACCESS_CONTROL_1 ACL.
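
The ACL check from the pdadmin step above can be scripted. The following is an added example, not part of the product documentation: it parses captured `acl show` output and reports which principals lack the `T[WPS]m` permissions set by the `acl modify` commands. The sample output is constructed, its layout (one `User`/`Group` line per entry) is an assumption about how `acl show` prints entries, and the function names are hypothetical.

```python
import re

# Constructed sample; the layout of `acl show` output is an assumption.
# The group entry deliberately lacks [WPS]m to show the failure case.
SAMPLE = """\
    ACL Name: WPS_Administrator-VIRTUAL_wps-EXTERNAL_ACCESS_CONTROL_1
    Description:
    Entries:
        User wpsadmin T[WPS]m
        Group wpsadmins T
"""

PERM_RE = re.compile(r"\[([^\]]+)\]([A-Za-z]+)|([A-Za-z]+)")
ENTRY_RE = re.compile(r"^\s*(User|Group)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_perms(text):
    """Split 'T[WPS]m' into {'primary': {'T'}, 'WPS': {'m'}}."""
    perms = {}
    for group, grouped, bare in PERM_RE.findall(text):
        perms.setdefault(group or "primary", set()).update(grouped or bare)
    return perms


def parse_acl(output):
    """Map (kind, name) to parsed permissions for each User/Group entry."""
    entries = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[(m.group(1).lower(), m.group(2))] = parse_perms(m.group(3))
    return entries


def missing_perms(entries, kind, name, required="T[WPS]m"):
    """Return the required actions the principal lacks, or None if no entry."""
    have = entries.get((kind, name))
    if have is None:
        return None
    gaps = {}
    for group, actions in parse_perms(required).items():
        lacking = actions - have.get(group, set())
        if lacking:
            gaps[group] = lacking
    return gaps


if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for kind, name in [("user", "wpsadmin"), ("group", "wpsadmins"), ("user", "nobody")]:
        gaps = missing_perms(acl, kind, name)
        state = "no entry" if gaps is None else ("ok" if not gaps else f"missing {gaps}")
        print(f"{kind} {name}: {state}")
```

A result of `None` corresponds to the "no entry is found" case above; a non-empty result means the entry exists but was set with fewer permissions than `T[WPS]m`.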