Assigning users to administrator roles

 


The following steps are needed to assign users to administrative roles.

In the administrative console, click System Administration > Console settings. Click either Console Users or Console Groups.

  1. To add a user or a group, click Add on the Console users or Console groups panel.

  2. To add a new administrator user, enter a user identity in the User field, highlight Administrator, and click OK. If there is no validation error, the specified user is displayed with the assigned security role.

  3. To add a new administrative group, either enter a group name in the Specify group field or select EVERYONE or ALL AUTHENTICATED from the Select from special subject menu, and click OK. If no validation error exists, the specified group or special subject displays with the assigned security role.

  4. To remove a user or group assignment, click Remove on the Console Users or the Console Groups panel. On the Console Users or the Console Groups panel, select the check box of the user or group to remove and click OK.

  5. To manage the set of users or groups to display, expand the filter folder on the right panel and modify the filter. For example, setting the filter to user* displays only users with the user prefix.

  6. After the modifications are complete, click Save to save the mappings.

  7. Restart the server for changes to take effect.

  8. Restart the application server.

  9. Shut down the nodes, node agents, and the deployment manager.

  10. Verify that Java processes are not running. If they are running, discontinue these processes.

  11. Restart the deployment manager.

  12. Resynchronize the nodes. To resynchronize the nodes, run the profile_root/bin/syncNode script from the Qshell command line for each node. For more information, see the syncNode command.

  13. Restart the nodes. To restart the nodes, run the install_root/bin/startNode script from the Qshell command line for each node. For more information, see the startNode command.

  14. Start any clusters, if applicable.

 

What to do next

Assigning users and groups to administrative roles identifies the users who can perform WebSphere Application Server administrative functions. Administrator roles are used to control access to these functions. There are four roles: administrator, configurator, operator, and monitor.

Administrator role

Users and groups assigned to the administrator role can perform all administrative operations and can set up both Java 2 Platform, Enterprise Edition (J2EE) role-based and Java 2 security policy.

Configurator role

Users assigned to the configurator role can perform all of the day-to-day configuration tasks including installing and uninstalling applications, assigning users and groups to role mapping for applications, setting run-as configurations, setting up Java 2 security permissions for applications, and customizing Common Secure Interoperability Version 2 (CSIv2), Security Authentication Service (SAS), and Secure Sockets Layer (SSL) configurations.

Operator role

Users assigned to the operator role can view the WebSphere Application Server configuration and its current state, and can also change the run-time state, such as stopping and starting services.

Monitor role

Users assigned to the monitor role can view the WebSphere Application Server configuration and its current state only.

Before you assign users to administrative roles (administrator, configurator, operator, and monitor), set up your user registry, which can be Lightweight Directory Access Protocol (LDAP), local OS, or a custom registry. You can set up your user registries without enabling security.

After you assign users to administrative roles, restart the Deployment Manager for the new roles to take effect. However, the administrative resources are not protected until you enable security.
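The procedure above allows the special subjects EVERYONE and ALL AUTHENTICATED to be mapped to a console role, so a review of the saved mappings is worth doing before security is enabled. The following Python check is an added example, not part of the product or its documentation; the "role:kind:name" listing format and the sample entries are assumptions constructed for illustration.

```python
# Added example; the "role:kind:name" listing format is an assumption for
# illustration and is not a WebSphere file format.
ROLES = {"administrator", "configurator", "operator", "monitor"}
# Per the role descriptions, these roles can change configuration or run-time state.
STATE_CHANGING = {"administrator", "configurator", "operator"}
SPECIAL_SUBJECTS = {"EVERYONE", "ALL AUTHENTICATED"}

# Constructed sample mappings (not taken from a real system).
SAMPLE = """\
administrator:user:wasadmin
administrator:special:EVERYONE
operator:group:ops-team
monitor:special:ALL AUTHENTICATED
monitor:user:wasadmin
superuser:user:bob
"""

def audit(text):
    """Return (severity, message) findings in the order they are detected."""
    findings, held = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split(":", 2)]
        if len(parts) != 3 or parts[1] not in ("user", "group", "special"):
            findings.append(("ERROR", f"line {lineno}: malformed entry {raw!r}"))
            continue
        role, kind, name = parts[0].lower(), parts[1], parts[2]
        if role not in ROLES:
            findings.append(("ERROR", f"line {lineno}: unknown role {role!r}"))
            continue
        if name.upper() in SPECIAL_SUBJECTS:
            # A special subject grants the role to a whole class of callers,
            # not to a named identity.
            sev = "CRITICAL" if role in STATE_CHANGING else "WARNING"
            findings.append((sev, f"line {lineno}: {name} holds {role}"))
        held.setdefault((kind, name), set()).add(role)
    for (kind, name), roles in sorted(held.items()):
        extra = sorted(roles - {"administrator"})
        # Administrator already covers all administrative operations.
        if "administrator" in roles and extra:
            findings.append(("INFO", f"{kind} {name}: redundant {', '.join(extra)}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"{severity:8} {message}")
```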

