WebSphere Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

Enable application groups

Use the information in this file to enable application groups within the database user registry, with members contained in the LDAP user registry you configured.

Application groups are a concept that allows you to define user groups within the database user registry whose members (users or groups) are contained in the LDAP user registry you configured. The benefit of application groups is that you can create groups that are used only in IBM® WebSphere® Portal Express. You can use application groups in the following scenarios:

Read-only LDAP

If you have a read-only LDAP, you cannot change the group membership of users and groups. If you need to define access rights for certain users that are in different groups, you can create an application group for these users with the required access rights.

Special group setup for WebSphere Portal Express

In this scenario you need to set up a special group hierarchy that is used only by WebSphere Portal Express and not by other applications that access your LDAP. This helps you apply access control rules just for WebSphere Portal Express, because the roles assigned to the group apply to all members of the group.

Application groups apply only to WebSphere Portal Express; they do not apply to external security managers. The following prerequisites are required to enable application groups:

  1. Ensure that you configured the database you want to work with.

  2. Ensure that the LDAP software is installed and any setup required for WebSphere Portal Express has been performed.

  3. Enable security, per your LDAP information.

    You can configure your LDAP with or without realm support and with a lookaside database if required.

Use the following steps to enable application groups:

  1. Open the portal_server_root/wmm/wmm.xml file and make the following changes.

    1. Set the horizontalPartitioning="true" property and copy the following lines to the <repositories>...</repositories> section:

      <federationRepository name="wmmDBFederation"
        UUID="DB1"
        supportTranslation="true"
        adapterClassName="com.ibm.ws.wmm.db.DataBaseFederationAdapter"
        dataSourceName="jdbc/wpsdbDS"
        databaseType="DB2"
        dataAccessManagerClassName="com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao"/>

      Use the following table to make adjustments depending on the type of database you are using:

      databaseType   dataAccessManagerClassName
      db2            com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao
      oracle         com.ibm.ws.wmm.db.dao.oracle.WMMOracleDao
      sqlserver      com.ibm.ws.wmm.db.dao.sqlserver.WMMSQLServerDao

    2. Copy the following lines to the <repositories>...</repositories> section:

      <databaseRepository name="wmmDB"
        UUID="DB2"
        supportTransactions="true"
        wmmGenerateExtId="true"
        adapterClassName="com.ibm.ws.wmm.db.DatabaseRepository"
        supportDynamicAttributes="true"
        supportGetPersonByAccountName="false"
        profileRepositoryForGroups="DB2"
        dataSourceName="jdbc/wpsdbDS"
        databaseType="DB2"
        dataAccessManagerClassName="com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao"
        saltLength="12"
        dbEncryptionKey="rZ15ws0ely9yHk3zCs3sTMv/ho8fY17s">
        <readMemberType>
          <memberType name="Person" />
          <memberType name="Group" />
          <memberType name="Organization" />
          <memberType name="OrganizationalUnit" />
        </readMemberType>
        <createMemberType>
          <memberType name="Person" />
          <memberType name="Group" />
          <memberType name="Organization" />
          <memberType name="OrganizationalUnit" />
        </createMemberType>
        <updateMemberType>
          <memberType name="Person" />
          <memberType name="Group" />
          <memberType name="Organization" />
          <memberType name="OrganizationalUnit" />
        </updateMemberType>
        <deleteMemberType>
          <memberType name="Person" />
          <memberType name="Group" />
          <memberType name="Organization" />
          <memberType name="OrganizationalUnit" />
        </deleteMemberType>
        <renameMemberType>
          <memberType name="Person" />
          <memberType name="Group" />
          <memberType name="Organization" />
          <memberType name="OrganizationalUnit" />
        </renameMemberType>
        <moveMemberType>
          <memberType name="Person" />
          <memberType name="Group" />
          <memberType name="Organization" />
          <memberType name="OrganizationalUnit" />
        </moveMemberType>
        <nodeMaps>
          <nodeMap node="o=Default Organization" pluginNode="o=Default Organization" />
        </nodeMaps>
      </databaseRepository>

      Use the following table to make adjustments depending on the type of database you are using:

      databaseType   dataAccessManagerClassName
      db2            com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao
      oracle         com.ibm.ws.wmm.db.dao.oracle.WMMOracleDao
      sqlserver      com.ibm.ws.wmm.db.dao.sqlserver.WMMSQLServerDao

    3. Search for the <supportedMemberType name="Group" tag. Ensure the tag looks as follows:

      <supportedMemberType name="Group"
        rdnAttrTypes="cn"
        defaultParentMember="o=Default Organization"
        defaultProfileRepository="DB2"/>

    4. Search for the <ldapRepository tag and add ;DB2 to the profileRepositoryForGroups parameter. The tag may look as follows:

      <ldapRepository name="wmmLDAP"
        UUID="LDAP1"
        adapterClassName="com.ibm.ws.wmm.ldap.ibmdir.IBMDirectoryAdapterImpl"
        supportDynamicAttributes="false"
        configurationFile="wmmLDAPServerAttributes.xml"
        wmmGenerateExtId="false"
        supportGetPersonByAccountName="true"
        profileRepositoryForGroups="LDAP1;DB2"
      ...

  2. Perform the following steps only if you are using the multiple realms configuration (WMMUR): Open the portal_server_root/wmm/wmmur.xml file and make the following changes.

    1. For all realms where the created groups should be stored in the WMMDB, set the following: <node wmmnode="o=Default Organization" defaultParent="Group" />

    2. Add the following additional wmmNode to the realms that will contain the application groups: <node wmmnode="o=Default Organization" />.

  3. Restart the portal server.
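As an added pre-restart check (not part of this topic and not code from the WebSphere Portal Express product), the following Python script parses a wmm.xml and verifies the edits from step 1: horizontalPartitioning is enabled, both repositories are present, dataAccessManagerClassName matches databaseType per the table, the Group member type defaults to the databaseRepository UUID, and that UUID appears in the LDAP repository's profileRepositoryForGroups. It also flags a dbEncryptionKey still equal to the literal shown in step 2; treating that literal as a placeholder is an assumption of this example, not a requirement stated in the topic, and the sample document is constructed with an assumed <wmm> root element name.

```python
import xml.etree.ElementTree as ET

# databaseType -> dataAccessManagerClassName, from the table in this topic.
DAO_BY_DATABASE_TYPE = {
    "db2": "com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao",
    "oracle": "com.ibm.ws.wmm.db.dao.oracle.WMMOracleDao",
    "sqlserver": "com.ibm.ws.wmm.db.dao.sqlserver.WMMSQLServerDao",
}
# Key literal printed in step 2 of this topic; assumed to be a placeholder, not a site key.
DOCUMENTED_SAMPLE_KEY = "rZ15ws0ely9yHk3zCs3sTMv/ho8fY17s"

def check_application_groups(wmm_xml):
    """Return the problems found in a wmm.xml document (empty list means OK)."""
    root = ET.fromstring(wmm_xml)
    problems = []
    if not any(e.get("horizontalPartitioning") == "true" for e in root.iter()):
        problems.append('horizontalPartitioning="true" is not set')
    fed_repos = list(root.iter("federationRepository"))
    db_repos = list(root.iter("databaseRepository"))
    if not fed_repos or not db_repos:
        problems.append("missing <federationRepository> or <databaseRepository>")
    db_uuids = {r.get("UUID") for r in db_repos}
    for r in fed_repos + db_repos:
        expected = DAO_BY_DATABASE_TYPE.get((r.get("databaseType") or "").lower())
        if r.get("dataAccessManagerClassName") != expected:
            problems.append("%s: dataAccessManagerClassName does not match databaseType" % r.get("name"))
        if r.get("dbEncryptionKey") == DOCUMENTED_SAMPLE_KEY:
            problems.append("%s: dbEncryptionKey is the sample value from the documentation" % r.get("name"))
    for smt in root.iter("supportedMemberType"):  # step 3: groups default to the DB repository
        if smt.get("name") == "Group" and smt.get("defaultProfileRepository") not in db_uuids:
            problems.append("supportedMemberType Group: defaultProfileRepository is not a databaseRepository UUID")
    for ldap in root.iter("ldapRepository"):  # step 4: LDAP lists the DB repository for groups
        listed = set((ldap.get("profileRepositoryForGroups") or "").split(";"))
        if not db_uuids & listed:
            problems.append("%s: profileRepositoryForGroups lacks the databaseRepository UUID" % ldap.get("name"))
    return problems

# Constructed minimal wmm.xml following this topic's steps (not a real file; root element name assumed).
SAMPLE_WMM_XML = """<wmm horizontalPartitioning="true">
  <repositories>
    <federationRepository name="wmmDBFederation" UUID="DB1" databaseType="DB2"
      dataAccessManagerClassName="com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao"/>
    <databaseRepository name="wmmDB" UUID="DB2" databaseType="DB2"
      dataAccessManagerClassName="com.ibm.ws.wmm.db.dao.db2.WMMDB2Dao"
      dbEncryptionKey="rZ15ws0ely9yHk3zCs3sTMv/ho8fY17s"/>
    <ldapRepository name="wmmLDAP" UUID="LDAP1" profileRepositoryForGroups="LDAP1;DB2"/>
  </repositories>
  <supportedMemberType name="Group" rdnAttrTypes="cn" defaultProfileRepository="DB2"/>
</wmm>"""
```

Running check_application_groups on the contents of your edited wmm.xml before step 3 reports each mismatch by repository name; an empty list means the four edits are consistent with each other.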

 
