Assign users to administrative roles
WebSphere Application Server extended J2EE security role based access control to protect the WebSphere Application Server administrative subsystem. Four administrative roles have been defined to provide degrees of authority needed to perform certain WebSphere Application Server administrative functions from either the Web-based administrative console or the system management scripting interface. The authorization policy is only enforced when global security is enabled. The four administrative security roles are defined in the following table:
Role Description monitor The least privileged role which basically allows a user to view the WebSphere Application Server configuration and current state. configuration This role has monitor privilege plus the ability to change the WebSphere Application Server configuration. operator This role has monitor privilege plus the ability to change runtime state, such as starting or stopping services for example. administrator This role has operator and configuration privilege and the permission that is required to access sensitive data including server password, LTPA password and keys, and so on. When WebSphere Application Server global security is enabled, the administrative subsystem role-based access control is enforced. The administrative subsystem includes Security Server, UserRegistry, and all JMX MBeans. When security is enabled, both the Web-based administrative console and the administrative scripting tool requires users to provide the required authentication data. Moreover, the administrative console is designed so that the control functions that are displayed on the pages are adjusted according to the security roles a user has. For example, a user who has only the monitor role can only see non-sensitive configuration data. A user with the operator role can access buttons to change the system state.
The server identity specified when you enable global security is automatically mapped to the administrative role. Users and groups can be added to or removed from the administrative roles from the WebSphere Application Server Web-based administrative console at any time. However, a server restart is required for the changes to take effect. A best practice is to map a group, rather than specific users, to administrative roles because it is more flexible and easier to administer in the long run. By mapping a group to an administrative role, adding users to or removing users from the group occurs outside of WebSphere Application Server and does not require a server restart for the change to take effect.
In addition to mapping user or groups, a special subject can also be mapped to the administrative roles. A special subject is a generalization of a particular class of users. The AllAuthenticated special subject means that the access check of the administrative role ensures that the user who makes the request has at least been authenticated. The Everyone special subject means that anyone, authenticated or not, can perform the action, as if no security were enabled.
When global security is enabled, WebSphere Application Server servers run under the server identity which is defined under the active user registry configuration. Although it is not shown on administrative console and other tools, a special Server subject is mapped to the administrator role. This is why the WebSphere Application Server server runtime code, which runs under the server identity, would have the required authorization to execute runtime operations. If no other user has been assigned administrative roles, one can login to administrative console or to wsadmin scripting using server identity to perform administrative operations and to assign other users or groups to administrative roles. Because the server identity is assigned to the administrative role by default, the administrative security policy requires administrative role to perform the following operations:
- Change server ID and server password
- Enable or disable WebSphere Application Server global security
- Enforce or disable Java 2 Security
- Change LTPA password or generate keys
- Assign users and groups to administrative roles
When enabling security for the first time, you may perform the following steps to assign one or more users and groups to administrative roles. When global security is enabled, the following steps can be performed by users who have the administrative role. Before performing the following steps, one must configure the active user registry because user and group validation in the following steps depends on active user registry.
To assign users to administrative roles, perform these steps in the WebSphere administrative console:
In the administrative console, expand System Administration, and click either Console Users or Console Groups.
Perform the necessary tasks:
To add a user or a group, click Add.
To add a new administrative user, enter a user identity to the user text box and highlight one administrative role, and then click OK. If there is no validation error, the specified user is displayed with the assigned security role. To add a new administrative group, either enter a group name or select either EVERYONE or ALLAUTHENTICATED special subject, and then click OK. If there is no validation button, the specified group or special subject is displayed with the assigned security role.
To remove a user or group assignment, click the remove button on the Console Users or Console Groups panel. On the users or groups panel, click the check box of the user or group to be removed and then click OK.
To manage the set of users or groups to be displayed, expand the filter folder on the right side panel, and modify the filter text box. For example, setting the filter to user* allows only users with the user prefix to be displayed.
After modifications have been made, click Save.
Stop and restart your servers for the changes to take effect. After the server is restarted, all administrative resources are protected. Because the administrative security configuration is at the cell level, restart all servers.