Assign users and groups to roles

This topic assumes that all the roles are already created in your application. Also make sure that the user registry you intend to use is the current (active) user registry. It is preferable to have security enabled with the user registry of your choice before you begin this process. If you have changed anything in the security configuration (for example, enabled security or changed the user registry), save the configuration and restart the server; the changes do not take effect until you do.

Because the default active registry is LocalOS, it is not necessary (though it is recommended) to enable security if you want to use the LocalOS registry as the registry from which to assign users and groups to roles; in this case you can enable security after the users and groups are assigned. The advantage of enabling security with the appropriate registry before proceeding with this task is that you can make sure you have a valid security setup (which includes checking the user registry configuration) and avoid problems with using the registry.

These steps are common to both installing an application and modifying an existing application. If the application contains roles, you see the Map security roles to users/groups link during application installation (as one of the steps) and also during application management.

To assign users and groups to security roles, perform these steps in the administrative console:

  1. During the application installation process, click Map security roles to users/groups. All roles that belong to the application are listed. If the roles are already assigned to users or special subjects (such as All Authenticated and Everyone), they are listed here.

  2. To assign the special subjects, select Everyone or All Authenticated for the appropriate roles.

  3. To assign users or groups, select the role (multiple roles can be selected at the same time if the same users or groups are assigned to all the roles), and click Lookup Users or Lookup groups.

  4. Get the appropriate users and groups from the registry by filling in the limit (number of items) and the Search String fields and then clicking Search.

    The limit field limits the number of users or groups that are obtained from the registry and displayed. The search string is a pattern that matches one or more users or groups. For example, user* lists users such as user1 and user2. A pattern of * matches all users or groups. Use the limit and the search string cautiously so as not to overwhelm the registry. With large registries (such as LDAP) that hold information about thousands of users and groups, a search that returns a large number of users or groups can make the system very slow, and the system may even fail.

    A message appears at the top of the panel when a search results in more entries than you requested. You can refine your search (limit or the search pattern) until you have the required list.

  5. From the Available box, select the users and groups that should be assigned to the role, and click >> to add them to the role.

  6. To remove existing users or groups, select them from the Selected box, and click << to remove them. Take care when removing users or groups from a role that is also used as a RunAs role: the user assigned to a RunAs role must also be defined in another role, either directly or indirectly (through a group). For more information on the validation checks that are performed between mapping RunAs roles and mapping users and groups to roles, see Map users to RunAs roles.

  7. Click OK.

    If there are any validation problems between the role assignments and the RunAs role assignments, the changes are not committed and an error message appears. In that case, make sure that the user in the RunAs role is also a member of the regular role. If the regular role contains a group that includes the RunAs user, make sure that the group is assigned to the role through the administrative console and that the complete name or distinguished name of the group is used; the Application Assembly Tool and other manual processes do not define the complete group name.

The user and group assignments are written to the binding file in the application. The binding file is later used for authorization decisions.
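The registry search of step 4, the RunAs validation of steps 6 and 7, and the authorization decision the binding file supports, modelled as an added Python example. This is not WebSphere code and does not reproduce its binding-file format or its wsadmin API; the registry contents, the distinguished group names, the role names and the function names are all constructed for illustration. It also shows why the complete group name matters: a binding that records a short group name resolves to no members, so the RunAs check fails.

```python
# Added example (not from the original topic): a small model of role-to-subject
# mapping, registry lookup with a limit, and the RunAs validation the console
# performs. All names and registry contents below are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

EVERYONE = "Everyone"
ALL_AUTHENTICATED = "AllAuthenticated"

# Constructed sample registry. Groups are keyed by their complete
# (distinguished) name, as an LDAP registry would report them.
REGISTRY_USERS = {"user1", "user2", "user3", "admin1"}
REGISTRY_GROUPS = {
    "cn=managers,o=example": {"user1", "admin1"},
    "cn=staff,o=example": {"user2", "user3"},
}


def search_registry(names, pattern, limit):
    """Step 4: return up to `limit` entries matching a wildcard pattern such as
    'user*', plus a flag that is True when more matches exist than requested
    (the case in which the console shows its 'more entries' message)."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    matches = sorted(n for n in names if fnmatchcase(n, pattern))
    return matches[:limit], len(matches) > limit


@dataclass
class RoleBinding:
    """What the binding records for one security role."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)           # complete group names
    special_subjects: set = field(default_factory=set)  # EVERYONE / ALL_AUTHENTICATED


def is_member(binding, registry_groups, user):
    """Direct assignment, or membership in an assigned group. A group name that is
    not the complete name known to the registry resolves to no members."""
    if user in binding.users:
        return True
    return any(user in registry_groups.get(g, set()) for g in binding.groups)


def is_user_in_role(bindings, registry_groups, role, user, authenticated=True):
    """Authorization decision taken from the binding: special subjects first,
    then direct users and group membership."""
    binding = bindings.get(role)
    if binding is None:
        return False
    if EVERYONE in binding.special_subjects:
        return True
    if authenticated and ALL_AUTHENTICATED in binding.special_subjects:
        return True
    return is_member(binding, registry_groups, user)


def validate_runas(bindings, registry_groups, runas):
    """Steps 6 and 7: the user assigned to a RunAs role must also be defined in
    another role, directly or through a group (special subjects do not count).
    Returns a list of error messages; empty means the mapping can be committed."""
    errors = []
    for runas_role, user in runas.items():
        covered = any(is_member(b, registry_groups, user)
                      for r, b in bindings.items() if r != runas_role)
        if not covered:
            errors.append(f"RunAs user {user!r} for role {runas_role!r} "
                          "is not a member of any other role")
    return errors


def sample_bindings(manager_group):
    """Constructed mapping; `manager_group` lets the caller pass either the
    complete group name or a short name to see the difference."""
    return {
        "Manager": RoleBinding(groups={manager_group}),
        "Employee": RoleBinding(special_subjects={ALL_AUTHENTICATED}),
        "Public": RoleBinding(special_subjects={EVERYONE}),
        "Batch": RoleBinding(users={"admin1"}),
    }


if __name__ == "__main__":
    found, truncated = search_registry(REGISTRY_USERS, "user*", 2)
    print("search user* limit 2:", found, "more available:", truncated)
    good = sample_bindings("cn=managers,o=example")
    bad = sample_bindings("managers")   # short name, as a manual tool might write it
    print("complete group name:", validate_runas(good, REGISTRY_GROUPS, {"Batch": "admin1"}))
    print("short group name:   ", validate_runas(bad, REGISTRY_GROUPS, {"Batch": "admin1"}))
```

Run as a script, the example shows the truncated search result and then the same RunAs mapping passing with the distinguished group name and failing with the short one.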