Assign users to RunAs roles

This topic assumes that all the RunAs roles are already created in your application. Because a user can be assigned to a RunAs role only if that user (or a group to which the user belongs) is already mapped to the same security role, complete the task of assigning users and groups to security roles before this one. The user registry requirements are also the same as for that task.

As mentioned above, you can add a user to a RunAs role only if that user (or a group that the user belongs to) is already a member of that role. The administrative console enforces this check when you click Apply or OK. If the check fails, the change is not made and an error message is displayed at the top of the panel.

If the special subject Everyone or All Authenticated is assigned to a role, no membership check takes place for that role; the RunAs user is still authenticated against the registry as described in step 3 below.

The check runs every time you click Apply in this panel or OK in the Map security roles to users/groups panel, and it also verifies that every user you mapped to a RunAs role exists in the user registry. If a RunAs role is mapped to both a user and a group to which that user belongs, you can remove either the user or the group (but not both) from the Map security roles to users/groups panel, because the RunAs user must remain a member of the role through one of them.

Also, note that if you want to assign a user to a RunAs role and that user qualifies through group membership, make the assignment in the administrative console rather than in the Application Assembly Tool or another process. The administrative console records the group by its full (distinguished) name, and the list of groups obtained from the registry is also in full-name format, so the two compare correctly. The Application Assembly Tool and other processes record only the short name of the group (for example, group1 instead of CN=group1, o=myCompany.com), which does not match the full name returned by the registry, so the verification check fails.

To map users to RunAs roles, perform these steps in the administrative console while you are installing your application:

  1. Click Map RunAs roles to users. The RunAs roles that belong to this application are listed. If users were assigned to the roles during assembly, the mappings are listed.

  2. To assign a user, select the role (you can select several roles at once if the same user is to be assigned to all of them), then enter the user's name and password in the User Name and Password fields. You can enter either the short name (preferred) or the full name; the full name of a user is what is shown when you select users and groups from the registry. Click Apply.

  3. The user is authenticated with the active user registry. If authentication is successful, the administrative application checks that this user (or a group to which the user belongs) is mapped to the appropriate role (which is listed in the administrative console panel). If authentication fails, make sure that the user name and password are correct and that the active registry configuration is correct.

  4. To remove a user from a RunAs role, select the role and click Remove.
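The membership check described above, together with the Apply step of this procedure, as an added example in Python that is not from the original page or from WebSphere itself. It models the rules the text states: the RunAs user is authenticated first; a special subject on the role bypasses the membership check; otherwise the user must already be mapped to the role directly or through a group, where groups are compared by full distinguished name, so a short name recorded by an assembly tool never matches. The registry contents, passwords, role names and group DNs are constructed for illustration.

```python
"""Model of the RunAs membership check performed by the administrative console.

Added example, not code from the original page or from WebSphere. The registry,
role map, passwords and DNs below are constructed; the real check runs inside the
administrative console against the active user registry.
"""

# Special subjects: if either is mapped to a role, no membership check is
# performed for that role (authentication still happens).
EVERYONE = "Everyone"
ALL_AUTHENTICATED = "All Authenticated"

# Constructed user registry: user name -> (password, set of group DNs).
# Group names are in full (distinguished-name) form, as the registry returns them.
REGISTRY = {
    "alice": ("alice-pw", {"CN=group1,o=myCompany.com"}),
    "bob": ("bob-pw", {"CN=group2,o=myCompany.com"}),
}

# Constructed role-to-subject mapping, i.e. the contents of the
# "Map security roles to users/groups" panel for this application.
ROLE_MAP = {
    # Mapped via the console: the group is stored by full DN.
    "Manager": {"users": set(), "groups": {"CN=group1,o=myCompany.com"}, "special": set()},
    # Mapped directly to a user.
    "Payroll": {"users": {"bob"}, "groups": set(), "special": set()},
    # Mapped by an assembly tool, which recorded only the short group name.
    "Auditor": {"users": set(), "groups": {"group1"}, "special": set()},
    # Special subject mapped: the membership check is skipped.
    "Guest": {"users": set(), "groups": set(), "special": {EVERYONE}},
}


def authenticate(registry, user, password):
    """Step 3: authenticate the RunAs user against the active registry."""
    entry = registry.get(user)
    return entry is not None and entry[0] == password


def check_runas_mapping(registry, role_map, role, user, password):
    """Return (ok, reason) for mapping `user` to RunAs role `role`.

    Authenticate first, then require that the user or one of the user's groups
    (compared by full DN) is already a member of the role, unless a special
    subject is mapped to that role.
    """
    if role not in role_map:
        return False, "unknown role %s" % role
    if not authenticate(registry, user, password):
        return False, "authentication failed for %s" % user
    entry = role_map[role]
    if entry["special"] & {EVERYONE, ALL_AUTHENTICATED}:
        return True, "special subject mapped to %s; membership check skipped" % role
    if user in entry["users"]:
        return True, "%s is mapped directly to %s" % (user, role)
    user_groups = registry[user][1]
    # Exact comparison on the full DN: a short name such as "group1" never
    # matches "CN=group1,o=myCompany.com", which is the failure the text warns about.
    matched = user_groups & entry["groups"]
    if matched:
        return True, "%s is mapped to %s via group %s" % (user, role, sorted(matched)[0])
    return False, "%s (and its groups) not mapped to %s" % (user, role)


def apply_runas_mappings(registry, role_map, roles, user, password):
    """Step 2: one user applied to several selected roles at once.

    Returns the accepted {role: user} mappings and a list of (role, reason)
    errors for the roles the check rejected.
    """
    accepted, errors = {}, []
    for role in roles:
        ok, reason = check_runas_mapping(registry, role_map, role, user, password)
        if ok:
            accepted[role] = user
        else:
            errors.append((role, reason))
    return accepted, errors


if __name__ == "__main__":
    accepted, errors = apply_runas_mappings(
        REGISTRY, ROLE_MAP, ["Manager", "Auditor", "Guest", "Payroll"], "alice", "alice-pw")
    print("accepted:", accepted)
    for role, reason in errors:
        print("rejected %s: %s" % (role, reason))
```

Running the block shows alice accepted for Manager (group matched by full DN) and Guest (special subject), and rejected for Auditor (short group name recorded by the assembly tool) and Payroll (neither alice nor her group is mapped to it), which is the mix of outcomes the paragraphs above describe.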

The RunAs user name and password that you entered are stored in the application's binding file, which is used for delegation when J2EE resources are accessed. Because the binding file carries these credentials, treat the deployed application files as sensitive.