Rule-based user groups
Rule-based user groups for IBM WebSphere Portal define dynamic portal user groups. Rule-based user groups are implemented as a custom repository adapter for VMM, and are represented by...
- Unique group name
- Search filter rule expression
- Optional description
The portal handles them as normal portal user groups. They are in a special base distinguished name in the user realm hierarchy. Administrators can create, define, update, or delete them like other groups that use the VMM API in WAS or the PUMA in Portal. We can use these soft groups the same way as other portal user groups for assigning security role mappings, portal access permissions, or visibility rules. The rule-based user groups feature handles the correct membership determination for the users during run time. These groups are persisted in the portal database, not in the main portal user repository. You do not need to enter them into the LDAP.
What we can do with rule-based user groups...
- Define a rule-based user group including the syntax validation of the rule.
- Modify the rule or description of an existing rule-based user group, including the syntax validation of the rule.
- Search for rule-based user groups based on the group name.
- Resolve the rule-based user group membership for particular users during run time.
- Display the members of a particular rule-based user group.
- Delete an existing rule-based user group.
Rule-based user groups can contain only individual users, not groups. After defining a rule-based user group, we cannot change its unique group name.
Database setup - Rule-based user groups
The rule-based user groups feature stores the definitions of the rule-based user groups in a database table, including the name, rule, and description of the group. Before setting up rule-based user groups, use one of the following SQL statements to create the table.
DB2, Derby, and Cloudscape
CREATE TABLE Softgroups (
    ID INT NOT NULL GENERATED ALWAYS AS IDENTITY,
    GROUPNAME VARCHAR(128) NOT NULL,
    RULE VARCHAR(128) NOT NULL,
    DESCRIPTION VARCHAR(512),
    LASTMODIFIED TIMESTAMP,
    PRIMARY KEY (ID),
    UNIQUE (GROUPNAME)
);
SQL Server 2005
CREATE TABLE Softgroups (
    ID INT NOT NULL IDENTITY PRIMARY KEY,
    GROUPNAME VARCHAR(128) NOT NULL UNIQUE,
    RULE VARCHAR(128) NOT NULL,
    DESCRIPTION VARCHAR(512),
    LASTMODIFIED DATETIME
);
Oracle
CREATE TABLE softgroups (
    id INT,
    groupname VARCHAR(128) NOT NULL,
    rule VARCHAR(128) NOT NULL,
    description VARCHAR(512),
    lastmodified TIMESTAMP,
    PRIMARY KEY (id),
    UNIQUE (groupname)
);
CREATE SEQUENCE softgroups_seq;
CREATE TRIGGER softgroups_seq_trigger
BEFORE INSERT ON softgroups
FOR EACH ROW
BEGIN
    IF (:new.id IS NULL) THEN
        SELECT softgroups_seq.nextval INTO :new.id FROM dual;
    END IF;
END;
/
Oracle does not support an auto-increment or identity feature directly as part of the ID column definition, so create a sequence and a trigger instead. For easy submission of the statement, make sure to add the final slash character (/). We can submit the statement by pressing the Enter key.
Database source configuration - Rule-based user groups
The rule-based user groups adapter uses a Java data source to communicate with the database that holds the table for the rule-based groups.
Define a data source that references the JDBC driver and points to the database containing the groups table.
Create the data source and, if you have a portal cluster environment, map it to the cluster scope.
Before you continue with the next configuration step, run the Test connection operation in the WAS admin and verify success. Configure the rule-based user groups adapter later with the JNDI name of the data source.
Configure the VMM rule-based groups repository
To enable the VMM rule-based groups repository adapter, modify several VMM configuration files. In a cluster, we can change the configuration files directly on the dmgr and then synchronize the changes to all cluster nodes.
Configure the VMM repository and realm for rule-based user groups
Modify wimconfig.xml to configure the VMM repository and realm.
- Edit...
PORTAL_HOME/config/cell_name/wim/config/wimconfig.xml
...and below the line...
config:configurationProvider
...insert...
<config:repositories adapterClassName="com.ibm.ws.wim.adapter.softgroups.SoftgroupsAdapter"
                     id="Softgroups" isExtIdUnique="true" supportExternalName="false"
                     supportPaging="false" supportSorting="false" supportTransactions="false">
    <config:baseEntries name="o=softgroups" nameInRepository="o=softgroups"/>
    <config:CustomProperties name="dataSource" value="testDatasource"/>
    <config:CustomProperties name="dbSchema" value="test"/>
    <config:CustomProperties name="dbType" value="yourType"/>
</config:repositories>
- Specify the following attributes:
dataSource: The attribute must point to the correct JNDI name of the previously configured data source for the rule-based groups database.
dbSchema: The attribute must declare the database schema that holds the rule-based groups table.
dbType: If the database server type is SQLServer, declare the attribute dbType with the value SQLServer. For all other database server types, we can omit the value.
Base entry specification: We can set the base entry specification, which defines the base distinguished name and suffix for rule-based groups, to a different value.
name: The name and the nameInRepository must be the same.
- Add the same base entry to all the user realms to which rule-based groups are to be added. You must add it at least to the default realm.
<config:realmConfiguration defaultRealm="defaultWIMFileBasedRealm">
    <config:realms delimiter="/" name="defaultWIMFileBasedRealm" securityUse="active">
        <config:participatingBaseEntries name="o=defaultWIMFileBasedRealm"/>
        <config:participatingBaseEntries name="o=softgroups"/>
        <config:uniqueUserIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>
        <config:userSecurityNameMapping propertyForInput="principalName" propertyForOutput="principalName"/>
        <config:userDisplayNameMapping propertyForInput="principalName" propertyForOutput="principalName"/>
        <config:uniqueGroupIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>
        <config:groupSecurityNameMapping propertyForInput="cn" propertyForOutput="cn"/>
        <config:groupDisplayNameMapping propertyForInput="cn" propertyForOutput="cn"/>
    </config:realms>
</config:realmConfiguration>
- For all other repositories defined in the file wimconfig.xml that contain users who are to be members of rule-based groups, add the rule-based groups repository as a <config:repositoriesForGroups> element.
...
<config:baseEntries name="o=defaultWIMFileBasedRealm"/>
<config:repositoriesForGroups>InternalFileRepository</config:repositoriesForGroups>
<config:repositoriesForGroups>Softgroups</config:repositoriesForGroups>
...
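The wimconfig.xml steps above have three easy-to-miss omissions: a base entry whose name and nameInRepository differ, a realm that does not list the softgroups base entry, and a user repository that does not reference the Softgroups repository in repositoriesForGroups. As an added example (not code from the page or the product), this Python check parses a wimconfig.xml and reports those omissions; the fragment it runs against is constructed with both realm and repository omissions present, and the config namespace URI in it is an assumption, which is why elements are matched by local name only.

```python
import xml.etree.ElementTree as ET
# Constructed wimconfig.xml fragment (not a real portal file); namespace URI is assumed.
SAMPLE_WIMCONFIG = """<sdo:datagraph xmlns:sdo="commonj.sdo" xmlns:config="http://www.ibm.com/websphere/wim/config">
 <config:configurationProvider>
  <config:repositories id="Softgroups" adapterClassName="com.ibm.ws.wim.adapter.softgroups.SoftgroupsAdapter">
   <config:baseEntries name="o=softgroups" nameInRepository="o=softgroups"/>
   <config:CustomProperties name="dataSource" value="jdbc/softgroups"/>
   <config:CustomProperties name="dbSchema" value="test"/>
  </config:repositories>
  <config:repositories id="InternalFileRepository">
   <config:repositoriesForGroups>InternalFileRepository</config:repositoriesForGroups>
  </config:repositories>
  <config:realmConfiguration defaultRealm="defaultWIMFileBasedRealm">
   <config:realms name="defaultWIMFileBasedRealm" delimiter="/">
    <config:participatingBaseEntries name="o=defaultWIMFileBasedRealm"/>
   </config:realms>
  </config:realmConfiguration>
 </config:configurationProvider>
</sdo:datagraph>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace URI from an element tag

def check_softgroups_config(xml_text, repo_id="Softgroups"):
    """Return the list of setup problems found for the rule-based groups repository."""
    root = ET.fromstring(xml_text)
    repos = [e for e in root.iter() if local(e.tag) == "repositories"]
    soft = next((r for r in repos if r.get("id") == repo_id), None)
    if soft is None:
        return [f"no repositories element with id={repo_id}"]
    problems = []
    props = {c.get("name"): c.get("value") for c in soft if local(c.tag) == "CustomProperties"}
    for key in ("dataSource", "dbSchema"):  # dbType is only required for SQLServer
        if not props.get(key):
            problems.append(f"{key} custom property missing")
    bases = [b for b in soft if local(b.tag) == "baseEntries"]
    for b in bases:  # name and nameInRepository must be identical
        if b.get("name") != b.get("nameInRepository"):
            problems.append(f"baseEntries name/nameInRepository differ: {b.get('name')}")
    base_names = {b.get("name") for b in bases}
    for realm in (e for e in root.iter() if local(e.tag) == "realms"):
        names = {p.get("name") for p in realm if local(p.tag) == "participatingBaseEntries"}
        if not base_names & names:
            problems.append(f"realm {realm.get('name')} lacks a softgroups participatingBaseEntries")
    for r in repos:  # repositories holding users must reference the softgroups repository for groups
        groups = {g.text.strip() for g in r if local(g.tag) == "repositoriesForGroups" and g.text}
        if r is not soft and repo_id not in groups:
            problems.append(f"repository {r.get('id')} lacks repositoriesForGroups {repo_id}")
    return problems
```

Run it against the real file with `check_softgroups_config(open(path).read())`; an empty list means the repository, realm and repositoriesForGroups entries are consistent.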
Configure the rule attribute for the Group
In addition to the repository configuration, define the rule attribute as a new attribute for the entity type Group.
- Edit the file wimxmlextension.xml in the directory PORTAL_HOME/config/cell_name/wim/model/. If the file does not exist yet, create it.
- Add the following attribute definitions:
<?xml version="1.0" encoding="UTF-8"?>
<sdo:datagraph xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:sdo="commonj.sdo"
               xmlns:wim="http://www.ibm.com/websphere/wim">
    <wim:schema>
        ...
        <wim:propertySchema nsURI="http://www.ibm.com/websphere/wim" dataType="String"
                            multiValued="false" propertyName="rule">
            <wim:applicableEntityTypeNames>Group</wim:applicableEntityTypeNames>
        </wim:propertySchema>
        ...
    </wim:schema>
</sdo:datagraph>
- Restart the portal server for the VMM configuration changes to become effective. In a portal cluster environment, synchronize the changes and restart the complete cluster, including dmgr and node agents.
Parent: Users and groups
Related:
- Configure a data source using the administrative console
- WAS information center - http://www-01.ibm.com/software/webservers/appserv/was/library/v61/
- Add attributes on Windows