Access Control Data Management Service
The Access Control Data Management Service contains the configuration properties for Portal Access Control. The domain short names have to correspond to the domain names defined for the portal Data Store Service. In the WAS console, the portal Access Control Data Management Service is listed as...
WP AccessControlDataManagementService
The following set of properties is mandatory for each database domain containing resources that need to be protected by Portal Access Control:
- accessControlDataManagement.domain.domain_short_name.adminuser = full distinguished name of the administrative user for this domain
- Define the administrative user. Specify a full distinguished name that corresponds to a valid entry in the associated user repository. This property is mandatory.
- accessControlDataManagement.domain.domain_short_name.admingroup = full distinguished name of the administrative group for this domain
- Define the administrative group. Specify a full distinguished name that corresponds to a valid entry in the associated user repository. This property is mandatory.
- accessControlDataManagement.domain.domain_short_name.virtualresource = name of the virtual root resource of this domain
- Virtual root resource. The value is the name of a virtual resource that actually exists in the domain and represents the root of the protected resource hierarchy in this domain. This property is meant for internal use only; do not change its value.
The administrative user and group are granted administrator roles on the full hierarchy of protected resources starting from the virtual root resource of the domain defined with the third setting. These roles are granted in addition to the portal roles of the user or group and therefore not displayed in the Access Control portlets. A valid set of values to these properties could for example look like the following:
accessControlDataManagement.domain.rel.adminuser=uid=Bob,o=Your Company accessControlDataManagement.domain.rel.admingroup=cn=Admins,o=Your Company accessControlDataManagement.domain.rel.virtualresource=PORTAL
accessControlDataManagement.domain.cust.adminuser=uid=Bob,o=Your Company accessControlDataManagement.domain.cust.admingroup=cn=Admins,o=Your Company accessControlDataManagement.domain.cust.virtualresource=PORTAL
accessControlDataManagement.domain.comm.adminuser=uid=Bob,o=Your Company accessControlDataManagement.domain.comm.admingroup=cn=Admins,o=Your Company accessControlDataManagement.domain.comm.virtualresource=PORTAL
accessControlDataManagement.domain.jcr.adminuser=uid=Bob,o=Your Company accessControlDataManagement.domain.jcr.admingroup=cn=Admins,o=Your Company accessControlDataManagement.domain.jcr.virtualresource=PORTALThe following additional properties of the Access Control Data Management Service are optional:
- accessControlDataManagement.enableNestedGroups = (true)
- Determine whether the group membership of groups is exploited at all by the Portal Access Control component. Supported values are: true and false. Default is true.
- accessControlDataManagement.enableTargetResourceGroupInheritance = (false)
- Determine whether the group membership of groups is exploited by the Portal Access Control component for permission enforcement on users or groups. If we specify false, we can only get permissions on user groups via roles on the groups and on users via roles on the direct groups of which the user is a member. Supported values are: true and false. The default is false.
- accessControlDataManagement.reorderRoleNames = (false)
- Determine whether the role name contains the unique name or the title of the resource on which the role was created. Set true when we use an external authorization provider, such as IBM Security Access Manager, as this makes it easier to find the role names. Supported values are: true and false. The default is false.
- accessControlDataManagement.externalizeAllRoles = (false)
- This property is only applicable for externalization of resources through the user interface. the default value is false. If false, and a resource is externalized, then the following things happen:
- The resource and all descendants of this resource that are not private and not externalized so far are externalized.
- The roles and role mappings that exist on all resources that were identified in the previous step 1 are written into the external security manager object space.
- For the root resource that was chosen to be externalized, a role mapping for the Administrator role for the executing user is created in the external security manager object space.
If true, then in addition to the previous three steps, roles are created in the external security manager object space for all action sets for the root resource that have not already been created in steps 2 and 3.
- accessControlDataManagement.createAdminMappingxmlaccess = (true)
- This property is only applicable for externalization of resources through the XML Configuration Interface. If the property is set to false and a resource is externalized the following happens:
- The resource will be externalized.
- The roles and role mappings on the resource are written into the external security manager object space.
If true, then in addition to the two previous steps, a role mapping for the Administrator role is created for the executing user in the external security manager object space.
Connect to the user repository during startup
The portal to wait and retry connecting to the underlying user repository, and if it is not available during portal startup, change the following two properties. This might be necessary in scenarios where the user repository is only available in a certain time frame after the initialization of the portal startup. As the domain administrative users and groups have to be resolved, the portal cannot start without connecting to the user repository.
The service startup performs the specified number of attempts to connect to the user repository, each time waiting for the specified time interval before starting the next attempt. If none of the attempts is successful, the service startup quits with an exception.
- accessControlDataManagement.ldapFailoverNumberOfAttempts = ( 1 )
- Specify how many times the service startup attempts to connect to the user repository. The default is 1 (once).
- accessControlDataManagement.ldapFailoverInterval = ( 60 )
- Specify how long the service startup waits until it retries to connect to the user repository. This value is specified in seconds. The default is 60 seconds.