Before you begin
Before you perform this task:
- Secure the Web applications and EJB applications where new roles were
created and assigned to Web and Enterprise JavaBeans (EJB) resources.
- Create all the roles in your application.
- Verify that you have properly configured the user registry that contains
the users that you want to assign. It is preferable to have security turned
on with the user registry of your choice before beginning this process.
- Make sure that if you change anything in the security configuration (for
example, enable security or change the user registry) you save the configuration
and restart the server before the changes become effective.
Because the default active user registry is Local OS, you do not have to enable
security before assigning users and groups to roles from the Local OS registry,
although it is recommended. In this case you can enable security after the users
and groups are assigned. The advantage of enabling security with the appropriate
registry before proceeding with this task is that you can validate the security
setup (which includes checking the user registry configuration) and avoid any
problems using the registry.
Why and when to perform this task
These steps are common for both installing an application and modifying
an existing application. If the application contains roles, you see the Map
security roles to users/groups link during application installation and also
during application management, as a link in the Additional properties section.
Steps for this task
- Access the administrative console by typing http://localhost:9060/ibm/console in
a Web browser.
- Click Applications > Enterprise applications > application_name.
- Under Additional properties, click Map security roles to users/groups.
A list of all the roles that belong to this application displays. If
the roles already had users or special subjects (All Authenticated, Everyone)
assigned, they display here.
- To assign the special subjects, select either the Everyone or
the All Authenticated option for the appropriate roles.
- Click Apply to save any changes and then continue working
with user or group roles.
- To assign users or groups, select the role. You can
select multiple roles at the same time, if the same users or groups are assigned
to all the roles.
- Click Look up users or Look up groups.
- Get the appropriate users and groups from the registry by completing
the limit (number of items) and the Search String fields and
clicking Search. The limit field limits the number
of users that are obtained from the registry and displayed. The search string is
a pattern matching one or more users and groups. For example, user* lists
users such as user1 and user2. A pattern of a single asterisk (*) matches all users or
groups.
Use the limit and the search strings cautiously so as not to overwhelm
the registry. When using large registries (like Lightweight Directory Access
Protocol (LDAP)) where information on thousands of users and groups resides,
a search for a large number of users or groups can make the system very slow
and can make it fail. When the registry holds more matching entries than the
limit you requested, a message displays at the top of the panel. You can refine
your search until you have the required list.
- Select the users and groups to include as members of these roles
from the Available field and click >> to add them to the roles.
- To remove existing users and groups, select them from the Selected field
and click <<. When removing existing users and groups
from roles, use caution if those same roles are used as RunAs roles. For
example, if user1 is assigned to the RunAs role role1 and you try to remove
user1 from role1, the administrative console validation does not delete the
user, because a user can only be part of a RunAs role if the user is already
in that role (user1 should be in role1 in this case), either directly or indirectly
through a group. For more information on the validation checks that are performed
between RunAs role mapping and user and group mapping to roles, see the Assigning users to RunAs roles section.
- Click OK. If there are any validation problems
between the role assignments and the RunAs role assignments, the changes are
not committed and an error message indicating the problem displays at the
top of the panel. If there is a problem, make sure that the user in the RunAs
role is also a member of the regular role. If the regular role contains a
group which contains the user in the RunAs role, make sure that the group
is assigned to the role using the administrative console. Follow steps 4 and
5. Avoid using the Application Server Toolkit or any other manual process
where the complete name of the group (host name, group name, or distinguished
name (DN)) is not used.
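The validation that the console performs between the RunAs mapping and the regular role mapping, modelled as an added example. This is not the product's own code, binding-file format or API; the registry groups, role names and user names are constructed here, and group membership is resolved the way the text describes (a RunAs user must be in the role directly or through a group).

```python
"""Model of the RunAs role validation described in the steps above.

Constructed example: the registry groups, roles and users are invented,
and this is not the WebSphere binding file format or its administrative API.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the user registry (Local OS or LDAP): group -> members.
REGISTRY_GROUPS = {
    "admins": {"alice", "user1"},
    "staff": {"bob", "carol"},
}


@dataclass
class RoleMapping:
    """Users and groups mapped to one security role (as on the console panel)."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def role_members(mapping, registry_groups):
    """All users the role resolves to: direct users plus users reached via groups."""
    members = set(mapping.users)
    for group in mapping.groups:
        # An unknown group contributes nobody; the name must match the registry exactly.
        members |= registry_groups.get(group, set())
    return members


def runas_violations(role_map, runas_map, registry_groups):
    """Return (role, user) pairs where the RunAs user is not a member of the role.

    This is the rule the text states: a user may only be the RunAs identity
    for a role if that user is already in the role, directly or indirectly.
    """
    violations = []
    for role, user in runas_map.items():
        mapping = role_map.get(role, RoleMapping())
        if user not in role_members(mapping, registry_groups):
            violations.append((role, user))
    return violations


def remove_user(role_map, runas_map, registry_groups, role, user):
    """Remove a user from a role unless that would break a RunAs mapping.

    Mirrors the console behaviour described above: the change is rejected
    with a message instead of committing an inconsistent mapping.
    Returns (committed, message).
    """
    current = role_map[role]
    trial = RoleMapping(current.users - {user}, set(current.groups))
    trial_map = dict(role_map)
    trial_map[role] = trial
    broken = runas_violations(trial_map, runas_map, registry_groups)
    if broken:
        who = ", ".join(f"{u} (RunAs for {r})" for r, u in broken)
        return False, f"Change not committed: {who} would no longer be in the role"
    role_map[role] = trial
    return True, f"{user} removed from {role}"


if __name__ == "__main__":
    roles = {
        "role1": RoleMapping(users={"user1"}, groups={"staff"}),
        "role2": RoleMapping(groups={"admins"}),
    }
    runas = {"role1": "user1", "role2": "alice"}  # alice reaches role2 via the admins group
    print(runas_violations(roles, runas, REGISTRY_GROUPS))
    print(remove_user(roles, runas, REGISTRY_GROUPS, "role1", "user1"))
```

The check is what to run against a mapping before committing it: if `runas_violations` is non-empty, the fix is the one the text gives, add the RunAs user (or a registry group containing that user, spelled exactly as the registry knows it) to the regular role.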
Result
The user and group information is added to the binding file in the
application. This information is used later for authorization purposes.
What to do next
This task is required to assign users and groups to roles, which
enables the correct users and groups to access a secured application. If you
are installing an application, complete your installation. Once the application
is installed and running, you can access your resources according to the user
and group mapping you did in this task. If you are managing applications and
have modified the user and group to role mapping, make sure you save the
configuration, then stop and restart the application so that the changes become
effective. Try accessing the J2EE resources in the application to verify that
the changes are effective.