You can assign users and groups to roles if you are using WebSphere® Application Server
authorization for Java™ Platform, Enterprise Edition (Java EE) roles.
Before you begin
Before you perform this task:
- Secure the web applications and Enterprise JavaBeans (EJB) applications
where new roles are created and assigned to web and enterprise bean resources.
- Create all the roles in your application.
- Verify that you have properly configured the user registry that contains the users that you want
to assign. It is preferable to have security turned on with the user registry of your choice before
beginning this process.
- Make sure that any change to the security configuration, for example enabling security or
changing the user registry, is saved and that the server is restarted afterwards. Such a change
does not take effect until the server restarts.
About this task
These steps are common for both installing an application and modifying an existing application.
If the application contains roles, you see the Security role to user/group mapping link during
application installation and also during application management, as a link in the Additional
properties section.
Procedure
- Access the administrative console.
Type http://server_name:port_number/ibm/console in a web browser
(or http://localhost:port_number/ibm/console if the browser runs on the same host as the server).
- Click Applications > Application Types > WebSphere enterprise
applications > application_name .
- Under Detail properties, click Security role to user/group mapping.
A list of all the roles that belong to this application is displayed. If the roles already have
users, or if one of the special subjects, AllAuthenticatedUsers, AllAuthenticatedInTrustedRealms,
or Everyone, is assigned, they display here.
- To assign the special subjects, select either the Everyone or the All
Authenticated in Application's Realm option for the appropriate roles.
- To assign users or groups, select the role.
You can select multiple roles at the same time if the same users or groups are assigned to all
the roles.
- Click Look up users or Look up groups.
- Either search the user registry for the appropriate users and groups, or add a user/group role
mapping directly without searching. Both options are started by clicking Search. See the next
steps for the option you require.
- Get the appropriate users and groups from the user registry. Complete the Limit and the
Search string fields, then click Search.
The Limit field limits the number of users or groups that are obtained and displayed from the
user registry. The Search string is a pattern that matches one or more users or groups. For
example, user* lists users like user1 and user2. A pattern consisting of an asterisk (*) alone
matches all users or groups.
Use the limit and the search string cautiously so as not to overwhelm the user registry.
With a large user registry such as Lightweight Directory Access Protocol (LDAP), where
information on thousands of users and groups resides, a search that returns a large number of
users or groups can make the system slow and can make it fail. When more entries match than the
limit allows, a message is displayed; refine your search until you have the required list.
If the search string you are using has no matches, a NULL error message is displayed. This
message is informational and does not necessarily indicate an error, as it is valid to have no
entries matching your selected criteria.
- Add a user/group role mapping
Add a user/group role mapping by clicking Search. This option maps a user or group by name
without searching the registry, for example a user from an identity provider (IdP) realm that
is external to the application's realm. Add the IdP realms to the list of inbound trusted realms:
for each identity provider that is used with your WebSphere Application Server service provider,
you must grant inbound trust to all the realms that are used by that identity provider.
- Click .
- Click .
- Fill in the external realm name.
- Click and .
Skip the remaining steps.
- Select the users and groups to include as members of these roles from the
Available field and click >> to add them to the roles.
- To remove existing users and groups, select them from the Selected field and click
<<.
When removing existing users and groups from roles, use caution if those
same roles are used as RunAs roles.
For example, if the user1 user is assigned to the role1 RunAs
role and you try to remove the user1 user from the role1 role, the administrative console validation
does not delete the user. A user can only be part of a RunAs role if the user is already in a role
either directly or indirectly through a group. In this case, the user1 user is in the role1 role.
For more information on the validation checks that are performed between RunAs role mapping and user
and group mapping to roles, see Assigning users to RunAs roles.
- Click OK.
If any validation problems exist between the role assignments and the RunAs role assignments,
the changes are not committed and an error message that indicates the problem is displayed. If a
problem exists, make sure that the user in the RunAs role is also a member of the regular role.
If the regular role contains a group that contains the user in the RunAs role, make sure that
the group is assigned to the role using the administrative console, following the steps above
for selecting the role and looking up groups. Always specify the complete name of the group
(host name, group name, or distinguished name (DN)); do not use any process that supplies only a
partial group name.
Results
The user and group information is added to the binding file in the application. This
information is used later for authorization purposes.
Note: If you change your realm you must repeat this process with the new realm name.
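The binding file that the Results section refers to is ibm-application-bnd.xml, which records the
role-to-user, role-to-group, special-subject and RunAs mappings that the console writes. The
following added example (not IBM's code, and not part of this page) parses a constructed binding
file and applies the RunAs validation rule described in the procedure offline: a RunAs user must
hold the role directly, through a mapped group, or through a special subject that covers every
authenticated user. The group membership map stands in for the user registry; the roles, users,
groups and file contents are all constructed sample data.

```python
"""Offline check of a WebSphere ibm-application-bnd.xml role binding.

Added example, not IBM's code. It parses the binding file format that the
administrative console writes and applies the RunAs rule from the procedure
above: a RunAs user must also hold the role, directly or through a group.
The XML, users and group memberships below are constructed sample data,
and REGISTRY_GROUPS stands in for a lookup against the real user registry.
"""
import xml.etree.ElementTree as ET

NS = {"bnd": "http://websphere.ibm.com/xml/ns/javaee"}

# Constructed sample binding: role1 is mapped to user1 and group1 and is also
# a RunAs role; role2 uses a special subject; role3 has a RunAs user who is
# not a member of the role (the case the console validation rejects).
SAMPLE_BND = """<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <security-role name="role1">
    <user name="user1"/>
    <group name="group1"/>
    <run-as><user name="user1"/></run-as>
  </security-role>
  <security-role name="role2">
    <special-subject type="ALL_AUTHENTICATED_USERS"/>
  </security-role>
  <security-role name="role3">
    <group name="group1"/>
    <run-as><user name="user2"/></run-as>
  </security-role>
</application-bnd>
"""

# Constructed stand-in for the user registry: group name -> member user names.
REGISTRY_GROUPS = {
    "group1": {"user1", "user3"},
    "group2": {"user2"},
}


def parse_bindings(xml_text):
    """Return {role: {"users", "groups", "special", "run_as"}} from a binding file."""
    root = ET.fromstring(xml_text)
    roles = {}
    for sr in root.findall("bnd:security-role", NS):
        run_as = sr.find("bnd:run-as/bnd:user", NS)
        roles[sr.get("name")] = {
            "users": {u.get("name") for u in sr.findall("bnd:user", NS)},
            "groups": {g.get("name") for g in sr.findall("bnd:group", NS)},
            "special": {s.get("type") for s in sr.findall("bnd:special-subject", NS)},
            "run_as": run_as.get("name") if run_as is not None else None,
        }
    return roles


def holds_role(user, role, groups=REGISTRY_GROUPS):
    """True if the user is in the role directly, via a mapped group, or via a
    special subject that covers every authenticated user. The trusted-realms
    special subject is deliberately not treated as covering, because whether it
    applies depends on the realm the user authenticated in."""
    if user in role["users"]:
        return True
    if role["special"] & {"EVERYONE", "ALL_AUTHENTICATED_USERS"}:
        return True
    return any(user in groups.get(g, set()) for g in role["groups"])


def validate_run_as(roles, groups=REGISTRY_GROUPS):
    """Return (role, user) pairs whose RunAs user does not hold the role."""
    return [
        (name, r["run_as"])
        for name, r in roles.items()
        if r["run_as"] and not holds_role(r["run_as"], r, groups)
    ]


if __name__ == "__main__":
    for role, user in validate_run_as(parse_bindings(SAMPLE_BND)):
        print(f"RunAs user {user} is not a member of role {role}")
```

Run against the sample data, the check reports only role3, because user2 is neither mapped
directly nor a member of group1; role1 passes because user1 is mapped directly. Replace
REGISTRY_GROUPS with a lookup against your LDAP or federated repository to run the same check
before deploying an application, which avoids the validation error at the OK step.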
What to do next
This task is required to assign users and groups to roles, which enables the correct users
and groups to access a secured application. If you are installing an application, complete your
installation. After the application is installed and running, you can access your resources
according to the user and group mapping that you did in this task. If you manage applications and
modify the users and groups to role mapping, make sure that you save, stop, and restart the
application so that the changes become effective. Try accessing the Java EE resources in the
application to verify that the changes are effective.
Note: Depending upon how your active user registry is configured, the search results of security
user or group role mappings are displayed in different formats. With federated repositories, LDAP,
file-based, and custom registries can be used. WebSphere Application Server can uniquely identify
users from the various registries by the user names listed in the table.
Attention: In a distributed environment, when you install WebSphere Application Server with
samples, enable security using federated repositories, and start the server1 server with the
sample applications, the server might log exceptions. However, the server starts successfully.
The exceptions occur because the deployment manager did not create the sample user and group
when it created the deployment manager profile. To resolve the exceptions caused by the samples
failing to load, create your own sample user and group. In the administrative console, do the
following:
- Click Users and Groups > Manage Users.
- Create the samples user and the sampadmn group. The samples user is a
member of the sampadmn group.
For more assistance, refer to the "Managing users" help topic by clicking More information
about this page on the Manage Users pane.