Enabling application groups

You can define user groups within the database user registry with members (users or groups) contained in the federated LDAP user registry you configured with application groups. The benefit of application groups is that you can create groups that are only used in IBM® WebSphere® Portal.

Before you begin

Before you enable application groups, from the Configuration Wizard run the Enable Federated Security configuration option to add all required federated LDAP user registries. Then, add all required database user registries. You must also set the Group entity type to the database user registry and the Person entity type to the LDAP user registry.

About this task

You can use application groups in the following scenarios:
Read-only LDAP
If you have a read-only LDAP, you cannot change the group membership of users and groups. If you need to define access rights for certain users that are in different groups, you can create an application group for these users with the required access rights.
Special group setup for WebSphere Portal
In this scenario, you need to set up a special group hierarchy that is used only by WebSphere Portal and not by other applications that access your LDAP server. This set up can help you apply special access control rules just for WebSphere Portal because the roles assigned to the application group also apply to all of its members.
Note: Application groups apply only to WebSphere Portal; it does not apply to external security managers. Also, application groups are not supported when you use the built-in file repository.

Perform the following steps to enable application groups:

Procedure

  1. Run the following task to enable application groups:
    Table 1. Task to enable application groups by operating system
    Operating system Task
    AIX® ./ConfigEngine.sh wp-update-group-repository-relationship -DWasPassword=password -Drepository.id=ldapid -Drepository.forgroups=dbid from the wp_profile_root/ConfigEngine directory
    IBM i ConfigEngine.sh wp-update-group-repository-relationship -DWasPassword=password -Drepository.id=ldapid -Drepository.forgroups=dbid from the wp_profile_root/ConfigEngine directory
    Linux ./ConfigEngine.sh wp-update-group-repository-relationship -DWasPassword=password -Drepository.id=ldapid -Drepository.forgroups=dbid from the wp_profile_root/ConfigEngine directory
    Solaris ./ConfigEngine.sh wp-update-group-repository-relationship -DWasPassword=password -Drepository.id=ldapid -Drepository.forgroups=dbid from the wp_profile_root/ConfigEngine directory
    Windows ConfigEngine.bat wp-update-group-repository-relationship -DWasPassword=password -Drepository.id=ldapid -Drepository.forgroups=dbid from the wp_profile_root\ConfigEngine directory
    When you run the wp-create-ldap task, ldapid is the value that is specified in federated.ldap.id and when you run the wp-create-db task, the dbid is the value that is specified in federated.db.id
  2. Stop and restart the WebSphere_Portal server.