Assign certain roles to users and groups to
control which sections of the local management interface and web services
they can access. By default, role-based authorization is disabled
on the appliance. You must first enable this function from the management
interface to make use of it.
About this task
With Management
Authorization, you can perform the following tasks:
The roles for a user session are determined when
a user first logs in. If the authorization configuration is modified
and deployed when a user is logged in, the changes take effect immediately.
You can customize the default roles to better suit
your environment. You can also remove all default roles and create
new ones from scratch.
Note: If you plan to use the included
default roles, you must carefully review these roles to ensure that
they are appropriate for your environment and usage.
The authorization settings do not affect the main system
account admin, which always has read and write
permission to all features. The admin account can
be used for recovery if needed.
Permissions
can be set for all features in the appliance except for the Home:
Appliance Dashboard. Any user who is able to authenticate
can view Home: Appliance Dashboard, even if
they are not assigned to any roles.
To ensure
complete flexibility with the role configuration, the permissions
for each feature are controlled separately. Some pages in the local
management interface, such as the
Management Authorization page,
use multiple features. As a result, users might need permissions for
more than one feature to use all of the features on a particular page
of the local management interface. For example, to access all of
the functions on the
Management Authorization page,
the user needs permissions for both of the following features:
- Account Management
- Management Authorization
If a user clicks a link or attempts to complete an action for which they
do not have the appropriate permission, an error message is returned.
The error message includes the details about which permission is required
for the selected action.
When you search for remote
LDAP users or groups, consider the following points:
- Users are assumed to be contained in the Base DN and
are identified based on the User Attribute that
is set on the Management Authentication page.
- Groups are also assumed to be contained in the Base
DN that is defined on the Management Authentication page.
- Groups are identified based on cn.
- Groups must be among the following types: group, groupofUniqueName,
or groupOfNames.
Authorization enforcement applies to the local
management interface, web services, and client certificate authentication.
- Authorization enforcement in the local management interface
- When a user logs in the local management interface, the menu displays
only the pages that the user has access to. When users attempt to go to a page to which they
do not have access, a page is displayed which explains that the user
does not have authorization to view the page. When a user views a
page with read-only permission, users cannot modify the configuration
or change the state of any services that are shown on the page. If
a user attempts to do so, a message is displayed stating that the
user does not have permission to perform the requested action.
- Authorization enforcement in web services
- If a user has read-permission for a feature, they are permitted
to perform GET requests against the associated Web
services. If a user has write-permissions on a feature, they can issue
any of the associated GET, POST, PUT,
and DELETE web services. When a user attempts to issue
a web service request that they are not authorized to perform, they
receive a response with the HTTP status code 403 Forbidden and
a message that states that they are not authorized to complete the transaction.
- Authorization enforcement in client certificate authentication
- If you want to use client certificates to authenticate to the
local management interface, ensure that the authorization framework
can map the DN of the presented client certificate
to a user that exists in the registry that is used for authentication.
For example, a certificate is presented with DN: cn=testUser,ou=qa,o=ibm,c=au.
When
you use a remote LDAP user registry for authentication, the authorization
decision is made for a user that matches the entire DN in the user
registry.
For example, a user that matches cn=testUser,ou=qa,o=ibm,c=au is
searched for in the remote LDAP user registry and the policy that
is associated with that user is enforced.
When you use the local
user database, the authorization decision is made for a user that
matches the CN of the presented DN.
For example, the user that is called testUser is
searched for in the local user database and the policy that is associated
with that user is enforced.
A user can be assigned multiple roles. In this
case, the user receives the highest cumulative permission from these
roles for each feature. For example, if they are assigned two roles
and one role has read-permission for a feature but the second role
has write-permission for the feature, the user is granted write-permission.
Note: The appliance caches authentication details to reduce
load on the user registry. The authentication details might be used
for up to 10 minutes after they are changed. This behavior can be
changed by using an advanced tuning parameter. Add the advanced tuning
parameter
lmi.authCache.baenabled with a value of
false to
disable this caching. See
Managing advanced tuning parameters.
A performance penalty is incurred when you
use this parameter. The user registry is queried when:
- A user logs in the local management interface through the browser.
- A request to the web services API by using Basic Authentication
is received.
There is some degradation of performance
in environments that make heavy use of the web services API by using
Basic Authentication.