IBM SmartCloud Application Performance Management, Version 7.7.0.1

Configuring role-based authorization

Role-based authorization is used in IBM SmartCloud® Application Performance Management UI to assign applications to different users. Both Lightweight Directory Access Protocol (LDAP) registry and basic user registry (file system-based) can be used. Only one active registry is supported.

About this task

All roles except apmAdmin are view-only roles that are defined in the roles.xml file. The apmAdmin administrative role can modify applications. Administrators define users or groups in the basicRegistry.xml file. To use the basic user registry, administrators must specify in the server.xml file that the basicRegistry.xml file is the user repository. To use an LDAP user registry, administrators must specify in the server.xml file that the ldapRegistry.xml file is the user repository. Administrators define the mapping of users or groups to roles in the server.xml file.

Users inherit authorizations from their groups. Administrators create new applications and assign view-only roles to users to access applications. All users that are associated with a view-only role can view the application, whether specified explicitly or implicitly.

The related XML files are in the following directories, where <APMUI_HOME> is the directory where SmartCloud Application Performance Management UI is installed:
  • basicRegistry.xml file: <APMUI_HOME>/usr/servers/apmui/basicRegistry.xml

    Users and groups are defined in this file if LDAP registry is not used.

    Sample basicRegistry.xml code:
    <basicRegistry id="basic" realm="customRealm">
        <user id="apmadmin" name="apmadmin" password="{xor}Pi8yLz4sLA=="/>
        <user id="user1" name="user1" password="{xor}TcqZ2c1Njo="/>
        <user id="user2" name="user2" password="{xor}TcqZ2c1Njo="/>
        <user password="{xor}TcqZ2c1Njo=" name="user10" id="user10"/>
        <user password="{xor}TcqZ2c1Njo=" name="user11" id="user11"/>
        <user password="{xor}TcqZ2c1Njo=" name="user20" id="user20"/>
        <group id="apmadmin" name="apmadmin">
            <member id="user1" name="user1"/>
            <member id="user2" name="user2"/>
        </group>
        <group id="apmviewer" name="apmviewer">
            <member id="user10" name="user10"/>
            <member id="user11" name="user11"/>
            <member id="user20" name="user20"/>
        </group>
    </basicRegistry>

    User passwords can be plain text (not recommended) or encrypted with the Liberty securityUtility tool, APMUI_home/bin/securityUtility encode, where APMUI_home is the installation path of SmartCloud Application Performance Management UI.

    Sample encryption command and its output:
    securityUtility encode --encoding=aes --key=APMUI_KEY passw0rd
    {aes}ACIlOwPKlItcKhTywvpKOouLbsUUOPvlnV98CTPfJsjK
  • ldapRegistry.xml file: <APMUI_HOME>/usr/shared/config/ldapRegistry.xml

    Refer to the sample configuration files that are supplied with Liberty for details: $wlp/templates/config/ldapRegistry.xml

    Sample ldapRegistry.xml code:
    <ldapRegistry id="IBMDirectoryServerLDAP" realm="SampleLdapIDSRealm"
        host="host.domain.com" port="389" ignoreCase="true"
        baseDN="o=domain,c=cn" ldapType="IBM Tivoli Directory Server"
        searchTimeout="1m" connectTimeout="2m"
        reuseConnection="true">
        <!-- The ampersand of an LDAP AND filter must be written as &amp; inside an XML attribute -->
        <idsFilters
            userFilter="(&amp;(uid=%v)(objectclass=ePerson))"
            groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
            userIdMap="*:uid" groupIdMap="*:cn"
            groupMemberIdMap="groupOfNames:member"/>
        <contextPool enabled="false" initialSize="1" maxSize="0" timeout="0ms"
            waitTime="3000ms" preferredSize="3"/>
    </ldapRegistry>
  • roles.xml file: <APMUI_HOME>/usr/servers/apmui/roles.xml

    Each role is defined by a security-role element whose role-name element gives the name of the role. The apmAdmin and ConsoleUser roles are predefined and must not be modified here.

    Sample roles.xml code:
    <security-role>
        <description>APM UI view-only role</description>
        <role-name>apmViewer</role-name>
    </security-role>
  • server.xml file: <APMUI_HOME>/usr/servers/apmui/server.xml

    The server.xml file defines the mapping from users or groups to roles. Add the mapping under the SmartCloud Application Performance Management UI application. Do not remove the mapping of the ConsoleUser role to all authenticated users.

    Sample server.xml code:
    <application-bnd>
        <security-role name="apmViewer">
            <user name="user10"/>
            <user name="user11"/>
            <user name="apmUser1"/>
            <user name="apmUser2"/>
            <group name="apmViewer"/>
        </security-role>
        <security-role name="apmAdmin">
            <user name="user20"/>
            <group name="apmAdmin"/>
        </security-role>
        <!-- Predefined mapping: every authenticated user holds ConsoleUser; do not remove it -->
        <security-role name="ConsoleUser">
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </security-role>
    </application-bnd>
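The three files above only work together when the names they share agree: every user or group bound to a role in server.xml must exist in the registry, every bound role must be either predefined or declared in roles.xml, and the ConsoleUser mapping must survive. The following script is an added example, not part of the product or of the original page: it parses constructed fragments modelled on the samples above (the user names, group names and password values are made up, apart from the page's own user1 value) and reports the inconsistencies a reviewer would look for, including plain-text passwords, {xor} values (a reversible encoding, as opposed to {aes}), unknown users or groups, groups that differ from the registry only in letter case, and a missing ALL_AUTHENTICATED_USERS mapping. It also resolves which users hold a role through their groups, which is how inheritance described above takes effect.

```python
"""Consistency audit across basicRegistry.xml, roles.xml and server.xml (added example)."""
import xml.etree.ElementTree as ET

# Predefined roles: bound in server.xml but never declared in roles.xml
PREDEFINED_ROLES = {"apmAdmin", "ConsoleUser"}

# Constructed samples modelled on the page's fragments; names and password values are made up.
BASIC_REGISTRY_XML = """
<basicRegistry id="basic" realm="customRealm">
    <user id="apmadmin" name="apmadmin" password="{aes}EXAMPLE_AES_VALUE"/>
    <user id="user1" name="user1" password="{xor}Pi8yLz4sLA=="/>
    <user id="user10" name="user10" password="plainpass"/>
    <group id="apmAdmin" name="apmAdmin">
        <member id="user1" name="user1"/>
    </group>
    <group id="apmviewer" name="apmviewer">
        <member id="user10" name="user10"/>
    </group>
</basicRegistry>
"""
ROLES_XML = """
<security-role>
    <description>APM UI view-only role</description>
    <role-name>apmViewer</role-name>
</security-role>
"""
SERVER_XML = """
<application-bnd>
    <security-role name="apmViewer">
        <user name="user10"/>
        <user name="ghost"/>
        <group name="apmViewer"/>
    </security-role>
    <security-role name="apmAdmin">
        <user name="apmadmin"/>
        <group name="apmAdmin"/>
    </security-role>
    <security-role name="ConsoleUser">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
    </security-role>
</application-bnd>
"""


def parse_fragment(text):
    """Wrap the text in a root element so that fragments such as the roles.xml sample parse."""
    return ET.fromstring("<root>" + text + "</root>")


def load_basic_registry(text):
    """Return ({user name: password value}, {group name: set of member names})."""
    root = parse_fragment(text)
    users = {u.get("name"): u.get("password", "") for u in root.iter("user")}
    groups = {g.get("name"): {m.get("name") for m in g.findall("member")}
              for g in root.iter("group")}
    return users, groups


def load_roles(text):
    """Role names declared in roles.xml."""
    return {r.findtext("role-name") for r in parse_fragment(text).iter("security-role")}


def load_bindings(text):
    """Map each bound role to the users, groups and special subjects it lists."""
    bindings = {}
    for role in parse_fragment(text).iter("security-role"):
        bindings[role.get("name")] = {
            "users": [u.get("name") for u in role.findall("user")],
            "groups": [g.get("name") for g in role.findall("group")],
            "special": [s.get("type") for s in role.findall("special-subject")],
        }
    return bindings


def effective_members(role, bindings, groups):
    """Users holding a role directly or inherited through a bound group."""
    binding = bindings.get(role, {"users": [], "groups": []})
    members = set(binding["users"])
    for group in binding["groups"]:
        members |= groups.get(group, set())
    return members


def audit(basic_xml, roles_xml, server_xml):
    """Return a list of human-readable findings; an empty list means the files agree."""
    users, groups = load_basic_registry(basic_xml)
    roles = load_roles(roles_xml)
    bindings = load_bindings(server_xml)
    findings = []
    for name, pw in users.items():
        if not pw.startswith("{"):
            findings.append(f"plaintext password for user {name}")
        elif pw.startswith("{xor}"):
            findings.append(f"user {name} uses {{xor}}, a reversible encoding; prefer {{aes}}")
    for role in roles & PREDEFINED_ROLES:
        findings.append(f"predefined role {role} must not be redefined in roles.xml")
    for role, binding in bindings.items():
        if role not in roles and role not in PREDEFINED_ROLES:
            findings.append(f"role {role} is bound but not defined in roles.xml")
        for user in binding["users"]:
            if user not in users:
                findings.append(f"role {role} references unknown user {user}")
        for group in binding["groups"]:
            if group not in groups:
                alt = next((g for g in groups if g.lower() == group.lower()), None)
                hint = f" (registry has {alt}; check the letter case)" if alt else ""
                findings.append(f"role {role} references unknown group {group}{hint}")
    if "ALL_AUTHENTICATED_USERS" not in bindings.get("ConsoleUser", {}).get("special", []):
        findings.append("ConsoleUser is not mapped to ALL_AUTHENTICATED_USERS")
    return findings


if __name__ == "__main__":
    for finding in audit(BASIC_REGISTRY_XML, ROLES_XML, SERVER_XML):
        print(finding)
    _, sample_groups = load_basic_registry(BASIC_REGISTRY_XML)
    print("apmAdmin holders:", sorted(effective_members("apmAdmin", load_bindings(SERVER_XML), sample_groups)))
```

To run it against a real installation, read the three files from the paths listed above instead of the embedded strings; the fragment wrapper keeps the parser tolerant of a roles.xml that contains several top-level security-role elements. The case-mismatch hint exists because the page's own samples spell the groups apmadmin and apmviewer in the registry but apmAdmin and apmViewer in server.xml, which is exactly the kind of drift that silently leaves a group unmapped.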

