Access with authorization delegated to Decision Center

You configure security access for your users and delegate authorization to Decision Center.

To configure security access with authorization delegated to Decision Center, you must:
  • Establish the user registry, for example a connection to an LDAP or a basic file-based registry.
  • Set the security realm to authenticate all users and delegate authorization to Decision Center.
  • Create an administrative user in the user registry to complete the initial Decision Center configuration.
Decision Center makes use of roles to determine what an authenticated user is authorized to access when logging in. Decision Center has the following predefined roles:
  • rtsAdministrator - Administrator access.
  • rtsInstaller - Access to the Installation Settings Wizard in the Enterprise console.
  • rtsConfigManager - Configuration manager access.
  • rtsUser - Standard access.

After configuring security access to Decision Center, you complete the configuration of Decision Center. Then, you must create users and groups in the Decision Center database to make use of security and fine-grained permissions (see Managing users from Decision Center).

Note: If you customize the Decision Center UI to create new roles, you can upload these new roles to the Decision Center database directly. You do not have to upload the predefined roles to the Decision Center database.

Step 1: Establish the user registry

Every Decision Center user must be present in both:
  • A registry of users from which the application server authenticates access to Decision Center.
  • The Decision Center database, so that each authenticated user can receive a permission profile from Decision Center.
In the application server, you establish this user registry in <WLP_HOME>/usr/servers/<SERVER_NAME>/server.xml. For example:
  • For a basic registry, add your groups and user/passwords.
  • For an LDAP, establish the connection with your users and groups.

Examples are provided at the end of this topic.

Step 2: Set the security realm

You must set the security realm so that the application server authenticates users and delegates authorization to Decision Center.

To do so, use the special subject feature for Liberty (see WebSphere: Authorization). Specifically, modify <WLP_HOME>/usr/servers/<SERVER_NAME>/server.xml for both teamserver.war and decisioncenter.war so that all authenticated users have the role rtsUser:

<!-- Business console -->
<application type="war" id="decisioncenter" name="decisioncenter" location="${server.config.dir}/apps/decisioncenter.war">
  <application-bnd>
    <security-role name="rtsAdministrator">
      <group name="AdminGroup"/>
    </security-role>
    <security-role name="rtsInstaller">
      <group name="InstallGroup"/>
    </security-role>
    <security-role name="rtsUser">
      <special-subject type="ALL_AUTHENTICATED_USERS" />
    </security-role>
  </application-bnd>
</application>
Note: Add the same security-role information for the Enterprise console application: <application type="war" id="teamserver" name="teamserver" location="${server.config.dir}/apps/teamserver.war">.

All users in the user registry can then authenticate to both Decision Center consoles, and every authenticated user is authorized to use the features of a basic user (rtsUser).

Step 3: Declare a user to complete the Decision Center configuration

You must create a user to complete the configuration of Decision Center. This user must have the rights of both rtsAdministrator and rtsInstaller.

The following table indicates the roles required for a user to complete the configuration.

Role             | Use                                                                                                                | Example group name, user/password combination
-----------------|--------------------------------------------------------------------------------------------------------------------|----------------------------------------------
rtsAdministrator | Gives the user administrator access.                                                                               | AdminGroup, rtsAdmin/rtsAdmin
rtsInstaller     | Gives the user access to the Installation Settings Wizard in the Enterprise console, to complete the configuration. | InstallGroup, rtsAdmin/rtsAdmin
To declare a user to complete the configuration, modify <WLP_HOME>/usr/servers/<SERVER_NAME>/server.xml. For example:
  • For a basic registry, add or replace <basicRegistry> as follows:
    <basicRegistry id="basic" realm="customRealm">
        <user name="rtsAdmin" password="rtsAdmin"/>
        <group name="AdminGroup">
                <member name="rtsAdmin"/>
        </group>
        <group name="InstallGroup">
                <member name="rtsAdmin"/>
        </group>        
    </basicRegistry>
  • For an LDAP, map the LDAP groups to the roles with the access-id attribute (the id and access-id attributes belong on the same <group> element as name):
    <!-- Business console -->
    <application type="war" id="decisioncenter" name="decisioncenter" location="${server.config.dir}/apps/decisioncenter.war">
      <application-bnd>
        <security-role name="rtsAdministrator">
          <group name="AdminGroup"
                 id="AdminGroup"
                 access-id="group:MyRealm/CN=AdminGroup,ou=Groups,dc=example,dc=com"/>
        </security-role>
        <security-role name="rtsInstaller">
          <group name="InstallGroup"
                 id="InstallGroup"
                 access-id="group:MyRealm/CN=InstallGroup,ou=Groups,dc=example,dc=com"/>
        </security-role>
        <security-role name="rtsUser">
          <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
      </application-bnd>
    </application>
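The role bindings from Step 2 and Step 3 can be checked before the server is started. The following checker is an added example, not part of the IBM documentation or of Liberty: it parses a server.xml excerpt (a constructed sample is embedded, with teamserver deliberately misconfigured) and reports when rtsUser is not open to all authenticated users, when a privileged role is, when a role binding contains stray text from a mis-closed <group/> element, or when a basic-registry group named by a privileged role has no member. Groups bound through an LDAP access-id are assumed not to appear in <basicRegistry> and are not checked against it.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml excerpt (not from the IBM documentation); teamserver is wrong on purpose.
SAMPLE_SERVER_XML = """<server>
  <basicRegistry id="basic" realm="customRealm">
    <user name="rtsAdmin" password="rtsAdmin"/>
    <group name="AdminGroup"><member name="rtsAdmin"/></group>
    <group name="InstallGroup"><member name="rtsAdmin"/></group>
  </basicRegistry>
  <application type="war" id="decisioncenter" name="decisioncenter">
    <application-bnd>
      <security-role name="rtsAdministrator"><group name="AdminGroup"/></security-role>
      <security-role name="rtsInstaller"><group name="InstallGroup"/></security-role>
      <security-role name="rtsUser"><special-subject type="ALL_AUTHENTICATED_USERS"/></security-role>
    </application-bnd>
  </application>
  <application type="war" id="teamserver" name="teamserver">
    <application-bnd>
      <security-role name="rtsAdministrator"><special-subject type="ALL_AUTHENTICATED_USERS"/></security-role>
      <security-role name="rtsUser"><special-subject type="ALL_AUTHENTICATED_USERS"/></security-role>
    </application-bnd>
  </application>
</server>"""
ALL_AUTH = "special-subject[@type='ALL_AUTHENTICATED_USERS']"
PRIVILEGED = {"rtsAdministrator", "rtsInstaller", "rtsConfigManager"}

def check_bindings(xml_text):
    """Findings for both Decision Center wars: rtsUser must be ALL_AUTHENTICATED_USERS
    (Step 2), privileged roles must not be, and every basic-registry group a privileged
    role names must have a member (Step 3). An empty list means the bindings look right."""
    root = ET.fromstring(xml_text)
    groups = {g.get("name"): [m.get("name") for m in g.findall("member")]
              for g in root.findall("./basicRegistry/group")}
    findings = []
    for war in ("decisioncenter", "teamserver"):
        roles = {r.get("name"): r for r in
                 root.findall(f"./application[@id='{war}']/application-bnd/security-role")}
        if "rtsUser" not in roles or roles["rtsUser"].find(ALL_AUTH) is None:
            findings.append(f"{war}: rtsUser is not bound to ALL_AUTHENTICATED_USERS")
        for name in sorted(PRIVILEGED.intersection(roles)):
            role = roles[name]
            if role.find(ALL_AUTH) is not None:
                findings.append(f"{war}: {name} is open to ALL_AUTHENTICATED_USERS")
            # Text left inside the role (attributes after a closed <group/>) is a silent misconfiguration.
            if any((t or "").strip() for t in [role.text] + [c.tail for c in role]):
                findings.append(f"{war}: {name} binding contains stray text")
            for g in role.findall("group"):
                if g.get("access-id") is None and not groups.get(g.get("name")):  # LDAP groups skipped
                    findings.append(f"{war}: {name} maps to group {g.get('name')!r} with no member")
    return findings
```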