Mapping users to RunAs roles
RunAs roles are used for delegation. A servlet or enterprise bean component uses the RunAs role to invoke another enterprise bean by impersonating that role.
Before you perform this task:
- Secure the Web applications and enterprise bean applications, where new roles were created and assigned to enterprise bean and Web resources.
- Assign users and groups to roles. Complete this step during the installation of the application. The environment or user registry under which the application is going to run is not known until deployment. If you already know the environment in which the application is going to run and you know the user registry, then you can use the Application Assembly Tool (AAT) to assign users to RunAs roles.
1. Open the application file by clicking File > Open; browse and select the application file.
2. Click the application folder.
3. Click the Bindings tab on the right-hand panel.
4. Click Add under RunAs Bindings.
5. Choose a role from the security role menu.
6. Choose the User ID and Password and click OK. Make sure the user ID entered is part of the security role selected. If an All Authenticated special subject is assigned to the security role, you can use any valid user ID and password. If an Everyone special subject is assigned to the security role, you do not need to map a user to that role.
7. Repeat steps 4 through 6 for all the RunAs roles in the application.
8. Click Apply when done.
Results
The ibm-application-bnd.xmi file in the application contains the user to RunAs role mapping table.
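The rule above for choosing the RunAs user ID can be checked against the binding file after assembly. The following is an added example, not IBM's code or part of the original page: the element and attribute names in the embedded sample are an assumed layout of ibm-application-bnd.xmi, and the function name `audit_runas` is hypothetical.

```python
import xml.etree.ElementTree as ET

XMI = "{http://www.omg.org/XMI}"

# Constructed sample; element/attribute names are an ASSUMED layout of the binding file.
SAMPLE = """<applicationbnd:ApplicationBinding xmlns:xmi="http://www.omg.org/XMI"
    xmlns:applicationbnd="applicationbnd.xmi" xmlns:commonbnd="commonbnd.xmi">
  <authorizationTable>
    <authorizations>
      <role href="META-INF/application.xml#SecurityRole_1"/>
      <users name="alice"/>
    </authorizations>
    <authorizations>
      <role href="META-INF/application.xml#SecurityRole_2"/>
      <specialSubjects xmi:type="applicationbnd:AllAuthenticatedUsers"/>
    </authorizations>
  </authorizationTable>
  <runAsMap>
    <runAsBindings>
      <authData xmi:type="commonbnd:BasicAuthData" userId="bob" password="PLACEHOLDER"/>
      <securityRole href="META-INF/application.xml#SecurityRole_1"/>
    </runAsBindings>
    <runAsBindings>
      <authData xmi:type="commonbnd:BasicAuthData" userId="carol" password="PLACEHOLDER"/>
      <securityRole href="META-INF/application.xml#SecurityRole_2"/>
    </runAsBindings>
  </runAsMap>
</applicationbnd:ApplicationBinding>"""


def audit_runas(xmi_text):
    """Return (role_href, user_id, problem) for each RunAs binding that breaks the rule."""
    root = ET.fromstring(xmi_text)
    members, special = {}, {}
    for auth in root.iter("authorizations"):
        role = auth.find("role").get("href")
        members.setdefault(role, set()).update(u.get("name") for u in auth.findall("users"))
        special.setdefault(role, set()).update(
            s.get(XMI + "type", "").split(":")[-1] for s in auth.findall("specialSubjects"))
    findings = []
    for b in root.iter("runAsBindings"):
        role = b.find("securityRole").get("href")
        user = b.find("authData").get("userId")
        subjects = special.get(role, set())
        if "Everyone" in subjects:
            findings.append((role, user, "role is open to Everyone; no RunAs user is needed"))
        elif "AllAuthenticatedUsers" not in subjects and user not in members.get(role, set()):
            findings.append((role, user, "user ID is not assigned to the role"))
    return findings
```

The check compares user IDs only against users listed directly on the role; a user who belongs to the role through a group must be confirmed against the user registry.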
Usage scenario
This step also is required to secure an application. This step is required when a servlet or an enterprise bean in an application is configured with RunAs settings.
What to do next
After securing an application using the AAT, you can install this application using the administrative console.