

Job manager security

In a flexible management environment, a user ID must have the required authorization to use the job manager and to work with registered nodes.


Required security roles

You need the following roles to use the job manager:

Required security roles for job manager tasks. Roles include administrator, operator, configurator, and monitor.

Administrative tasks | Required security roles
Register or unregister with the job manager | administrator
Submit a job | operator
Change the job manager configuration | configurator
Read the job manager configuration or job history | monitor

If base (stand-alone) application server nodes that are managed by an admin agent are registered to a job manager, you need the following roles to use the admin agent and manage its nodes:

Required security roles for admin agent tasks. Roles include administrator and roles required for the operation or node.

Administrative tasks | Required security roles
Register or unregister a base (stand-alone) node with the admin agent | administrator
Work with the admin agent | Administrative roles required for the operation being performed
Work with the administrative subsystem, such as registered nodes | Administrative roles required for the registered base node

When a job runs on a target, the user must have privileges that include the role required for that job. For example, a job to create an application server requires at least the configurator role on either the base node or the WAS ND cell.


Basic security configuration

The admin agent and job manager support two different basic security configurations:

For the admin agent topology, when a user logs in to the JMX connector port of an administrative subsystem, or chooses the registered node from the administrative console, the authorization table for the base node is used.

For example, suppose User1 is authorized as administrator for the first base node, but is not authorized for the second node. User2 is authorized as configurator for the second node, but is not authorized for the first node. The Same user registry figure illustrates this example:

Further suppose User1 can log in to job manager as an operator with a user name and password. User1 can also log in to the dmgr as a monitor with a user name and password. The Different user registry figure illustrates this example:

Although User1 has the same user name for both the job manager and the dmgr in this example, User1 might just as likely have different user names and passwords on each.
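The following added example (not part of the product documentation or the product's own code) pre-checks whether a submitted job would be authorized, first at the job manager and then against each target's own authorization table. The tables are constructed from the User1 and User2 examples above, the job name readConfiguration is hypothetical, and the role inclusion map is an assumption based on the standard administrative role definitions.

```python
# Assumption: administrator includes operator and configurator privileges,
# and operator and configurator each include monitor privileges.
IMPLIES = {
    "administrator": {"administrator", "operator", "configurator", "monitor"},
    "operator": {"operator", "monitor"},
    "configurator": {"configurator", "monitor"},
    "monitor": {"monitor"},
}

# Constructed authorization tables, one per server, following the User1 and
# User2 examples. Each target consults only its own table.
TABLES = {
    "jobmanager": {"User1": {"operator"}},
    "basenode1": {"User1": {"administrator"}},
    "basenode2": {"User2": {"configurator"}},
    "dmgr": {"User1": {"monitor"}},
}

# Role each job needs on its target. createApplicationServer follows the
# example in the text; readConfiguration is a hypothetical job name.
JOB_ROLE = {"createApplicationServer": "configurator",
            "readConfiguration": "monitor"}


def has_role(table, user, needed):
    """True if any role granted to user in this table includes `needed`."""
    return any(needed in IMPLIES[role] for role in table.get(user, ()))


def check_job(user, job, targets, tables=TABLES):
    """Return {target: verdict} for a job submitted through the job manager."""
    # Submitting a job requires the operator role at the job manager itself.
    if not has_role(tables["jobmanager"], user, "operator"):
        return {t: "rejected at job manager: submitter lacks operator"
                for t in targets}
    needed = JOB_ROLE[job]
    verdicts = {}
    for target in targets:
        # The target authorizes the submitter against its own table.
        ok = has_role(tables[target], user, needed)
        verdicts[target] = ("authorized" if ok
                            else f"denied on target: needs {needed}")
    return verdicts


if __name__ == "__main__":
    for user in ("User1", "User2"):
        for target, verdict in check_job(
                user, "createApplicationServer",
                ["basenode1", "basenode2", "dmgr"]).items():
            print(f"{user} -> {target}: {verdict}")
```

Running the same check over real role mappings before scheduling a job shows which targets would reject it, and which users hold more than the minimum role a job needs.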


Transfer of security information

When the product transfers a job from the job manager to the admin agent, dmgr or host computer, the product also transfers security information about the job submitter. This transfer authenticates and authorizes the user while running the job. The following user security information might be passed with a submitted job:


Mixed registries configuration

In a more complex topology, where some cells share the same user registry and some cells do not, the following rules apply:

