
Assign users and groups to roles

We can assign users and groups to roles if we are using WebSphere Application Server authorization for Java EE roles.

If we are using System Authorization Facility (SAF) authorization for Java 2 Enterprise Edition (J2EE) roles, refer to SAF for role-based authorization.

Before performing this task:

These steps are common for both installing an application and modifying an existing application. If the application contains roles, we see the Security role to user/group mapping link during application installation and also during application management, as a link in the Additional properties section.


Assign users and groups to roles

  1. Access the administrative console.

      http://localhost:port_number/ibm/console

  2. Click...

    A list of all the roles that belong to this application is displayed. If the roles already have users, or if one of the special subjects, AllAuthenticatedUsers, AllAuthenticatedInTrustedRealms, or Everyone is assigned, they display here.

  3. To assign the special subjects, select either the Everyone or the All Authenticated in Application's Realm option for the appropriate roles.

  4. To assign users or groups, select the role. We can select multiple roles at the same time, if the same users or groups are assigned to all the roles.

  5. Click Look up users or Look up groups.

  6. We can either search for the appropriate users and groups in the user registry, or add a user/group role mapping directly without performing a search. Either option is activated by clicking Search. See the following steps for the option we require.

  7. Get the appropriate users and groups from the user registry

    Complete the Limit and the Search string fields, then click Search. The Limit field limits the number of users obtained from the user registry and displayed. The Search string field takes a pattern that matches one or more users and groups. For example, user* lists users such as user1 and user2. A pattern of a single asterisk (*) matches all users or groups.

    Use the limit and the search string cautiously so as not to overwhelm the user registry. With large user registries such as LDAP, where information on thousands of users and groups resides, a search that returns a large number of users or groups can make the system slow and can make it fail. When more entries exist than the requested limit, a message is displayed. We can refine the search until we have the required list.

    If the search string we are using has no matches, a NULL error message is displayed. This message is informational and does not necessarily indicate an error, as it is valid to have no entries matching your selected criteria.

  8. Add a user/group role mapping

    Click Search. Add IdP realms to the list of inbound trusted realms. For each Identity provider used with our WAS service provider, grant inbound trust to all the realms used by the identity provider.

    1. Click Trusted authentication realms - inbound.
    2. Click Add External Realm.
    3. Fill in the external realm name.
    4. Click OK and Save changes to the master configuration. Skip remaining steps.

  9. Select the users and groups to include as members of these roles from the Available field and click >> to add them to the roles.

  10. To remove existing users and groups, select them from the Selected field and click <<. Use caution if those same roles are used as RunAs roles.

    For example, if the user1 user is assigned to the role1 RunAs role and we try to remove the user1 user from the role1 role, the administrative console validation does not delete the user. A user can only be part of a RunAs role if the user is already in a role either directly or indirectly through a group. In this case, the user1 user is in the role1 role.

  11. Click OK. If any validation problems exist between the role assignments and the RunAs role assignments, the changes are not committed and an error message that indicates the problem is displayed. If a problem exists, make sure that the user in the RunAs role is also a member of the regular role. If the regular role contains a group containing the user in the RunAs role, make sure that the group is assigned to the role using the administrative console. Follow steps 4 and 5. Avoid using any process where the complete name of the group, host name, group name, or distinguished name (DN) is not used.
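The validation that steps 10 and 11 describe (a RunAs user must hold the regular role directly or through a group, and a removal that would break that is rejected) as an added example; this is a stand-alone model of the rule, not WebSphere code, and the role, user, and group names are constructed sample data:

```python
from dataclasses import dataclass, field


@dataclass
class RoleMapping:
    """One Java EE security role and the subjects mapped to it (constructed model)."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    special_subjects: set = field(default_factory=set)   # e.g. "Everyone"


def members_of(role: RoleMapping, group_members: dict) -> set:
    """Users holding the role directly or indirectly through an assigned group."""
    held = set(role.users)
    for group in role.groups:
        held |= group_members.get(group, set())
    return held


def runas_violations(roles: dict, runas: dict, group_members: dict) -> list:
    """(role, user) pairs whose RunAs user is not a member of the regular role."""
    problems = []
    for role_name, user in runas.items():
        role = roles.get(role_name, RoleMapping())
        if user not in members_of(role, group_members):
            problems.append((role_name, user))
    return problems


def remove_user(roles: dict, runas: dict, group_members: dict,
                role_name: str, user: str) -> bool:
    """Step 10: refuse a removal that would leave a RunAs user without the role."""
    trial = {n: RoleMapping(set(r.users), set(r.groups), set(r.special_subjects))
             for n, r in roles.items()}
    trial[role_name].users.discard(user)
    if runas_violations(trial, runas, group_members):
        return False                       # console validation keeps the user
    roles[role_name].users.discard(user)   # otherwise commit the change
    return True


# Constructed sample state: user1 is in role1 directly and is role1's RunAs user.
ROLES = {"role1": RoleMapping(users={"user1"}, groups={"sampadmn"}),
         "role2": RoleMapping(special_subjects={"AllAuthenticatedUsers"})}
GROUPS = {"sampadmn": {"samples"}}
RUNAS = {"role1": "user1"}

if __name__ == "__main__":
    print(runas_violations(ROLES, RUNAS, GROUPS))            # []
    print(remove_user(ROLES, RUNAS, GROUPS, "role1", "user1"))  # False
```

If user1 is added to the sampadmn group first, the same removal succeeds because the role is still held indirectly through the group.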

The user and group information is added to the binding file in the application. This information is used later for authorization purposes.

If we change the realm, repeat this process with the new realm name.


What to do next

This task is required to assign users and groups to roles, which enables the correct users and groups to access a secured application. If we are installing an application, complete the installation. After the application is installed and running, we can access its resources according to the user and group mapping that we did in this task. If we manage applications and modify the user and group to role mapping, make sure to save, stop, and restart the application so that the changes become effective. Try accessing the Java EE resources in the application to verify that the changes are effective.

Depending upon how the active user registry is configured, the search results of security user or group role mappings are displayed in different formats. With a federated repository, LDAP, file-based, and custom registries can be used. WAS can uniquely identify users from the various registries by the user names listed in the table.

Attention: In a distributed environment, when we install WAS with samples, enable security using federated repositories, and start the server1 server with sample applications, the server might log exceptions. However, the server starts successfully. The deployment manager did not create the sample users and groups when it created the deployment manager profile. To resolve exceptions caused by the samples failing to load, create our own sample users and groups. In the administrative console, do the following:

  1. Click Users and Groups > Manage Users.

  2. Create the samples user and the sampadmn group. The samples user is a member of the sampadmn group.

For more assistance, refer to the "Managing users" help topic by clicking More information about this page on the Manage Users pane.


Subtopics

  • Secure applications during assembly and deployment
  • Enable security