This exercise covers the following scenario:
A deployment manager (Dmgr) and one node with two application servers.
Each application server hosts its own application.
The application server names are as follows:
server1 contains app1
server2 contains app2
1) You need to set up WebSphere global security with an LDAP registry or a federated repository.
2) You need to create two users in LDAP (for example user1 and user2).
Requirement: WAS 7.0 and LDAP, or you can also use a federated repository (the file-based repository comes as the default security registry with WAS 7.0).
The objective of this article is to give one user administrative access to a particular application server within the cell while limiting that user's access to the other application server and its application. This is useful where an application owner wants to maintain their own application.
This is achieved by configuring Administrative Authorization Groups. These groups map specific scopes or objects to console users and roles, so that those users have that role's access only on those specific objects.
Steps for configuring Fine-Grained Administrative Security via Administrative Authorization Groups
1. In the administrative console, under Users and Groups, click Administrative user roles.
2. Under Roles, scroll down and select Monitor.
3. Click the Search button; it displays all users from the LDAP registry.
4. Select user1 and user2. Click the right arrow to move them to the Mapped to role list.
5. In the administrative console, click Administrative authorization groups under Security.
6. Click New to create a new Administrative authorization group.
7. Enter User1ROLE as the name. Under Resources, select the All scope and expand all of the entries and sub-entries. Under Business-level applications and Applications, select APP1.
8. Under Nodes, expand your node and select server1.
9. Save the change and synchronize the node with the Dmgr.
10. In the administrative console, click Administrative authorization groups > Administrative user roles.
11. Click Add to map the console user to the administrative authorization group. Select the Administrator role, then click the Search button; it displays all users from the LDAP registry.
12. Select user1 and click the right arrow to move the user to the Mapped to role list.
13. Save the change and synchronize the node with the Dmgr.
14. Repeat step 6 to step 11 for User2ROLE (make sure to select APP2 and server2).
15. Select user2 and click the right arrow to move the user to the Mapped to role list.
16. Log in as user1 and user2. Once logged in, browse through various parts of the console. Notice that user1 and user2 have Monitor rights to most areas.
For example, expand Applications > Application Types > Enterprise applications to verify that user1 only has administrative authority on APP1.
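As an added example (not part of the original article), the same configuration can be done with a wsadmin Jython script run against the Dmgr profile, which makes the authorization-group setup repeatable and easy to review. The node name node1 and the script file name are assumptions; the user IDs, group names, servers and applications are the ones used in the steps above.

```jython
# Added example, not from the original article: wsadmin Jython equivalent of the
# console steps. Run on the Dmgr:
#   <DMGR_PROFILE>/bin/wsadmin.sh -lang jython -f fineGrainedAdmin.py
# Assumed names: node 'node1'; everything else follows the article (user1/user2,
# User1ROLE/User2ROLE, server1/server2, APP1/APP2). Adjust to your cell.

NODE = 'node1'   # assumed node name

# Steps 1-4: cell-wide Monitor role. Without some cell-level role the users cannot
# log in to the console at all; Monitor gives read-only visibility everywhere.
AdminTask.mapUsersToAdminRole('[-roleName monitor -userids [user1 user2]]')

def createScopedAdminGroup(groupName, serverName, appName, userId):
    # Steps 6-8: authorization group whose resources are one server and one application.
    AdminTask.createAuthorizationGroup('[-authorizationGroupName %s]' % groupName)
    AdminTask.addResourceToAuthorizationGroup(
        '[-authorizationGroupName %s -resourceName Server=%s:%s]' % (groupName, NODE, serverName))
    AdminTask.addResourceToAuthorizationGroup(
        '[-authorizationGroupName %s -resourceName Application=%s]' % (groupName, appName))
    # Steps 10-12: Administrator role, but only inside this group, i.e. only on the
    # resources listed above. Cell-wide the user is still just a Monitor.
    AdminTask.mapUsersToAdminRole(
        '[-authorizationGroupName %s -roleName administrator -userids [%s]]' % (groupName, userId))

createScopedAdminGroup('User1ROLE', 'server1', 'APP1', 'user1')   # steps 6-12
createScopedAdminGroup('User2ROLE', 'server2', 'APP2', 'user2')   # step 14

# Steps 9 and 13: save the configuration and synchronize the node with the Dmgr.
AdminConfig.save()
sync = AdminControl.completeObjectName('type=NodeSync,node=%s,*' % NODE)
if sync:
    AdminControl.invoke(sync, 'sync')

# Step 16 (check): for each group, list the resources it covers and who holds the
# Administrator role in it. Each user should appear only in their own group.
for g in ('User1ROLE', 'User2ROLE'):
    print g, 'resources:', AdminTask.listResourcesOfAuthorizationGroup(
        '[-authorizationGroupName %s]' % g)
    print g, 'administrators:', AdminTask.listUserIDsOfAuthorizationGroup(
        '[-authorizationGroupName %s -roleName administrator]' % g)
```

The resource names use the AdminTask formats Server=node:server and Application=name; the script deliberately keeps the cell-level mapping at Monitor, so that the only place user1 or user2 gets the Administrator role is inside their own authorization group. The final loop is the scripted counterpart of step 16 and is worth keeping as a periodic check that nobody has been added to the wrong group.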