What version of WebSphere Application Server is being used?

What is in the "Installed Product" section of the "versionInfo" command script output?

- On Windows systems, execute the versionInfo.bat command script, e.g.,
  > D:\IBM\WebSphere\AppServer\bin\versionInfo

- On *ix systems, execute the versionInfo.sh command script, e.g.,
  # /opt/IBM/WebSphere/AppServer/bin/versionInfo.sh

- What is output when you execute the following wsadmin script?

1. Copy the following to "listUsers.py" in some known location (e.g., C:\temp)

try :
    print AdminTask.listUsersForNamingRoles()
except :
    print "Error: AdminTask.listUsersForNamingRoles() doesn't appear to be available."

Select allOpen in new window

2. Execute the script using the wsadmin command utility.

  - On Windows systems, the command should look like:

    # D:\IBM\WebSphere\AppServer\bin\wsadmin -conntype none -f C:\temp\listUsers.py

  - On *ix systems, the command should look like:

    # /opt/IBM/WebSphere/AppServer/bin/wsadmin.sh -conntype none -f /temp/listUsers.py

What is output?

Well I am using WAS 8.0, why do I need to run the script that you gave?. Is n't this information stored in some properties file like the security.xml. I already configured the websphere to use LDAP and defined the configurator and operator roles from the websphere console.

> Well I am using WAS 8.0

  Excellent.

  Since you are using 8.0, that helps me to know more about what might be available for you to use.

> why do I need to run the script that you gave?

  It helps me to understand your environment better.

  Currently, I don't have that kind of role configured, and I wanted to work with you to help you get an answer to your question.

> Isn't this information stored in some properties file like the security.xml.

  Maybe.  Since, as I indicated, I don't have or use roles in my test environment, I don't have the quick and easy answer to that question.  But, I'm willing to work with you to not only get the answer, but also learn something at the same time.

  Does that make sense?

IT does, but I Wanted to see where these values are usually saved. If WAS 8 is an issue you can tell me replica in WAS 6.1 or WAS 7.0.

Well, if you want to find it quickly, I would search your XML files in the WebSphere directory structure for occurrences of a "unique to your environment" role name (i.e., not something that might occur in a number of places).

On the other hand, we could word together to see how to do it with wsadmin scripts if that is what you would like to do.

The way that I interpreted your question lead me to believe that you wanted to figure out how to manipulate different roles in your environment using scripting.

Ok lets cut down to the main issue, I configured a group to have the operator role in websphere. The user can login to the console but cannot perform the operator's function like start/stop servers. What might be preventing this. Are the roles not properly defined in LDAP or is there something I am missing on the websphere side?

FYI here is the output I got after executing the script

WASX7357I: By request, this scripting client is not connected to any server process. Certain configuration and application operations will be available in local mode.
{CosNamingWrite=[], CosNamingDelete=[], CosNamingCreate=[], CosNamingRead=[]}

The "WASX7357I" message is expected, and occurs because a connection was not made to an active Application Server (or Deployment Manager).

This is the result of "-conntype none" on the command line.

The output, i.e.,

{CosNamingWrite=[], CosNamingDelete=[], CosNamingCreate=[], CosNamingRead=[]}

Select allOpen in new window

is identical to what I have in my environment which is not configured to use LDAP.

So, the next question is:

What, exactly, do you mean when you say:

> The user can login to the console but cannot perform the operator's function like start/stop servers.

No authentication / authorization is performed during starting of a server.  So, I don't have to have any role to execute the following commands:

startManager
startNode
startServer

It is only during the stopping that the authentication / authorization is performed and verified.

From the Admin Console, if we select "Users and Groups" -> "Administrative user roles", the corresponding wsadmin commands that are issued to list the users shown here are:

AdminTask.listUserIDsOfAuthorizationGroup()
AdminTask.listAuditUserIDsOfAuthorizationGroup()

Select allOpen in new window

The next question is:

What exactly are you doing that should be using the appropriate role, and how is it failing?

I would expect you to be doing something like:

stopServer server1 -profileName AppSrv01

or, on *ix:

./stopServer.sh server1 -profileName AppSrv01

With security enabled, I would expect a dialog box to be displayed, prompting you for the userid & password to be used.

Is this what is happening?

How is it failing?

What messages are being displayed?

A really valuable document is "WebSphere Application Server V7.0 Security Guide"
http://www.redbooks.ibm.com/redbooks/pdfs/sg247660.pdf 

My apologies, there are no app servers a user with config role is trying to create an app server and cannot do it

Ah!  That makes sense.

I presume that you do have a Deployment Manager though.

Right?

Are you trying to create a stand-alone AppServer, or a federated one?

Creating cell profiles
  http://publib.boulder.ibm.com/infocenter/wasinfo/v8r0/index.jsp?topic=%2Fcom.ibm.websphere.installation.nd.doc%2Finfo%2Fae%2Fae%2Ftpro_instancescell.html&resultof=%22profile%22%20%22profil%22%20%22creation%22

Creating application server profiles
  http://publib.boulder.ibm.com/infocenter/wasinfo/v8r0/index.jsp?topic=%2Fcom.ibm.websphere.installation.nd.doc%2Finfo%2Fae%2Fae%2Ftpro_instancessaappserv.html

I am trying to create an application server in a federated node.

I am aware of the procedures you described.

ok, how can I help?

If a user has config access why is the user not able to acreate an appserver and where this information will be logged?

Additionally it would be great f you could tell me what file stores the information pertaining to the roles under "administratve group roles"  inside the administrative consle.

Does that make sense?

For me, this means that the file is stored in a file (something like):

C:\IBM\WebSphere\AppServer\profiles\Dmgr01\config\cells\myCell01\admin-authz.html

Thanks for the grade & points.

Good luck & have a great day.