This series of Q&As and pointers came out of a client support engagement in which the user was using file-based authentication in WebSphere Application Server (WAS) with RAM 7.5.2. It was necessary to explain that a user who is not registered in RAM cannot be searched for in RAM.
They were trying to follow the RAM 7.5.2 Knowledge Center (KC) topic:
- Adding new user groups and assigning roles
When a user is registered in RAM, RAM adds that user to its database. For file-based authentication, RAM searches only its database for users. With LDAP authentication, the search UI has a "search custom repository" checkbox; if the user selects it, RAM also searches the LDAP repository in addition to the database.
The result was this series of Q&As and comments:
1. IBM RAM will be updating the Knowledge Center to say what users/admins can expect for file-based authentication under DOC APAR PI58517 - "RAM 752x Knowledge center Topic - Assigning repository administrators is not clear"
The RAM 7.5.2.x topic:
- Assigning repository administrators
says you can search for users within either the external registry or the list of users that are registered with Rational Asset Manager, depending on whether an external registry is configured. That is vague. It has to be changed to say explicitly what users/admins can expect for file-based authentication.
2. When you search for a user in the RAM admin console while adding a new user, should you see the name in the search results if it is in the WAS Manage Users list? Or do you first have to use RAM.SETUP to add any new users?
No! RAM does not show the names in the WAS managed users list, only those in RAM's "internal" database of registered users. If you use a WAS federated repository, there is no way to add a user in RAM.SETUP; only a file system standalone Custom User Registry allows it. More on this in 3. and 8. (below)
3. How can you add the email information in the RAM registry for already registered users?
The only way is on the RAM User profile page. We have stated in the RAM.SETUP web app that if you select Federated Repository, not all of the information can be populated into RAM.
RAM Server Setup webapp (RAM.SETUP) screen:
... (3) Users and Authentication
You must add the primary administrator of this user account repository as a registered user and as an administrator.
Note: The server setup application cannot be used to make changes to this repository. Also all users within the repository must be able to login to Rational Asset Manager, but their user profile in Rational Asset Manager will not be fully populated from the information in the repository.
Configure File-based Authentication // as in custom user registry
"File-based Authentication is a simple text file that lists the users of the repository. If you have an LDAP server available for your company, you can specify LDAP as the authentication type on the <introduction page> and continue through the server setup
See also step 7 in:
- Deploying and configuring application files by using the server setup application
- Configuring security by using the server setup application
"...If you chose to use a federated repository, the local operating system, or a custom user registry (other than file-based) in step 7.b, you will be prompted to confirm that the user ID of the administrator for the user registry will be the repository administrator. There are no other configuration options for this type of authentication."
4. The article:
- IBM WebSphere Developer Technical Journal: Expand your user registry options with a federated repository in WebSphere Application Server V6.1 (24 January 2007)
shows that a Federated Repository can have many repositories: file-based (default), LDAP, database or custom user registry.
A4: In this user scenario, it was explained that they were using a Federated - File.
Just a note: if using LDAP, there can be only one LDAP in the federated repository; otherwise RAM cannot work.
5. Why is it necessary for a new user who is in the WAS repository to register their user profile first, when they log in to RAM as, say, "bob", before the ramadmin can search on that user?
The WAS user repository is not used only by RAM; it can be used by other applications. For example, the RTC and RAM servers/applications are using the same user repository on WAS. If the user just wants to add one user for RTC and not RAM, we would not want to search and find that user in RAM. So only the RAM registry of registered "user profiles" can be safely searched in RAM for users.
6. If you log in as ramadmin, is it possible to change a user profile for another user, or to register another user profile?
No. RAM is not able to govern user information. The only way to register a user is to have the user click the register button. It is their profile! The user profile is there for the user to change as they please and to even choose if they want notifications and so forth.
7. Why does RAM not use the email from WAS?
A7: Same as A6 (above).