Security role to user or group mapping

Use this page to specify the users and groups that are mapped to the security roles that are used with the enterprise application.

[z/OS]Avoid trouble: If you are using System Authorization Facility (SAF) authorization for Java EE roles, refer to System Authorization Facility for role-based authorization for more information.

To view this administrative console page, click Applications > Application types > WebSphere enterprise applications > application_name. Under Detail Properties, click Security role to user/group mapping.

Table 1. User and group mapping. User and group mapping.
Button Resulting action
Map Users Lists the users that are mapped to the specified role within this application.

If trusted realms are configured, a drop-down list of realms to search is displayed. Users from the non-default realm are displayed as user@realm

Map Groups Lists the groups that are mapped to this specified role within this application.

If trusted realms are configured, a drop-down list of realms to search is displayed. Users from the non-default realm are displayed as user@realm

Map Special Subjects This choice appears if multiple realms are being used. It enables you to map any of the following Special Subjects to a selected role:
  • All authenticated in application realm: All authenticated users that are in the applications realm, which specifies whether to map all of the authenticated users to a specified role. When you map all authenticated users to a specified role, all of the valid users in the current registry who have been authenticated can access resources that are protected by this role.

    This selection also applies to all authenticated users regardless of the realm.

  • All authenticated in Trusted realm: All authenticated users that are in any of the trusted realms are mapped to the specified role. This configuration applies when users are authenticated with an external identity provider and these users need to be trusted by WebSphere® Application Server. When you map all authenticated users in a Trusted realm to a specified role, all of the valid users from the identity provider who have been authenticated with the provider can access resources that are protected by this role.

    You can view the trusted realms in the administrative console by clicking Security > Global security > RMI/IIOP > CSIv2 inbound communications > Trusted authentication realms - inbound. When users are from the non-default realm, the principal name in the Subject is user@realm.

  • Everyone: map everyone to the selected role. When you map everyone to a role, anyone can access the resources that are protected by this role and, essentially, there is no security.
  • None: Do not map anyone to the selected role
Attention:
  • If the secured realm cannot be reached, the list is replaced with 3 text fields (that is, name, realm, and uid). You can add the user when the secured realm is not available.

    It is not possible to map two subjects to the same role in this release of WebSphere Application Server.

Note: If any value is modified on this page, all of the metadata files related to the application are refreshed in the configuration repository.

Role

Lists the specific capabilities to a user. Role privileges give users and groups permission to run as specified.

For example, you might map the user Joe to the administrator role, which enables user Joe to perform all of the tasks associated with the administrator role.

The authorization policy is only enforced when global security is enabled.

Mapped users

Lists the users that are mapped to the specified role within this application.

Special subjects

Lists which special subjects are mapped to the security role when an application uses multiple realms.