The FTM.Role.Logon security role, user groups and authorization

The FTM.Role.Logon role is the only security role for the OAC. Mapping it to one or more user groups gives the members of those groups basic login access to the OAC.

You can then provide user groups with various levels of access to the resources or views within the FTM OAC. OAC fine-grained authorization is controlled by assigning permissions to user groups. That is, you must define which user group is allowed to perform which actions on which resources for a particular application. You can choose one of the following models:
Single group membership
Each user is a member of exactly one group, and you define a set of permissions for that group.

This means that you must define many groups and many permission sets if you have many users with different authorizations. Moreover, you must map many groups to role FTM.Role.Logon in the WebSphere® Application Server Integrated Solutions Console.

Multiple group membership
A user is a member of multiple groups, and you define granular subsets of permissions for each of these groups.

Thus you have a small number of permission sets, and you manage OAC security by assigning users to all of the required groups. In particular, you need only one basic user group that must be mapped to role FTM.Role.Logon in the WebSphere Application Server Integrated Solutions Console.

The choice between a single and a multiple group model depends on your security policy. The FTM OAC security worked examples show how to implement these models in both of the following scenarios:
  • Single application scenario where FTM has only one application.
  • Multiple applications scenario where FTM has several applications.
For a multiple applications scenario, you can either:
  • Define a user group with permissions spanning several applications.
  • Create separate groups, or sets of groups, for each application individually.
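The following is an added, constructed Python model of the two group-membership models described above; it is not FTM code and does not call any FTM or WebSphere API. It treats a permission as an (application, resource, action) triple, builds the groups each model needs for the same set of users (including one user, grace, whose permissions span two applications), and then computes which groups must be mapped to FTM.Role.Logon for every user to be able to log on. The users, applications, resources, actions and group names are invented for illustration; FTM.Role.Logon is the only real identifier used.

```python
"""Toy model of the two OAC group-membership models described on this page.

Constructed example: not FTM code and not an FTM API. The applications,
resources, actions, users and group names are invented for illustration.
A permission is a triple (application, resource, action).
"""

LOGON_ROLE = "FTM.Role.Logon"  # the one OAC security role named on the page


def effective_permissions(user_groups, group_permissions):
    """Union of the permissions of every group the user belongs to."""
    perms = set()
    for group in user_groups:
        perms |= group_permissions.get(group, set())
    return perms


def is_allowed(user_groups, group_permissions, application, resource, action):
    """Fine-grained check: may this user perform `action` on `resource` in `application`?"""
    return (application, resource, action) in effective_permissions(user_groups, group_permissions)


def can_log_on(user_groups, role_mappings):
    """Basic login access: at least one of the user's groups is mapped to FTM.Role.Logon."""
    return any(group in role_mappings.get(LOGON_ROLE, set()) for group in user_groups)


def single_group_model(required):
    """One group per distinct permission set; every user is in exactly one group."""
    groups, membership = {}, {}
    for user, perms in required.items():
        wanted = frozenset(perms)
        name = next((g for g, p in groups.items() if p == wanted), None)
        if name is None:  # no group yet with exactly this permission set
            name = f"grp{len(groups) + 1}"
            groups[name] = wanted
        membership[user] = {name}
    return groups, membership


def multiple_group_model(required):
    """One basic logon group plus one small group per (application, resource, action);
    every user joins the basic group and each permission group they need."""
    groups, membership = {"basic": frozenset()}, {}
    for user, perms in required.items():
        membership[user] = {"basic"}
        for app, resource, action in perms:
            name = f"{app}.{resource}.{action}".lower()
            groups.setdefault(name, frozenset({(app, resource, action)}))
            membership[user].add(name)
    return groups, membership


def logon_groups_needed(membership):
    """Greedy hitting set: a small set of groups to map to FTM.Role.Logon so every user can log on."""
    uncovered = set(membership)
    all_groups = {g for gs in membership.values() for g in gs}
    chosen = set()
    while uncovered:
        best = max(all_groups, key=lambda g: sum(1 for u in uncovered if g in membership[u]))
        if not any(best in membership[u] for u in uncovered):
            raise ValueError(f"users without any group: {sorted(uncovered)}")
        chosen.add(best)
        uncovered = {u for u in uncovered if best not in membership[u]}
    return chosen


# Constructed requirement: which (application, resource, action) each user needs.
REQUIRED = {
    "alice": {("PaymentsApp", "Transactions", "view"), ("PaymentsApp", "Transactions", "resubmit")},
    "bob":   {("PaymentsApp", "Transactions", "view")},
    "carol": {("PaymentsApp", "Transactions", "view"), ("PaymentsApp", "Alerts", "acknowledge")},
    "dave":  {("PaymentsApp", "Transactions", "view"), ("PaymentsApp", "Transactions", "resubmit"),
              ("PaymentsApp", "Alerts", "acknowledge")},
    "erin":  {("PaymentsApp", "Transactions", "resubmit"), ("PaymentsApp", "Alerts", "acknowledge")},
    "frank": {("PaymentsApp", "Alerts", "acknowledge")},
    # grace's permissions span two applications (multiple applications scenario)
    "grace": {("PaymentsApp", "Transactions", "view"), ("AcquiringApp", "Transactions", "view")},
}

if __name__ == "__main__":
    for label, model in (("single", single_group_model), ("multiple", multiple_group_model)):
        groups, membership = model(REQUIRED)
        logon = logon_groups_needed(membership)
        print(f"{label}: {len(groups)} groups, {len(logon)} mapped to {LOGON_ROLE}: {sorted(logon)}")
```

With these seven users the single group model needs seven groups, all of which must be mapped to FTM.Role.Logon, while the multiple group model needs five groups and only the basic group must be mapped. Both models give every user exactly the permissions in REQUIRED; the difference is purely in how many groups and role mappings you have to administer.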