The FTM.Role.Logon security role, user groups, and authorization

The FTM.Role.Logon role is the only security role for the Operations and Administration Console (OAC). Mapping this role to one or more user groups provides basic login access to the OAC.

You can then provide user groups with various levels of access to the resources or views within the FTM OAC. OAC fine-grained authorization is controlled by assigning permissions to user groups. That is, you must define which user group is allowed to do which actions on which resources for a particular application. You can choose one of the following models:
Single-group membership
Each user is a member of exactly one group, and you define a set of permissions for that group.

This model means that you must define many groups and many permission sets if you have many users with different authorizations. Moreover, you must map many groups to the role FTM.Role.Logon in WebSphere® Application Server.

Multiple-group membership
A user is a member of multiple groups, and you define granular subsets of permissions for each of these groups.

In this model, you have a few permission sets and you manage OAC security by assigning users to all the groups that they need. In particular, a single basic user group is all that must be mapped to the role FTM.Role.Logon in WebSphere Application Server.

The choice between a single-group and a multiple-group model depends on your security policy. FTM OAC security worked examples shows how to implement these models in the following scenarios:
  • Single application scenario, where FTM has only one application.
  • Multiple applications scenario, where FTM has several applications.
For a multiple applications scenario, you can either:
  • Define a user group with permissions that span several applications.
  • Create separate groups, or sets of groups, for each application individually.
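The following Python script is an added illustration of the two membership models described above; it is not FTM or OAC code and does not use any FTM API. It models the two things the page separates: groups mapped to FTM.Role.Logon (basic login) and per-group permission sets (fine-grained authorization, as (application, resource, action) tuples). The group names (grp-alice, oac-users, app1-payments-viewer, and so on), the application names App1 and App2, and the users are constructed for the example. The same access decisions come out of both models; the difference is that the single-group model needs one group per authorization profile mapped to the logon role, while the multiple-group model maps only one basic group. The user dave shows the caveat that a granular permission group on its own grants no OAC access without the logon group.

```python
"""Added illustration of OAC-style authorization: a logon role mapping plus
per-group permission sets. Not FTM's own API; all names are constructed."""

LOGON_ROLE = "FTM.Role.Logon"  # the only OAC security role


class OacAuthz:
    """Toy store for groups mapped to the logon role, permission sets per group,
    and group membership per user."""

    def __init__(self):
        self.logon_groups = set()   # groups mapped to FTM.Role.Logon (in the app server)
        self.group_perms = {}       # group -> {(application, resource, action)}
        self.user_groups = {}       # user -> {group}

    def map_to_logon_role(self, *groups):
        self.logon_groups.update(groups)

    def grant(self, group, app, resource, action):
        self.group_perms.setdefault(group, set()).add((app, resource, action))

    def add_member(self, user, *groups):
        self.user_groups.setdefault(user, set()).update(groups)

    def can_log_on(self, user):
        # Basic OAC access needs membership of at least one group mapped to the role.
        return bool(self.user_groups.get(user, set()) & self.logon_groups)

    def effective_permissions(self, user):
        # Union of the permission sets of every group the user belongs to.
        perms = set()
        for group in self.user_groups.get(user, set()):
            perms |= self.group_perms.get(group, set())
        return perms

    def is_allowed(self, user, app, resource, action):
        # Fine-grained permissions only apply once basic login is possible.
        return self.can_log_on(user) and (app, resource, action) in self.effective_permissions(user)


def single_group_model():
    """One group per distinct authorization profile, each mapped to the logon role."""
    a = OacAuthz()
    a.map_to_logon_role("grp-alice", "grp-bob", "grp-carol")
    a.grant("grp-alice", "App1", "payments", "view")
    a.grant("grp-bob", "App1", "payments", "view")
    a.grant("grp-bob", "App1", "payments", "approve")
    a.grant("grp-carol", "App1", "payments", "view")
    a.grant("grp-carol", "App2", "payments", "view")
    a.add_member("alice", "grp-alice")
    a.add_member("bob", "grp-bob")
    a.add_member("carol", "grp-carol")
    return a


def multiple_group_model():
    """One basic group carries logon; granular groups carry permission subsets."""
    a = OacAuthz()
    a.map_to_logon_role("oac-users")
    a.grant("app1-payments-viewer", "App1", "payments", "view")
    a.grant("app1-payments-approver", "App1", "payments", "approve")
    a.grant("app2-payments-viewer", "App2", "payments", "view")
    a.add_member("alice", "oac-users", "app1-payments-viewer")
    a.add_member("bob", "oac-users", "app1-payments-viewer", "app1-payments-approver")
    a.add_member("carol", "oac-users", "app1-payments-viewer", "app2-payments-viewer")
    # Caveat: a granular group alone gives no OAC access without the logon group.
    a.add_member("dave", "app1-payments-viewer")
    return a


# Constructed access checks: (user, application, resource, action).
CHECKS = [
    ("alice", "App1", "payments", "view"),
    ("alice", "App1", "payments", "approve"),
    ("bob", "App1", "payments", "approve"),
    ("carol", "App2", "payments", "view"),
    ("carol", "App1", "payments", "approve"),
]


def decisions(authz):
    """Map each check to the model's allow/deny decision."""
    return {check: authz.is_allowed(*check) for check in CHECKS}


if __name__ == "__main__":
    single, multi = single_group_model(), multiple_group_model()
    print("same decisions in both models:", decisions(single) == decisions(multi))
    print("groups mapped to logon role:", len(single.logon_groups), "vs", len(multi.logon_groups))
    print("dave (granular group only) can log on:", multi.can_log_on("dave"))
```

Run it directly to see that both models produce identical allow/deny results for the same users while mapping three groups versus one to the logon role, and that dave's membership of a permission group does not get him into the OAC at all.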