The FTM.Role.Logon security role, user groups, and authorization
The FTM.Role.Logon role is the only security role for the Operations and Administration Console (OAC). Mapping this role to one or more user groups provides basic login access to the OAC.
You can then provide user groups with various levels of access to the resources or views within the FTM OAC. OAC fine-grained authorization is controlled by assigning permissions to user groups. That is, you must define which user group is allowed to do which actions on which resources for a particular application. You can choose one of the following models:
- Single-group membership
  Each user is a member of exactly one group, and you define a set of permissions for that group. This model means that you must define many groups and many permission sets if you have many users with different authorizations. Moreover, you must map many groups to the role FTM.Role.Logon in WebSphere® Application Server.
- Multiple-group membership
  A user is a member of multiple groups, and you define granular subsets of permissions for each of these groups. In this model, you have a few permission sets and you manage OAC security by assigning users to all the groups that they need. Specifically, you can have only one basic user group that must be mapped to the role FTM.Role.Logon in WebSphere Application Server.
The choice between a single and a multiple group model depends on your security policy. FTM OAC security worked examples shows how to implement these models in the following scenarios:
- Single application scenario, where FTM has only one application.
- Multiple applications scenario, where FTM has several applications.
For a multiple applications scenario, you can either:
- Define a user group with permissions that span several applications.
- Create separate groups, or sets of groups, for each application individually.
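The following Python sketch is an added illustration, not FTM or WebSphere code or configuration syntax. It models the multiple-group approach with separate groups per application and flags two common misconfigurations: users who hold permissions but belong to no group mapped to FTM.Role.Logon, and users who can log on but have no permissions. All group, user, resource and action names are constructed, and the sketch assumes that a user's effective permissions are the union of the permission sets of their groups.

```python
# Illustrative model only: every group, user, resource and action name below is
# constructed, and this is not FTM or WebSphere configuration syntax.
LOGON_ROLE = "FTM.Role.Logon"

def audit(role_mappings, memberships, group_permissions):
    """Return per-user effective access and configuration findings.

    role_mappings:     {role: set of groups mapped to that role}
    memberships:       {user: set of groups the user belongs to}
    group_permissions: {group: set of (application, resource, action)}
    """
    logon_groups = role_mappings.get(LOGON_ROLE, set())
    report = {}
    for user, groups in memberships.items():
        can_log_on = bool(groups & logon_groups)
        # Assumption: permissions are the union over all of the user's groups.
        perms = set()
        for group in groups:
            perms |= group_permissions.get(group, set())
        findings = []
        if perms and not can_log_on:
            findings.append("has permissions but no group mapped to " + LOGON_ROLE)
        if can_log_on and not perms:
            findings.append("can log on but has no permissions")
        report[user] = {
            "can_log_on": can_log_on,
            # Without basic login access, granted permissions cannot be used.
            "effective": perms if can_log_on else set(),
            "findings": findings,
        }
    return report

# Multiple-group model: one base group carries the role mapping, and the
# per-application groups carry granular permission subsets.
ROLE_MAPPINGS = {LOGON_ROLE: {"oac-users"}}
GROUP_PERMISSIONS = {
    "app1-viewers":   {("App1", "Transactions", "view")},
    "app1-operators": {("App1", "Transactions", "release")},
    "app2-viewers":   {("App2", "Batches", "view")},
}
MEMBERSHIPS = {
    "alice": {"oac-users", "app1-viewers", "app1-operators"},
    "bob":   {"oac-users", "app1-viewers", "app2-viewers"},
    "carol": {"app1-operators"},  # missing the base group
    "dave":  {"oac-users"},       # base group only
}

if __name__ == "__main__":
    result = audit(ROLE_MAPPINGS, MEMBERSHIPS, GROUP_PERMISSIONS)
    for user, entry in sorted(result.items()):
        print(user, entry["can_log_on"], sorted(entry["effective"]), entry["findings"])
```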