Operations and Administration Console
Access to the Operations and Administration Console (OAC) requires both authentication and authorization. The OAC itself performs only authorization; authentication is handled outside the OAC, before a request reaches it.
Authorization
Authorization is done after a user is authenticated. Authorization determines which pages, and which actions on those pages, a user is allowed to use. You configure authorization with the roles and permissions that the OAC provides. A permission defines something a user is allowed to do; a role is a set of permissions; a user is associated with a role and therefore inherits the permissions of that role.
The OAC provides a default set of roles and users that you can either modify or replace to meet your authorization requirements. For example, you might need a general role for your remediation users and a general role for your operations users.
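The following model of the page-and-action authorization scheme described above is an added example, not OAC's own code. The role names, page names, actions, and user IDs are hypothetical; the point it shows is that authorization is evaluated only for an already-authenticated session, and that a user gets exactly the permissions of the role assigned to them.

```python
# Added example (not OAC code): roles are sets of (page, action) permissions,
# users are associated with a role, and the check runs after authentication.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Permission:
    page: str    # a console page
    action: str  # an action on that page, e.g. "view" or "resubmit"


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[Permission]


@dataclass
class Session:
    user_id: Optional[str]  # None until authentication has succeeded
    session_id: str


# Hypothetical roles: one for operations users, one for remediation users.
ROLES: Dict[str, Role] = {
    "operations": Role("operations", frozenset({
        Permission("dashboard", "view"),
        Permission("transactions", "view"),
    })),
    "remediation": Role("remediation", frozenset({
        Permission("transactions", "view"),
        Permission("transactions", "resubmit"),
    })),
}

# Hypothetical user-to-role association (not the product's default IDs).
USER_ROLES: Dict[str, str] = {"ops1": "operations", "rem1": "remediation"}


def is_authorized(session: Session, page: str, action: str) -> bool:
    """Deny unauthenticated sessions before any role lookup; an unknown
    user or an unassigned role grants nothing (default deny)."""
    if session.user_id is None:
        return False
    role = ROLES.get(USER_ROLES.get(session.user_id, ""))
    return role is not None and Permission(page, action) in role.permissions


def allowed_actions(user_id: str) -> Dict[str, Set[str]]:
    """Pages and actions a user may use, for reviewing a role's scope."""
    role = ROLES.get(USER_ROLES.get(user_id, ""))
    result: Dict[str, Set[str]] = {}
    for p in (role.permissions if role else ()):
        result.setdefault(p.page, set()).add(p.action)
    return result
```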
For more information about configuring roles and permissions, see the topics under Additional information.
Users
When the OAC is installed, a default set of user IDs for the various user interface components is provided, and these default user IDs are associated with the default roles. You will probably need to modify the default set of user IDs supplied with the OAC to match your own requirements and users.
Administrator user IDs are not needed to run the components. Ensure that only user IDs with limited access are used, so that each component runs with no more authority than it needs.
Web browser
The OAC user interface is displayed within a browser session that communicates with the application that is deployed in WebSphere® Application Server. When a user logs in to the OAC, they receive a session identifier that maintains the state while the user is logged in. Ensure that the browser sessions are secure, because anyone who obtains a valid session identifier can act as that logged-in user.
Some of the request URLs include query parameters, such as IDs. Any server that receives the request can log the values of these query parameters. If you do not want this information to be logged, ensure that every server that receives the request is configured to suppress the logging of URL query parameters. For example, see the NCSA access log setting information in the WebSphere Application Server documentation.
For more information about OAC security and the browser, see the topics under Additional information.
Additional information
The following topics contain more information about OAC security.