The FTM.Role.Logon security role, user groups, and authorization
The FTM.Role.Logon role is the only security role for the Operations and Administration
Console (OAC). Mapping this role to one or more user groups provides basic login access
to the OAC.
- Single-group membership
- Each user is a member of exactly one group, and you define a set of permissions for that group.
This model means that you must define many groups and many permission sets if you have many users with different authorizations. Moreover, you must map many groups to the role FTM.Role.Logon in IBM® WebSphere® Liberty.
- Multiple-group membership
- A user is a member of multiple groups, and you define granular subsets of permissions for each of these groups.
In this model, you have a few permission sets and you manage OAC security by assigning users to all the groups that they need. Specifically, you can have only one basic user group that must be mapped to the role FTM.Role.Logon in IBM WebSphere Liberty.
- Single application scenario, where FTM has only one application.
- Multiple applications scenario, where FTM has several applications.
- Define a user group with permissions that span several applications.
- Create separate groups, or sets of groups, for each application individually.
Preconfigured security roles and user groups
FTM is preconfigured with application security roles and user ID assignment. You need to customize this configuration for your own user IDs and roles.
FTM.Role.Logon.
<application id="OAC" location="FTM.ear" name="FTM">
  <classloader apiTypeVisibility="spec, ibm-api, api, spi, third-party" commonLibraryRef="DB2JCCLib, UserExit">
    <privateLibrary apiTypeVisibility="spec, ibm-api, api, spi, third-party">
      <fileset dir="/opt/ibm/wlp/dependencies" includes="*.jar"/>
    </privateLibrary>
  </classloader>
  <application-bnd id="OAC-BND">
    <security-role id="OAC-SR" name="FTM.Role.Logon">
      <special-subject type="ALL_AUTHENTICATED_USERS"/>
    </security-role>
  </application-bnd>
</application>
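
An added example (not IBM's or the product's own code): a Python check that reads a Liberty server.xml and reports how FTM.Role.Logon is bound, flagging the preconfigured ALL_AUTHENTICATED_USERS mapping shown above. The group name OACBasicUsers and the function audit_role_bindings are hypothetical, and the customized sample assumes Liberty's `<group name="..."/>` binding form.

```python
import xml.etree.ElementTree as ET

# Special subjects that grant a role without any group membership check.
BROAD_SUBJECTS = {"ALL_AUTHENTICATED_USERS", "EVERYONE"}

# The binding as preconfigured on this page (classloader element omitted).
PRECONFIGURED = """
<server>
  <application id="OAC" location="FTM.ear" name="FTM">
    <application-bnd id="OAC-BND">
      <security-role id="OAC-SR" name="FTM.Role.Logon">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
    </application-bnd>
  </application>
</server>
"""

# Constructed sample: a customized binding; the group name is hypothetical.
CUSTOMIZED = PRECONFIGURED.replace(
    '<special-subject type="ALL_AUTHENTICATED_USERS"/>',
    '<group name="OACBasicUsers"/>')


def audit_role_bindings(server_xml, role="FTM.Role.Logon"):
    """Return one finding per binding of `role` in a Liberty server.xml string."""
    findings = []
    root = ET.fromstring(server_xml)
    for app in root.iter("application"):
        for sr in app.iterfind("application-bnd/security-role"):
            if sr.get("name") != role:
                continue
            subjects = [s.get("type") for s in sr.findall("special-subject")]
            groups = [g.get("name") for g in sr.findall("group")]
            broad = sorted(set(subjects) & BROAD_SUBJECTS)
            findings.append({
                "application": app.get("name"),
                "groups": groups,
                "broad_subjects": broad,
                # Not ok if open to a special subject or if no group is mapped.
                "ok": not broad and bool(groups),
            })
    return findings


if __name__ == "__main__":
    for label, xml in (("preconfigured", PRECONFIGURED), ("customized", CUSTOMIZED)):
        for finding in audit_role_bindings(xml):
            print(label, finding)
```

The check only inspects `<application>` elements, as used in the configuration on this page.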