Mapping users and groups to application security roles

Use the madconfig targets map_user_group_to_role or map_user_group_to_role_all_apps to map users and groups to InfoSphere® MDM application security roles and their associated User RunAs roles.

About this task

InfoSphere MDM applications declare several security roles. These roles are managed through WebSphere® Application Server. The applications and associated security roles are as follows:

MDM-operational-server-EBA
The MDM-operational-server-EBA application has the following roles:
  • ServiceProvider, with associated User RunAs roles
  • ServiceConsumer, with associated User RunAs roles
All authenticated users are declared as special subjects.
MDM-web-services
The MDM-web-services application has the following roles:
  • ServiceProvider, with associated User RunAs roles
  • ServiceConsumer
MDM-old-web-services
The MDM-old-web-services application has the following roles:
  • ServiceProvider, with associated User RunAs roles
  • ServiceConsumer
Business Administration UI
Associated roles:
  • SuperRole
  • SystemAdministrator
Note: For the MDM-operational-server-EBA and MDM-old-web-services applications, the initial InfoSphere MDM configuration maps the default MDM administrative user (mdmadmin) to both the ServiceConsumer and ServiceProvider roles. The mdmadmin user is also the default mapping for the User RunAs roles of these two applications.

Procedure

  1. Navigate to the MDM_INSTALL_HOME/mds/scripts folder.
  2. Run the map_user_group_to_role madconfig target:
    • On Microsoft Windows operating systems, use the command
      madconfig map_user_group_to_role
    • On Linux® or UNIX based operating systems, use the command
      ./madconfig.sh map_user_group_to_role
    Tip: As an alternative to the map_user_group_to_role target, you can use the madconfig target map_user_group_to_role_all_apps to map specific users or groups to all InfoSphere MDM application security roles. The map_user_group_to_role_all_apps target sets a value of None for any special subjects within the roles, so a role that was previously open to the All authenticated users special subject is afterwards restricted to the users and groups that you map explicitly.
  3. Provide the values that the utility prompts you for:
    • WebSphere Application Server profile administrator details:
      • host
      • port
      • user name
      • password
      • Trust file path
      • Trust file password
    • Application name and security role that you wish to map
    • User name
      Note: To map the security role for more than one user at a time, separate the user names with a pipe symbol |.
    • User password
      Note: When mapping the security role for more than one user at a time, also separate the passwords with a pipe symbol |. Ensure that the passwords are in the correct order to correspond with the user names.
    • Group name
      Note: To map the security role for more than one user group at a time, separate the group names with a pipe symbol |.
    After you provide all of the required information, the madconfig utility performs the mapping accordingly.
  4. The madconfig targets cannot update the virtual MDM web applications. If your deployment uses the Inspector, Web Reports, or Enterprise Viewer applications, you must also add the new security user to the mpi_usrhead table manually; otherwise, the user cannot log in to those applications.
  5. Log in to the WebSphere Application Server Integrated Solutions Console (admin console).
  6. Restart any application for which you have changed the security roles.
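The User name and User password prompts in step 3 take pipe-separated lists that must line up by position. The following helper is an added example; it is not part of madconfig or of the InfoSphere MDM documentation. It is a POSIX shell script that builds both lists from one set of user:password pairs so the two answers cannot drift out of order, and it rejects any value that contains the | delimiter, on the assumption that madconfig offers no escape syntax for it (the page documents none). The account names and passwords are constructed for illustration. madconfig itself remains interactive: run the target as in step 2 and paste the two generated lines at its User name and User password prompts.

```shell
#!/bin/sh
# Added example, not IBM madconfig code: prepare the pipe-separated answers
# for the map_user_group_to_role "User name" and "User password" prompts
# from one list of "user:password" pairs, so the two lists stay in the same
# order. Assumption: the page gives no escape syntax for "|", so a value
# containing the delimiter is treated as unrepresentable and rejected.

# Constructed sample input; these service accounts are hypothetical.
SAMPLE_PAIRS='svc_batch:B4tch-p@ss
svc_ui:Ui-p@ss-2
svc_ws:Ws-p@ss-3'

# join_field FIELD: read "user:password" lines on stdin and print the chosen
# field (1 = user, 2 = password) of every line, joined with "|".
# The password is everything after the FIRST colon, so passwords may
# contain ":". Exits 1 on a malformed line, an empty field, or a field
# containing the "|" delimiter.
join_field() {
    awk -v f="$1" '
        {
            i = index($0, ":")
            if (i == 0) {
                print "line " NR ": malformed, expected user:password" > "/dev/stderr"
                bad = 1; next
            }
            v = (f == 1) ? substr($0, 1, i - 1) : substr($0, i + 1)
            if (v == "") {
                print "line " NR ": empty field " f > "/dev/stderr"
                bad = 1; next
            }
            if (index(v, "|") > 0) {
                print "line " NR ": field " f " contains the | delimiter" > "/dev/stderr"
                bad = 1; next
            }
            out = (n++ ? out "|" : "") v
        }
        END { if (bad) exit 1; print out }'
}

# users_list PAIRS / passwords_list PAIRS: the two answers for madconfig.
users_list()     { printf '%s\n' "$1" | join_field 1; }
passwords_list() { printf '%s\n' "$1" | join_field 2; }

# entry_count LIST: number of "|"-separated entries. Compare the count for
# both answers before pasting them, so a user never receives a neighbour's
# password because one list is shorter than the other.
entry_count() { printf '%s\n' "$1" | awk -F'|' '{ print NF }'; }

# Stand-alone demo: show the user list and confirm both lists have the same
# length. The password list is deliberately not echoed to the terminal;
# feed passwords_list output to the madconfig prompt directly.
u=$(users_list "$SAMPLE_PAIRS") || exit 1
p=$(passwords_list "$SAMPLE_PAIRS") || exit 1
echo "User name prompt: $u"
if [ "$(entry_count "$u")" -eq "$(entry_count "$p")" ]; then
    echo "User password prompt: $(entry_count "$p") entries, order matches"
else
    echo "count mismatch between users and passwords" >&2
    exit 1
fi
```

Because the separator is a bare pipe, a password that legitimately contains | cannot be supplied through the multi-user form; map that account in a separate run of the target.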