Configuring user authentication for MobileFirst Server administration

Configure user authentication and choose an authentication method. The rest of the configuration procedure depends on the web application server that you use.

MobileFirst Server administration requires user authentication.
Important: If you use stand-alone WebSphere® Application Server full profile, use an authentication method other than the simple WebSphere authentication method (SWAM) in global security. You can use lightweight third-party authentication (LTPA). If you use SWAM, you might experience unexpected authentication failures.

You must configure authentication after the installer deploys the MobileFirst Server administration web applications in the web application server.

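The MobileFirst Server administration has the following Java™ Platform, Enterprise Edition (Java EE) security roles defined:

  • mfpadmin (Administrator)
  • mfpdeployer (Deployer)
  • mfpoperator (Operator)
  • mfpmonitor (Monitor)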

You must map the roles to the corresponding sets of users. The mfpmonitor role can view data but cannot change any data. The following tables list MobileFirst roles and functions for production servers.

Table 1. Deployment

| Function | Administrator | Deployer | Operator | Monitor |
|---|---|---|---|---|
| Java EE security role. | mfpadmin | mfpdeployer | mfpoperator | mfpmonitor |
| Deploy an application. | Yes | Yes | No | No |
| Deploy an adapter. | Yes | Yes | No | No |

Table 2. MobileFirst Server management

| Function | Administrator | Deployer | Operator | Monitor |
|---|---|---|---|---|
| Java EE security role. | mfpadmin | mfpdeployer | mfpoperator | mfpmonitor |
| Configure runtime settings. | Yes | Yes | No | No |

Table 3. Application management

| Function | Administrator | Deployer | Operator | Monitor |
|---|---|---|---|---|
| Java EE security role. | mfpadmin | mfpdeployer | mfpoperator | mfpmonitor |
| Upload new MobileFirst application. | Yes | Yes | No | No |
| Remove MobileFirst application. | Yes | Yes | No | No |
| Upload new MobileFirst adapter. | Yes | Yes | No | No |
| Remove MobileFirst adapter. | Yes | Yes | No | No |
| Turn on or off application authenticity testing for an application. | Yes | Yes | No | No |
| Change properties on MobileFirst application status: Active, Active Notifying, and Disabled. | Yes | Yes | Yes | No |

In summary, all roles can issue GET requests; the mfpadmin, mfpdeployer, and mfpmonitor roles can also issue POST and PUT requests; and the mfpadmin and mfpdeployer roles can also issue DELETE requests.

Table 4. Requests related to push notifications

| Request type | Administrator | Deployer | Operator | Monitor |
|---|---|---|---|---|
| Java EE security role. | mfpadmin | mfpdeployer | mfpoperator | mfpmonitor |
| GET requests | Yes | Yes | Yes | Yes |
| POST and PUT requests | Yes | Yes | Yes | No |
| DELETE requests | Yes | Yes | No | No |

GET requests
  • Get a list of all the devices that use push notification for an application
  • Get the details of a specific device
  • Get the list of subscriptions
  • Get the subscription information that is associated with a subscription ID
  • Get the details of a GCM configuration
  • Get the details of an APNS configuration
  • Get the list of tags that are defined for the application
  • Get details of a specific tag

POST and PUT requests
  • Register an app with push notification
  • Update a push device registration
  • Create a subscription
  • Add or update a GCM configuration
  • Add or update an APNS configuration
  • Submit notifications to a device
  • Create or update a tag

DELETE requests
  • Delete the registration of a device to push notification
  • Delete a subscription
  • Unsubscribe a device from a tag
  • Delete a GCM configuration
  • Delete an APNS configuration
  • Delete a tag

Table 5. Disabling

| Function | Administrator | Deployer | Operator | Monitor |
|---|---|---|---|---|
| Java EE security role. | mfpadmin | mfpdeployer | mfpoperator | mfpmonitor |
| Disable the specific device, marking the state as lost or stolen so that access from any of the applications on that device is blocked. | Yes | Yes | Yes | No |
| Disable a specific application, marking the state as disabled so that access from the specific application on that device is blocked. | Yes | Yes | Yes | No |

If you choose an authentication method that uses a user repository such as LDAP, you can configure the MobileFirst Server administration to use the users and groups in that repository to define its Access Control List (ACL). This procedure depends on the type and version of the web application server that you use.
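
The following audit of a role mapping is an added example, not part of the product documentation or IBM's code. It assumes the mapping is available as a WebSphere Liberty-style `application-bnd` fragment; the sample XML and its group names are constructed, and the HTTP-method matrix is the one in Table 4.

```python
import xml.etree.ElementTree as ET

# HTTP methods each Java EE role may issue for push-notification requests (Table 4).
ROLE_METHODS = {
    "mfpadmin":    {"GET", "POST", "PUT", "DELETE"},
    "mfpdeployer": {"GET", "POST", "PUT", "DELETE"},
    "mfpoperator": {"GET", "POST", "PUT"},
    "mfpmonitor":  {"GET"},
}
WRITE_METHODS = {"POST", "PUT", "DELETE"}

# Constructed sample binding (assumed Liberty-style syntax; subject names are made up).
SAMPLE_BINDING = """
<application-bnd>
  <security-role name="mfpadmin"><group name="mfp-admins"/></security-role>
  <security-role name="mfpoperator"><special-subject type="ALL_AUTHENTICATED_USERS"/></security-role>
  <security-role name="mfpmonitor"><group name="noc-readonly"/></security-role>
</application-bnd>
"""

def parse_binding(xml_text):
    """Return {role: [(subject_kind, subject_name), ...]} from an application-bnd element."""
    bindings = {}
    for role in ET.fromstring(xml_text).iter("security-role"):
        subjects = [(s.tag, s.get("name") or s.get("type")) for s in role]
        bindings.setdefault(role.get("name"), []).extend(subjects)
    return bindings

def audit(bindings):
    """Flag roles with no subjects and catch-all subjects bound to data-changing roles."""
    findings = [("unmapped-role", r, None) for r in ROLE_METHODS if not bindings.get(r)]
    for role, subjects in bindings.items():
        writes = ROLE_METHODS.get(role, set()) & WRITE_METHODS
        for kind, name in subjects:
            if kind == "special-subject" and writes:
                findings.append(("broad-write-access", role, name))
    return sorted(findings, key=lambda f: f[:2])

def allowed(bindings, subject, method):
    """True if any role bound to the (kind, name) subject permits the HTTP method."""
    return any(subject in subjects and method in ROLE_METHODS.get(role, ())
               for role, subjects in bindings.items())

if __name__ == "__main__":
    for finding in audit(parse_binding(SAMPLE_BINDING)):
        print(finding)
```

On the constructed sample, the audit reports that every authenticated user holds mfpoperator, a role that can issue POST and PUT requests, and that mfpdeployer has no users or groups mapped to it.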