Managing CONSOLE mode security

Use console security to ensure that only authorized user IDs can access the Rule Execution Server console.

Before you begin

Before you define the EJBROLE values, you must set up some additional Liberty security. For more information, see the Authenticating a user section in Liberty profile: Accessing z/OS® security resources using WZSSAD.

About this task

Console security controls the ability to sign in to the Rule Execution Server console. If console security is enabled, users must enter a user ID and password to sign in. If the HBRADMIN class includes the following resource profile, console security for the server instance is disabled: 
<HBRSSID_NAME>.NO.SUBSYS.SECURITY
Note: When security is disabled for the zRule Execution Server for z/OS in CONSOLE mode, the default user name and passwords are used. For instance, resAdmin/resAdmin.

To manage console security for a single server, set <HBRSSID_NAME> to a subsystem ID in the server group that is running in CONSOLE mode. To manage console security for multiple servers or for the entire server group, specify a wildcard as the subsystem ID.

Note: In some cases, you might want to disable console security but maintain the other types of security. For more information, see Disabling types of security.

The following table lists the profiles and the roles they represent. The roles are defined in the EJBROLE class so that the embedded WebSphere® Liberty profile server can access them. A user can be assigned to multiple roles.

Resource profile Role description
<HBRSSID_NAME>.res.resMonitors Users with monitoring rights are allowed to view and explore RuleApps, rulesets, decision services, execution units, and statistics. They can also select a trace configuration and view and filter trace information in Decision Warehouse (applies only to Rule Execution Server on WebSphere Application Server for z/OS).
<HBRSSID_NAME>.res.resDeployers Users with deploying rights are allowed to deploy RuleApp archives and to edit and remove entities (RuleApps, rulesets, decision services, Java™ Execution Object Model (XOM) resources and libraries), and run diagnostics.
<HBRSSID_NAME>.res.resAdministrators Users with administrator rights have full control over the deployed resources and access to information on the server. They can carry out the following actions:
  • Deploy, browse, and modify RuleApps, Java XOM resources, and libraries.
  • Monitor the decision history, purge, and back up the history.
  • Select a trace configuration, view and filter trace information, and clear trace information in Decision Warehouse.
  • Run diagnostics and view server information.

Procedure

  1. Define each resource profile that is shown in the previous table to the EJBROLE class by using the following command: 
    RDEFINE EJBROLE <RESOURCE_PROFILE> UACC(NONE)
  2. Refresh the EJBROLE class by using the following command: 
    SETROPTS RACLIST(EJBROLE) REFRESH
  3. Add each user ID to one or more of the resource profiles by using the following command: 
    PERMIT <RESOURCE_PROFILE> CLASS(EJBROLE) ID(<USER_ID>) ACCESS(READ)
  4. Refresh the EJBROLE class again by using the following command: 
    SETROPTS RACLIST(EJBROLE) REFRESH