Enabling application groups

Application groups let you define user groups within the database user registry whose members (users or groups) are contained in the federated LDAP user registry you configured. The benefit of application groups is that you can create groups that are only used in IBM® WebSphere® Portal.

Before you begin

Run the wp-create-db task to add all required federated database user registries and run the wp-create-ldap task to add all required federated LDAP user registries to meet your business requirements before enabling application groups. You must also set the Group entity type to the database user registry and the Person entity type to the LDAP user registry.

Before you complete this task, you might want to view and print the appropriate worksheet. See WebSphere Portal Enable for zOS worksheets.

About this task

You can use application groups in the following scenarios:
Read-only LDAP
If you have a read-only LDAP, you cannot change the group membership of users and groups. If you need to define access rights for certain users that are in different groups, you can create an application group for these users with the required access rights.
Special group setup for WebSphere Portal
In this scenario you need to set up a special group hierarchy that is only used by WebSphere Portal and not by other applications that access your LDAP server. This can help you apply special access control rules just for WebSphere Portal because the roles assigned to the application group also apply to all of its members.
Note: Application groups only apply to WebSphere Portal; they do not apply to external security managers. Also, application groups are not supported when using a built-in file repository.

Perform the following steps to enable application groups:

Procedure

  1. Run the following task to enable application groups:
    Table 1. Task to enable application groups by operating system
    Operating system: Task
    AIX®: ./ConfigEngine.sh wp-update-group-repository-relationship -DWasPassword=password -Drepository.id=ldapid -Drepository.forgroups=dbid from the wp_profile_root/ConfigEngine directory
    IBM i: ConfigEngine.sh wp-update-group-repository-relationship -DWasPassword=password -Drepository.id=ldapid -Drepository.forgroups=dbid from the wp_profile_root/ConfigEngine directory
    Linux: ./ConfigEngine.sh wp-update-group-repository-relationship -DWasPassword=password -Drepository.id=ldapid -Drepository.forgroups=dbid from the wp_profile_root/ConfigEngine directory
    Solaris: ./ConfigEngine.sh wp-update-group-repository-relationship -DWasPassword=password -Drepository.id=ldapid -Drepository.forgroups=dbid from the wp_profile_root/ConfigEngine directory
    Windows: ConfigEngine.bat wp-update-group-repository-relationship -DWasPassword=password -Drepository.id=ldapid -Drepository.forgroups=dbid from the wp_profile_root\ConfigEngine directory
    z/OS®: Complete the following steps:
    1. Start the WebSphere Portal Customization dialog.
    2. From the Portal configuration panel, select Advanced configuration tasks.
    3. Select Security configuration tasks.
    4. Select Advanced security tasks.
    5. Select Miscellaneous tasks.
    6. Select Enabling application groups.
    7. Select Define variables.
      Reminder: Press F1 to display the help panel if you need assistance defining the variables.
    8. Generate the customization jobs.
    9. Follow the Customization Dialog instructions for submitting the customization jobs.
    In these commands, ldapid is the value specified in federated.ldap.id when running the wp-create-ldap task and dbid is the value specified in federated.db.id when running the wp-create-db task.
  2. Stop and restart the WebSphere_Portal server.
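
The following wrapper for step 1 on AIX, Linux, or Solaris is an added example, not part of the IBM documentation or product. It checks the two repository IDs before the task runs and prompts for the password so that it does not land in shell history. The function names are hypothetical, and the allowed character set for repository IDs is an assumption.

```sh
#!/bin/sh
# Added example (not IBM's script). Function names are hypothetical.
# Assumption: repository IDs contain only letters, digits, '_', '.', '-'.

# Reject empty IDs, IDs that start with '-', and IDs containing other
# characters (spaces, quotes), which could smuggle in extra -D options.
valid_repo_id() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  return 0
}

# Returns 0 = usable, 1 = malformed ID, 2 = same ID given for both repositories.
# Groups go to the database registry and persons stay in LDAP, so the
# two IDs must name different repositories.
check_ids() {
  valid_repo_id "$1" || return 1
  valid_repo_id "$2" || return 1
  [ "$1" != "$2" ] || return 2
  return 0
}

# Usage: enable_app_groups <ldapid> <dbid>
# Call it from the wp_profile_root/ConfigEngine directory.
enable_app_groups() {
  check_ids "$1" "$2" || { echo "bad repository IDs: '$1' '$2'" >&2; return 1; }
  printf 'WasPassword: ' >&2
  stty -echo; IFS= read -r was_pw; stty echo; echo >&2
  # The password stays out of shell history, but it is still visible in the
  # process list while ConfigEngine runs.
  ./ConfigEngine.sh wp-update-group-repository-relationship \
    "-DWasPassword=$was_pw" "-Drepository.id=$1" "-Drepository.forgroups=$2"
  rc=$?
  unset was_pw
  return "$rc"
}
```

Source the file from the wp_profile_root/ConfigEngine directory and call enable_app_groups with the values of federated.ldap.id and federated.db.id.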