Controlling user access to collections through WebSphere Application Server

To control which users can access collections through your enterprise search application or the content analytics miner, you must associate users or user groups with the application by using the access control features of your web application server.

About this task

If you use WebSphere Application Server, you can use this procedure to control which users access specific collections.

Procedure

To configure user access controls for a collection through WebSphere Application Server:

  1. Associate application IDs with the collections they can access.
  2. Add role names for the application ID to the web.xml file:
    1. Back up the application EAR file and then extract the EAR file as a ZIP file.
      For an enterprise search application, the file is ES_NODE_ROOT/bin/search.ear. For the content analytics miner, the file is ES_NODE_ROOT/bin/analytics.ear.
    2. Extract the search.war file as a ZIP file.
    3. At the bottom of the web.xml file in the extracted application folder (such as search.ear/search.war/search/WEB-INF/web.xml), locate the <security-role> entries.
    4. Add roles corresponding to all of your application ID entries to the search/web.xml file.
      A role name must be APPID_ROLE__{AppID}, where AppID is an existing application ID. For example, if the application ID is AppCol1, the role name is APPID_ROLE__AppCol1. You can check the application IDs by looking at the ES_NODE_ROOT/master_config/searchapp/appid_mapping.xml file.
    5. Add role name entries corresponding to your application IDs, and then save the web.xml file.
      For example:
      <security-role>
        <role-name>APPID_ROLE__AppCol1</role-name>
      </security-role>
      <security-role>
        <role-name>APPID_ROLE__AppCol2</role-name>
      </security-role>
    6. Select all of the files under the search folder, compress them, and rename the resulting file as search.war.
    7. Compress META-INF and the search.war file, and rename the output as search.ear.
      The compressed folder structure must be the same as the original EAR file.
  3. Update the application through the WebSphere Application Server administration console:
    1. Open the WebSphere Application Server administration console, go to Applications > Application Types > WebSphere enterprise applications, select the application, and click Update.
    2. Specify the new EAR file with the option Replace the entire application.
    3. Click Next and then click Finish.
      After the configuration is saved, you can confirm that the roles were successfully added by clicking the link View Deployment Descriptor in the deployed application menu (Applications > Application Types > WebSphere enterprise applications).
  4. Map users to a specific application ID:
    1. Click the link Security role to user/group mapping in the deployed application menu (Applications > Application Types > WebSphere enterprise applications).
    2. Select roles, including REGISTERED_USER and a newly added APPID role such as APPID_ROLE__AppCol1, and other roles as needed.
      The user that you map must also have the AllAuthenticated role.
    3. Click the menu Map users, select the users to be mapped, click OK, and then save the configuration.
    4. Log in to the enterprise search application (or content analytics miner) as the mapped user.
  5. Restart the Watson Explorer Content Analytics system:
    esadmin system stopall
    esadmin system startall
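
As an added example (not part of the product documentation), the following Python check can be run on a rebuilt search.ear before it is uploaded in step 3: it compares the archive layout with the backed-up original and confirms that web.xml declares exactly one APPID_ROLE__{AppID} role per application ID. It assumes that web.xml sits at WEB-INF/web.xml inside the WAR and that the application IDs are supplied as a list; the function names and the in-memory sample archive built by make_ear are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ROLE_PREFIX = "APPID_ROLE__"  # naming rule from step 2.4

def local_name(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace if web.xml declares one

def file_names(zip_bytes):
    """File entries in an archive, ignoring directory entries some ZIP tools add."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {n for n in z.namelist() if not n.endswith("/")}

def declared_roles(ear_bytes, war_name="search.war"):
    """<role-name> values inside <security-role> in the WAR's WEB-INF/web.xml."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        war_bytes = ear.read(war_name)
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        root = ET.fromstring(war.read("WEB-INF/web.xml"))
    return {rn.text.strip() for sr in root.iter() if local_name(sr.tag) == "security-role"
            for rn in sr if local_name(rn.tag) == "role-name" and rn.text}

def check_ear(original, rebuilt, app_ids, war_name="search.war"):
    """Return a list of problems; an empty list means the rebuilt EAR looks right."""
    problems = [f"EAR layout differs from original: {name}"
                for name in sorted(file_names(original) ^ file_names(rebuilt))]
    try:
        roles = declared_roles(rebuilt, war_name)
    except KeyError as exc:  # WAR or web.xml is not at the expected path
        return problems + [f"cannot read roles: {exc}"]
    problems += [f"missing role: {ROLE_PREFIX}{a}" for a in app_ids
                 if ROLE_PREFIX + a not in roles]
    problems += [f"role without application ID: {r}" for r in sorted(roles)
                 if r.startswith(ROLE_PREFIX) and r[len(ROLE_PREFIX):] not in app_ids]
    return problems

def make_ear(role_names, prefix=""):
    """Constructed sample EAR (not a real search.ear) for trying the check offline."""
    xml = "<web-app>" + "".join(
        f"<security-role><role-name>{r}</role-name></security-role>"
        for r in role_names) + "</web-app>"
    war, ear = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", xml)
    with zipfile.ZipFile(ear, "w") as z:
        z.writestr(prefix + "META-INF/application.xml", "<application/>")
        z.writestr(prefix + "search.war", war.getvalue())
    return ear.getvalue()
```

For real files, pass the bytes of the backup and of the rebuilt EAR, for example check_ear(open(backup, "rb").read(), open(rebuilt, "rb").read(), ["AppCol1", "AppCol2"]), where backup and rebuilt are your own file paths.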