User profile requirements to use the Web Administration for i interface
By default, only users with *ALLOBJ
and *IOSYSCFG
special
authorities can manage and create Web-related servers on the system
through the use of the IBM® Web
Administration for i interface.
Web-related servers include instances of IBM HTTP Server, WebSphere
Application Server, Integrated Application Server, and Integrated
Web Services Server. A user without the necessary IBM i special authorities
to manage or create Web-related servers requires an administrator
to grant that user permission to a server or group of servers.
To be able to access the Web Administration for i interface, the IBM i user profile used to sign on must meet at least one of the following conditions:
- The user profile has
*ALLOBJ
and*IOSYSCFG
special authorities. - The user profile has been granted permission to an entire class of servers, or a specific server.
- The user profile has been granted permission to create servers.
For example, if a user wants to create an HTTP server using the Web Administration for i interface, the user profile must either have *ALLOBJ and *IOSYSCFG special authorities, or have permission to create HTTP servers.
*ALLOBJ
and *IOSYSCFG
special
authority are allowed to grant, revoke, or manage user permissions.
The granting of permissions to a user profile is done through the Web Administration for i interface by giving
user profiles that need to access the Web Administration for i interface roles to specific servers
or a class of servers. *ALLOBJ
authority
to a user profile or using the QSECOFR
user profile
to access the Web Administration for i interface
is not recommended.Roles
Roles define a set of permissions that define what operations a user is allowed to perform on a server. The Web Administration for i interface defines the following roles:
- Administrator
- Any IBM i user
profile with
*ALLOBJ
and*IOSYSCFG
special authority is identified with the role of Administrator. An Administrator has unrestricted use of every feature in the Web Administration for i interface, including the ability to manage user permissions. An Administrator cannot be assigned any other role.Note: A user profile cannot be assigned this role. - Developer
- Is allowed to view and modify a server, including the ability to delete a server. A Developer can use Web Performance Monitor and Web Performance Advisor, but cannot change system-wide settings, such as memory pool allocations.
- Operator
- Is allowed to view a server, including the capability to start and stop a server. In addition, an Operator is allowed to modify trace settings for a server.
If a user with a role of Developer or Operator has no role assigned to them for a server, they are not allowed to view the server or any of its attributes.
Permissions
A permission is the ability to perform an operation on a server. The ability for a user to perform operations on a server is determined by the role they have been assigned for the server. The Web Administration for i roles are defined with the following permissions:
Permissions | Roles | ||
---|---|---|---|
Administrator | Developer | Operator | |
Start/Stop server | x | x | x |
Delete server | x | x | |
Install/Remove applications | x | x | |
Install/Remove Web servicesNote 1 | x | x | |
Start/Stop applications | x | x | x |
Start/Stop Web servicesNote 1 | x | x | x |
Modify server attributes | x | x | |
Modify application attributes | x | x | |
Create database connections | x | x | |
Delete database connections | x | x | |
Modify server tracing | x | x | |
Use Web Performance Advisor | x | x | |
Use Web Performance Monitor | x | x | |
Use Web Log Monitor | x | x | |
Create serverNote 2 | x | ||
Notes:
|
Permissions can be granted to a specific server or to all servers of a certain type. The Web Administration for i interface supports granting permissions to the following types of servers:
- Integrated Web Application Servers
- Integrated Web Services Servers
- WebSphere Application Servers
- HTTP Servers
- If you grant a user permission to create an application server or Web services server, then you must also grant the user permission to create HTTP Servers. This is due to the association between an HTTP Server and the application server or Web services server.
- If you grant a user permissions to an application server or Web
services server, and you do not explicitly grant the user permissions
to the associated HTTP Server(s), the user is automatically granted
the same permissions to the associated HTTP Servers(s). This is also
true in reverse. If you grant a user permissions to an HTTP Server,
and you do not explicitly grant the user permissions to the associated
application server or Web services server, the user is automatically
granted the same permissions to the associated application server
or Web services server. Note: A warning message is displayed on the Web Administration for i interface when permissions are implicitly granted to a user.
- If you attempt to grant a user different permissions to an HTTP
Server and the associated application server or Web services server,
the user is granted the higher permission and both servers get assigned
that permission.Note: A warning message is displayed on the Web Administration for i interface when permissions to servers are upgraded.
If a user has no permissions to any servers, and no permission to create any type of server, then the user is not allowed to access the Web Administration for i interface.