User profile requirements to use the Web Administration for i interface

By default, only users with *ALLOBJ and *IOSYSCFG special authorities can manage and create Web-related servers on the system through the use of the IBM® Web Administration for i interface. Web-related servers include instances of IBM HTTP Server, WebSphere Application Server, Integrated Application Server, and Integrated Web Services Server. A user without the necessary IBM i special authorities to manage or create Web-related servers requires an administrator to grant that user permission to a server or group of servers.

To be able to access the Web Administration for i interface, the IBM i user profile used to sign on must meet at least one of the following conditions:

  • The user profile has *ALLOBJ and *IOSYSCFG special authorities.
  • The user profile has been granted permission to an entire class of servers, or a specific server.
  • The user profile has been granted permission to create servers.

For example, if a user wants to create an HTTP server using the Web Administration for i interface, the user profile must either have *ALLOBJ and *IOSYSCFG special authorities, or have permission to create HTTP servers.

Only users with *ALLOBJ and *IOSYSCFG special authority are allowed to grant, revoke, or manage user permissions. Permissions are granted through the Web Administration for i interface by assigning roles, for specific servers or for a class of servers, to the user profiles that need to access the interface.

Note: Granting *ALLOBJ authority to a user profile or using the QSECOFR user profile to access the Web Administration for i interface is not recommended.

Roles

A role is a set of permissions that determines which operations a user is allowed to perform on a server. The Web Administration for i interface defines the following roles:

Administrator
Any IBM i user profile with *ALLOBJ and *IOSYSCFG special authority is identified with the role of Administrator. An Administrator has unrestricted use of every feature in the Web Administration for i interface, including the ability to manage user permissions. An Administrator cannot be assigned any other role.
Note: A user profile cannot be assigned this role.
Developer
Is allowed to view and modify a server, including the ability to delete a server. A Developer can use Web Performance Monitor and Web Performance Advisor, but cannot change system-wide settings, such as memory pool allocations.
Operator
Is allowed to view a server, including the capability to start and stop a server. In addition, an Operator is allowed to modify trace settings for a server.

If a user with a role of Developer or Operator has no role assigned to them for a server, they are not allowed to view the server or any of its attributes.

Permissions

A permission is the ability to perform an operation on a server. The ability for a user to perform operations on a server is determined by the role they have been assigned for the server. The Web Administration for i roles are defined with the following permissions:

Table 1. Permissions corresponding to each role.

| Permission | Administrator | Developer | Operator |
|---|---|---|---|
| Start/Stop server | x | x | x |
| Delete server | x | x | |
| Install/Remove applications | x | x | |
| Install/Remove Web services (Note 1) | x | x | |
| Start/Stop applications | x | x | x |
| Start/Stop Web services (Note 1) | x | x | x |
| Modify server attributes | x | x | |
| Modify application attributes | x | x | |
| Create database connections | x | x | |
| Delete database connections | x | x | |
| Modify server tracing | x | x | |
| Use Web Performance Advisor | x | x | |
| Use Web Performance Monitor | x | x | |
| Use Web Log Monitor | x | x | |
| Create server (Note 2) | x | | |

Notes:
  1. Web services deployed within integrated Web services servers.
  2. An administrator granting permissions to a user profile needs to explicitly grant the create-server permission.
Only an Administrator can grant permissions. Permissions are granted through the Web Administration for i interface by assigning roles, for specific servers or for a class of servers, to the user profiles that need to access the interface.
Note: If a user creates a server, they are automatically assigned the role of Developer to the newly created server.

Permissions can be granted to a specific server or to all servers of a certain type. The Web Administration for i interface supports granting permissions to the following types of servers:

  • Integrated Web Application Servers
  • Integrated Web Services Servers
  • WebSphere Application Servers
  • HTTP Servers

When granting permissions, you should be aware of the following points:
  • If you grant a user permission to create an application server or Web services server, then you must also grant the user permission to create HTTP Servers. This is due to the association between an HTTP Server and the application server or Web services server.
  • If you grant a user permissions to an application server or Web services server, and you do not explicitly grant the user permissions to the associated HTTP Server(s), the user is automatically granted the same permissions to the associated HTTP Server(s). This is also true in reverse. If you grant a user permissions to an HTTP Server, and you do not explicitly grant the user permissions to the associated application server or Web services server, the user is automatically granted the same permissions to the associated application server or Web services server.
    Note: A warning message is displayed on the Web Administration for i interface when permissions are implicitly granted to a user.
  • If you attempt to grant a user different permissions to an HTTP Server and the associated application server or Web services server, the user is granted the higher permission and both servers get assigned that permission.
    Note: A warning message is displayed on the Web Administration for i interface when permissions to servers are upgraded.

If a user has no permissions to any servers, and no permission to create any type of server, then the user is not allowed to access the Web Administration for i interface.
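
The grant rules above can leave a profile with more authority than the Administrator entered, so a least-privilege review should compare explicit grants with effective ones. The following Python model is an added example, not IBM code: it applies the implicit-grant and upgrade rules to one profile's grants and reports where the result differs. The server names and the type labels IAS, IWS, WAS and HTTP are constructed for illustration, and the model assumes each server appears in at most one association.

```python
# Added model of the documented grant rules; not IBM code.
RANK = {"Operator": 1, "Developer": 2}      # Developer has every Operator permission in Table 1
ADMIN_AUTHS = {"*ALLOBJ", "*IOSYSCFG"}      # both are required for the Administrator role

def effective_roles(explicit, associations):
    """Apply the implicit-grant and upgrade rules for one user profile.

    explicit:     {server_name: role} as entered by the Administrator
    associations: [(http_server, app_or_ws_server), ...]; assumption: each
                  server appears in at most one pair
    Returns (roles, warnings); warnings mirror the two warning messages.
    """
    roles, warnings = dict(explicit), []
    for http, other in associations:
        a, b = roles.get(http), roles.get(other)
        if a == b:                           # same role, or no grant on either side
            continue
        if a is None or b is None:           # one side granted: copy to the other
            target = http if a is None else other
            roles[target] = a or b
            warnings.append(("implicit", target, roles[target]))
        else:                                # different roles: higher one wins on both
            high = max(a, b, key=RANK.__getitem__)
            raised = http if a != high else other
            roles[http] = roles[other] = high
            warnings.append(("upgraded", raised, high))
    return roles, warnings

def can_access_interface(special_auths, roles, create_types):
    """True if the profile meets at least one of the three sign-on conditions."""
    return ADMIN_AUTHS <= set(special_auths) or bool(roles) or bool(create_types)

def unrequested_developer(explicit, associations):
    """Servers where the profile ends up Developer without an explicit Developer grant."""
    roles, _ = effective_roles(explicit, associations)
    return sorted(s for s, r in roles.items()
                  if r == "Developer" and explicit.get(s) != "Developer")

def missing_create_grants(create_types):
    """Creating an application or Web services server also needs create-HTTP permission."""
    needs_http = create_types & {"IAS", "IWS", "WAS"}
    return {"HTTP"} if needs_http and "HTTP" not in create_types else set()

# Constructed sample: Operator on the HTTP server, Developer on its application server.
GRANTS = {"WEBHTTP1": "Operator", "APPSVR1": "Developer"}
LINKS = [("WEBHTTP1", "APPSVR1")]
```

With the constructed sample, the Operator grant on WEBHTTP1 is raised to Developer, which per Table 1 adds the ability to delete that HTTP server.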