Chapter 11 Security Configuration Tasks
EAServer's authorization model is based on roles, which are defined in Jaguar Manager. Each role can include and exclude specific user names or digital IDs. If you use native operating system authentication, you can also include and exclude operating system group names; all users in the specified group are affected.
To include or exclude a digital ID, it must appear in either the Security Manager's User Certificate folder, or the Other Certificate folder.
Roles are attached to EAServer packages and components. A package or component's role controls access as follows:
You must either refresh or restart EAServer for any role changes to take effect.
Refreshing EAServer
Defining a new role
Deleting an existing role
Only the owner or a member of the role named Admin Role can delete a role, except for Admin Role itself, which cannot be deleted. See "Admin role in EAServer" for more information.
Modifying an existing role
Adding an existing role, or creating and adding a new role to a package, component, or method
A package, component, or method with no roles or role memberships defined has no access restrictions.
Each role can include and exclude specific user names and digital IDs. If you use native operating system authentication, you can also include and exclude operating system group names; all users in the specified group are affected.
Assigning authorized users to a role of a component or a package
The user's name appears on the right side of the window when you highlight the Authorized Users folder.
To remove an existing authorized user, highlight the member and select File | Remove Member.
Assigning authorized groups to a role of a component or a package
The group's name appears on the right side of the window when you highlight the Authorized Groups folder.
To remove an existing authorized group, highlight the member and select File | Remove Member.
The users and groups of a role are mapped to operating system users and groups. To validate users and groups, you must click Enable User and Group Validation from the server's Security property sheet. You can only add validated groups to roles. When Enable User and Group Validation is disabled, package and component authorizations stop at the user level. There is no attempt to check group level authorization.
Assigning authorized digital IDs (certificates) to a component or a package
The user's name appears on the right side of the window when the Authorized Digital IDs folder is highlighted.
To remove an existing authorized digital ID, highlight the member and select File | Remove Member.
You can verify, export, or view information about an authorized digital ID by highlighting the digital ID and selecting the corresponding option from the file menu. See Chapter 12, "Managing Keys and Certificates" for more information about these options.
Excluding users from a component or a package
The user's name appears on the right side of the window when the Excluded Users folder is highlighted.
To remove an existing excluded user, highlight the member and select File | Remove Member.
Excluding groups from a component or a package
The group's name appears on the right side of the window when you highlight the Excluded Groups folder.
To remove an existing excluded group, highlight the member and select File | Remove Member.
Excluding digital IDs (certificates) from a component or a package
The user's name appears on the right side of the window when the Excluded Digital IDs folder is highlighted.
To remove an existing excluded digital ID, highlight the member and select File | Remove Member.
You can verify, export, or view information about an excluded digital ID by highlighting the digital ID and selecting the corresponding option from the file menu.
The following order is used to determine role-based authorization:
Excluded lists simplify the task of granting authorization to a small number of users: when you use group-based authorization, you can deny access to individual users by user name, regardless of the authorized groups to which they belong.
If a user is a member of an excluded user or group list, EAServer does not invoke the Role Service (CtsSecurity/RoleService) if defined for that server.
EAServer includes a number of predefined, read-only roles that you can use to facilitate authorization to EAServer resources. Role names are case sensitive and include:
ServiceControl: Prevents clients from invoking service components.
anonymous: Allows access to an 'anonymous' user.
everybody: Allows access to all authenticated users.
system: Prevents access by any client. The system user is a member, so components with this role can run as EAServer services.
nobody: Prevents all access to a method or component. No user is a member of this role, not even the EAServer system user.
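The following is an added example, not code from the EAServer product or this manual, that models the authorization rules described in this chapter: authorized and excluded users, groups and digital IDs on a role, the effect of Enable User and Group Validation, the predefined roles listed above, and the rule that a package, component or method with no roles or memberships is unrestricted. The role and caller data is constructed, and the evaluation order (exclusions first, then the predefined roles, then authorized members) and the assumption that membership in any one attached role is sufficient are inferred from the text rather than taken from EAServer itself.

```python
"""Model of EAServer role-based authorization as described in this chapter.

Constructed example: the roles and callers below are made up, and the
evaluation order (exclusions, then predefined roles, then authorized members)
is inferred from the chapter text, not taken from EAServer's implementation.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, FrozenSet, List

# Names are case sensitive, as the chapter notes.
PREDEFINED_ROLES = {"ServiceControl", "anonymous", "everybody", "system", "nobody"}


@dataclass
class Role:
    name: str
    authorized_users: Set[str] = field(default_factory=set)
    authorized_groups: Set[str] = field(default_factory=set)
    authorized_ids: Set[str] = field(default_factory=set)   # digital IDs (certificates)
    excluded_users: Set[str] = field(default_factory=set)
    excluded_groups: Set[str] = field(default_factory=set)
    excluded_ids: Set[str] = field(default_factory=set)

    def has_memberships(self) -> bool:
        return any((self.authorized_users, self.authorized_groups, self.authorized_ids,
                    self.excluded_users, self.excluded_groups, self.excluded_ids))


@dataclass(frozen=True)
class Caller:
    user: Optional[str]                       # None models an unauthenticated (anonymous) caller
    groups: FrozenSet[str] = frozenset()      # OS groups; only consulted when validation is on
    digital_id: Optional[str] = None          # client certificate identity, if one was presented


def predefined_grants(role_name: str, caller: Caller) -> bool:
    """Membership rules for the read-only predefined roles."""
    if role_name == "everybody":
        return caller.user is not None         # all authenticated users
    if role_name == "anonymous":
        return caller.user is None             # assumption: the 'anonymous' user is the unauthenticated caller
    if role_name == "system":
        return caller.user == "system"         # only the EAServer system user
    # 'nobody' has no members at all. 'ServiceControl' blocks clients, and this model
    # only ever evaluates client callers, so both deny here.
    return False


def role_grants(role: Role, caller: Caller, validate_groups: bool) -> bool:
    """Exclusions win over any authorized membership, which is what makes the
    excluded lists useful for denying individual users of an authorized group."""
    if caller.user in role.excluded_users or caller.digital_id in role.excluded_ids:
        return False
    if validate_groups and caller.groups & role.excluded_groups:
        return False
    if role.name in PREDEFINED_ROLES:
        return predefined_grants(role.name, caller)
    if caller.user in role.authorized_users or caller.digital_id in role.authorized_ids:
        return True
    # With Enable User and Group Validation off, authorization stops at the user level.
    return validate_groups and bool(caller.groups & role.authorized_groups)


def authorize(roles: List[Role], caller: Caller, validate_groups: bool = True) -> bool:
    """Access decision for a package, component or method with these roles attached.
    Assumption: membership in any one attached role is enough."""
    if not any(r.name in PREDEFINED_ROLES or r.has_memberships() for r in roles):
        return True   # no roles, or no role memberships defined: no access restrictions
    return any(role_grants(r, caller, validate_groups) for r in roles)


# Constructed sample data.
PAYROLL = Role("Payroll", authorized_groups={"finance"}, excluded_users={"contractor1"})
CERT_ONLY = Role("CertOnly", authorized_ids={"CN=alice,O=Example"})
ALICE = Caller("alice", frozenset({"finance"}))
CONTRACTOR = Caller("contractor1", frozenset({"finance"}))
CERT_CALLER = Caller(None, digital_id="CN=alice,O=Example")

if __name__ == "__main__":
    print("alice, validation on :", authorize([PAYROLL], ALICE, True))
    print("alice, validation off:", authorize([PAYROLL], ALICE, False))
    print("excluded contractor  :", authorize([PAYROLL], CONTRACTOR, True))
    print("certificate caller   :", authorize([CERT_ONLY], CERT_CALLER))
```

Running the script shows the two behaviours the chapter singles out: the contractor is denied even though the finance group is authorized, and alice loses access as soon as group validation is disabled, because the group-level check is then never attempted.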
Every EAServer contains an Admin package and an Admin role. You must be a member of the Admin role to run Jaguar Manager or Security Manager.
Initially, only jagadmin is a member of this role. The jagadmin user can set up additional members.
Copyright © 2002 Sybase, Inc. All rights reserved.