Default MBean security policy
This topic discusses the default managed bean (MBean) security policy. In most cases, MBean developers do not need to specify a security policy.
- A configuration type MBean
- A runtime type MBean
- A deployer type MBean
In the configRepository.xml descriptor file, the configureMBean="true" attribute indicates that the MBean is a configuration type.

```xml
<MBean type="ConfigRepository"
       version="5.0"
       platform="common"
       description="Management interface for the configuration repository."
       configureMBean="true">
```
In the EJBModule.xml descriptor file, the deployerMBean="true" attribute indicates that the MBean is a deployer type.

```xml
<MBean type="EJBModule" j2eeType="EJBModule"
       version="5.0"
       platform="dynamicproxy"
       resourceIdentifierKey="Application"
       resourceType="Application"
       deployerMBean="true"
       description="Management interface for the EJBModule component.">
```
WebSphere® Application Server extended role-based access control supports role inheritance. Five administrative roles exist: administrator, configurator, operator, deployer, and monitor. The monitor role is the least privileged administrative role. Users that are granted the monitor role can view the WebSphere Application Server configuration and the runtime status, but cannot make any changes. Each of the other administrative roles has its own set of privileges in addition to the privileges of the monitor role.
The configurator role has permission to modify WebSphere Application Server configuration data. The operator role has permission to change the runtime state, such as starting and stopping administrative resources. The configurator role cannot change the runtime status and, conversely, the operator role cannot change the WebSphere Application Server configuration. The administrator role includes the configurator and operator roles, but has more permissions than the union of the two: it can additionally change the administrative security configuration. The deployer role is a combination of the configurator and operator roles for application management, so it has both configurator and operator permission for applications. A diagram shows the administrative role inheritance relationship.
An MBean method has an impact value of INFO or ACTION. Here are some examples:
- A get method has an impact value of INFO and a write method has an impact value of ACTION.
- In the ConfigRepository MBean, the extract method does not change the configuration data and has an impact value of INFO, while the modify method has an impact value of ACTION.
- In the Java™ virtual machine (JVM) MBean, which is an operator type of MBean, the getCurrentTimeInMillis method has an impact value of ACTION.
A configuration MBean method that has an impact value of INFO requires the monitor role. A configuration MBean method that has an impact value of ACTION requires the configurator role. A deployer MBean method that has an impact value of INFO requires the monitor role. A deployer MBean method that has an impact value of ACTION requires the deployer role. Because all administrative roles are monitor roles, any administrative role can access configuration MBean methods and deployer MBean methods that have an impact value of INFO. The administrator role is a configurator role and has access to the configuration MBean methods that have an impact value of ACTION.
The default security policy for the configuration MBean is summarized in the following table:
Method impact | Monitor role | Operator role | Configurator role | Deployer role | Administrator role |
---|---|---|---|---|---|
INFO | X | X | X | X | X |
ACTION | | | X | | X |
The default security policy for the operation MBean is summarized in the following table:
Method impact | Monitor role | Operator role | Configurator role | Deployer role | Administrator role |
---|---|---|---|---|---|
INFO | X | X | X | X | X |
ACTION | | X | | | X |
The default security policy for the deployer MBean is summarized in the following table:
Method impact | Monitor role | Operator role | Configurator role | Deployer role | Administrator role |
---|---|---|---|---|---|
INFO | X | X | X | X | X |
ACTION | X | X | X |
If an MBean has both the configureMBean attribute and the deployerMBean attribute set to true, the required role for all actions is either configurator or monitor. No such MBean is presently defined in the system.
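
The default policy described above can be applied to descriptors to list the role each operation requires. The following is an added example, not IBM code: the `<operation name impact>` child layout, the names op1/op2/op3 and the "Example" MBean are assumptions, and the descriptors are constructed samples.

```python
import xml.etree.ElementTree as ET

# Role required for an ACTION method, by MBean type, as the page describes.
# INFO methods need only the monitor role regardless of type.
ACTION_ROLE = {"configuration": "configurator",
               "deployer": "deployer",
               "runtime": "operator"}

def mbean_kind(mbean):
    """Classify an <MBean> element from its descriptor attributes."""
    if mbean.get("configureMBean") == "true":
        # Also covers deployerMBean="true" being set as well: the page says
        # configurator or monitor then applies (read here as ACTION / INFO).
        return "configuration"
    if mbean.get("deployerMBean") == "true":
        return "deployer"
    return "runtime"  # neither flag set

def required_roles(descriptor_xml):
    """Map each operation name to the role the default policy requires."""
    mbean = ET.fromstring(descriptor_xml)
    kind = mbean_kind(mbean)
    roles = {}
    for op in mbean.iter("operation"):
        impact = op.get("impact")
        if impact == "INFO":
            roles[op.get("name")] = "monitor"
        elif impact == "ACTION":
            roles[op.get("name")] = ACTION_ROLE[kind]
        else:
            # Missing or unexpected impact: flag for manual review
            # (a choice made for this example, not documented behaviour).
            roles[op.get("name")] = None
    return roles

# Constructed descriptors: MBean attributes follow the page's excerpts; the
# <operation> child layout and the names op1/op2/op3 are assumptions.
CONFIG = ('<MBean type="ConfigRepository" configureMBean="true">'
          '<operation name="extract" impact="INFO"/>'
          '<operation name="modify" impact="ACTION"/></MBean>')
DEPLOYER = ('<MBean type="EJBModule" deployerMBean="true">'
            '<operation name="op1" impact="ACTION"/>'
            '<operation name="op2"/></MBean>')
JVM = ('<MBean type="JVM">'
       '<operation name="getCurrentTimeInMillis" impact="ACTION"/></MBean>')
BOTH = ('<MBean type="Example" configureMBean="true" deployerMBean="true">'
        '<operation name="op3" impact="ACTION"/></MBean>')

if __name__ == "__main__":
    for xml in (CONFIG, DEPLOYER, JVM, BOTH):
        print(required_roles(xml))
```

An operation that maps to None has no usable impact value and should be checked by hand before relying on the default policy for it.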