Administration Tip: separation of IT Admins from Jazz users in WAS

Deploying the Jazz CLM solution on WebSphere Application Server requires that both Administrative Security and Application Security are enabled and configured for use by the Jazz platform. When planning the deployment on this application server you need to decide which user registry will be configured and how the users and groups in that registry map to the Jazz repository roles: JazzAdmins, JazzProjectAdmins, JazzUsers, JazzDWAdmins and JazzGuests.

This task can be time consuming depending on how your user registry is organized, where the users reside, and how flexible your organization is about modifying the registry to fit the Jazz role mapping (for instance, creating a new LDAP group when one is needed). In practice you will often need to integrate user registries from different sources. A couple of Jazz articles cover how to use WAS Federated Repositories to address this:

Tip: Advanced configuration of WebSphere with Federated Realm

Tip: Configuring WAS with Federated realm

While planning this security deployment there is another question I usually get asked: what about the WAS administrators themselves? By default, all administrative and user applications in WebSphere Application Server share the same global security configuration. So once you have chosen and configured the registry for your CLM applications, that same registry is also used to administer WAS. At that point you identify the users and groups in your registry that should hold the WAS administrative roles:

[Screenshot: Users and Groups administrative role mapping in the WAS console]

In addition to this option, WAS v7 (yes, it has been a while already) introduced a security capability called Security Domains. This feature lets administrators define multiple security configurations for use within a cell or application server. In other words, you can define one security configuration for the server that hosts your CLM deployment and a different one for administering WebSphere Application Server itself.

This feature offers great flexibility from the WebSphere point of view. For your CLM deployment, it lets you focus on defining the user registry your Jazz deployment will use without touching the default WebSphere administration security configuration your enterprise already relies on. Keep in mind that the administrative roles (administrator, configurator, operator, and so on) are always resolved against the global security registry; a security domain only changes how the applications scoped to it authenticate and authorize their users, which is exactly what you want for the Jazz roles.
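As an added example (not part of the original post, and not IBM's or the Jazz project's own code), here is a wsadmin Jython script that performs both steps described above: it maps an LDAP group to the WAS administrator role in global security, then creates a security domain scoped to the CLM server with its own LDAP registry for Jazz users. The domain name, node and server names, LDAP host, DNs and bind password are placeholders I made up; the AdminTask command names are the WebSphere 7+ wsadmin commands for security domains, but verify the parameter list against the documentation for your WAS version before running it. Inside WAS run it with `wsadmin.sh -lang jython -f`; outside wsadmin (no AdminTask object) it only prints the commands it would issue.

```python
# Added example, not from the original post: keep WebSphere administration on the
# global security registry and give the CLM server its own security domain with a
# separate LDAP registry for Jazz users.
# Run inside WAS:  wsadmin.sh -lang jython -f clm_security_domain.py
# Outside wsadmin (no AdminTask/AdminConfig objects) it only prints the commands.
# Written for Jython 2.1 (WAS 7 wsadmin): no print(), no True/False builtins.
import sys

DOMAIN = "CLMDomain"                                   # assumed name of the new security domain
CLM_RESOURCE = "Cell=:Node=clmNode01:Server=clmServer01"  # assumed scope (node/server names are placeholders)
ADMIN_GROUP = "cn=wasadmins,ou=groups,dc=example,dc=com"  # assumed group in the GLOBAL registry
LDAP = {                                               # assumed LDAP used only by the app domain
    "realm": "jazzLdapRealm",
    "host": "ldap.example.com",
    "port": "389",
    "baseDN": "dc=example,dc=com",
    "bindDN": "cn=jazzbind,ou=service,dc=example,dc=com",
    "bindPassword": "changeit",                        # placeholder; use a vault/credential file in practice
}

def admin_role_commands(group):
    """Global security: who administers WAS. Unaffected by any application domain."""
    return [("mapGroupsToAdminRole",
             "-roleName administrator -groupids %s" % group)]

def domain_commands(domain, resource, ldap):
    """Security domain for the CLM server: a separate registry for Jazz users."""
    return [
        ("createSecurityDomain",
         '-securityDomainName %s -securityDomainDescription "Jazz CLM users"' % domain),
        ("mapResourceToSecurityDomain",
         "-securityDomainName %s -resourceName %s" % (domain, resource)),
        ("configureAppLDAPUserRegistry",
         "-securityDomainName %s -realmName %s -ldapServerType IBM_DIRECTORY_SERVER "
         "-ldapHost %s -ldapPort %s -baseDN %s -bindDN %s -bindPassword %s "
         "-searchTimeout 300 -reuseConnection true -verifyRegistry true"
         % (domain, ldap["realm"], ldap["host"], ldap["port"], ldap["baseDN"],
            ldap["bindDN"], ldap["bindPassword"])),
        ("setAppActiveSecuritySettings",
         "-securityDomainName %s -activeUserRegistry LDAPUserRegistry "
         "-appSecurityEnabled true" % domain),
    ]

def run(commands, task, config):
    """Issue each (command, args) pair through AdminTask, then save the configuration."""
    for name, args in commands:
        getattr(task, name)(args)
    config.save()

def dry_run(commands, out):
    """Print the exact wsadmin calls without executing anything."""
    for name, args in commands:
        out.write("AdminTask.%s('%s')\n" % (name, args))

try:
    AdminTask; AdminConfig          # injected by wsadmin; NameError elsewhere
    _in_wsadmin = 1
except NameError:
    _in_wsadmin = 0

ALL = admin_role_commands(ADMIN_GROUP) + domain_commands(DOMAIN, CLM_RESOURCE, LDAP)
if _in_wsadmin:
    run(ALL, AdminTask, AdminConfig)
else:
    dry_run(ALL, sys.stdout)
```

The order matters: the domain must exist before a resource is mapped to it, the registry must be configured before it is made the active one, and nothing takes effect until `AdminConfig.save()` and a restart of the mapped server. The admin-role mapping is deliberately a separate function because it operates on global security, not on the new domain.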

Quick note for newcomers: in a CLM installation the Jazz Team Server is the application responsible for user registry management, providing that service to the Jazz applications registered with it. Jazz Team Server itself is built on Java EE container-managed authentication, which means that JTS does not authenticate users; the application server is in charge of that task. This can be Tomcat, using its native registry file (tomcat-users.xml) or authenticating against an LDAP registry, or WebSphere Application Server with any of the mechanisms it provides. For further information see:

TN0013: Jazz Team Server Authentication Explained
