HCL Workload Automation, Version 9.4

Mapping security roles to users and groups in WebSphere Application Server

About this task

When the dynamic workload broker instance is installed on your master domain manager, corresponding roles are set up in WebSphere Application Server. By default, these roles are not used. However, if you enable global security in your environment, the authorization required to perform any tasks is always validated by WebSphere Application Server. Users are required to provide credentials for accessing dynamic scheduling tasks. These credentials correspond to existing users defined in the domain user registry or the LDAP server.

To allow users and groups to access the dynamic workload broker functions when global security is enabled, they must be mapped to the security roles in WebSphere Application Server. This mapping allows those users and groups to access applications defined by the role. At installation time, the following actor roles are created in the WebSphere Application Server:
Operator
Monitors and controls the jobs submitted.
Administrator
Manages the scheduling infrastructure.
Developer
Defines the jobs to be run specifying the job parameters, resource requirements, and so on.
Submitter
Manages the submission of their own jobs and monitors and controls the job lifecycle. This is the typical role for an HCL Workload Automation user.

HCL Workload Automation acts as submitter of jobs to the HCL Workload Automation dynamic agent.

Configurator
Is the entity responsible for running the jobs on a local environment.

To map security roles to users and groups on the WebSphere Application Server, you must modify the BrokerSecurityProps.properties file using the changeBrokerSecurityProperties script.

To avoid the risk of changing a configuration value inadvertently or of overwriting the latest changes, you should always first create a file containing the current properties, edit it to the values you require, and apply the changes. Proceed as follows:
  1. Log on to the computer where HCL Workload Automation is installed as the following user:
    UNIX
    root
    Windows
    Any user in the Administrators group.
  2. Access the directory: <TWA_home>/wastools
  3. Stop the WebSphere Application Server using the conman stopappserver command (see Starting and stopping the application server and appservman).
  4. From that same directory run the following script to create a file containing the current broker security properties:
    UNIX
    showBrokerSecurityProperties.sh > my_file_name
    Windows
    showBrokerSecurityProperties.bat > my_file_name
  5. Edit my_file_name with a text editor.
  6. Edit the properties as you require. For each of the roles in the file, you can set the following properties:
    Everyone?
    Possible values:
    • Yes: Every user is authorized to perform tasks for the role. No check is performed on the WebSphere Application Server user registry.
    • No: Access is denied to users not defined in the WebSphere Application Server user registry.
    All authenticated?
    Possible values:
    • Yes: All users belonging to the current WebSphere Application Server user registry who have been authenticated can access resources and tasks for the role. This is the default value.
    • No: Access is granted only to those users and groups defined in the WebSphere Application Server user registry and listed in the mapped user and mapped group properties.
    Mapped users
    If specified, one or more users separated by the vertical bar symbol (|). This field can be left blank.
    Mapped groups
    If specified, one or more groups separated by the vertical bar symbol (|). This field can be left blank.
  7. Save the file my_file_name.
  8. Run the script:
    Windows
    changeBrokerSecurityProperties.bat my_file_name
    UNIX
    changeBrokerSecurityProperties.sh my_file_name
    where my_file_name is the fully qualified path of the file containing the new parameters.

    The properties are updated, according to the rules given in the descriptions of each property type.

  9. Start the WebSphere Application Server using the conman startappserver command (see Starting and stopping the application server and appservman).
  10. Check that the change has been implemented.
Note:
  1. If the mapped user or group names contain blanks, the entire user or group list must be specified between double quotation marks ("). For example, if you want to add the users John Smith, MaryWhite and DavidC to the developer role, you specify them as follows:
    Role: Developer
    Everyone?: No
    All authenticated?: No
    Mapped users:"John Smith|MaryWhite|DavidC"
    Mapped groups:
  2. In the file there is an additional default role named WSClient which you must leave as is.
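
As a check before step 8, the following added example (not part of the product or its documentation) parses an edited properties file and flags roles that are open to everyone, open to all authenticated users (the default), or left with no mapped users or groups. It assumes the file uses the "Key: value" layout shown in the note above; the function names and the sample content are constructed for illustration.

```python
# Constructed sample in the "Key: value" layout shown in the note (assumed layout).
SAMPLE = """\
Role: Developer
Everyone?: No
All authenticated?: No
Mapped users:"John Smith|MaryWhite|DavidC"
Mapped groups:
Role: Operator
Everyone?: No
All authenticated?: Yes
Mapped users:
Mapped groups:
Role: WSClient
Everyone?: No
All authenticated?: Yes
Mapped users:
Mapped groups:
"""

def parse_roles(text):
    """Return {role: {property: value}} for every 'Role:' block."""
    roles, current = {}, None
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if sep and key == "Role":
            current = roles.setdefault(value, {})
        elif sep and current is not None:
            current[key] = value
    return roles

def split_list(value):
    """Split a '|'-separated list, dropping the optional double quotes."""
    return [v.strip() for v in value.strip().strip('"').split("|") if v.strip()]

def audit(roles, skip=("WSClient",)):
    """Flag roles whose access differs from an explicit user/group mapping."""
    findings = []
    for name, p in roles.items():
        if name in skip:  # the page says WSClient must be left as is
            continue
        if p.get("Everyone?", "").lower() == "yes":
            findings.append((name, "everyone"))
        elif p.get("All authenticated?", "").lower() == "yes":
            findings.append((name, "all-authenticated"))
        elif not (split_list(p.get("Mapped users", "")) or split_list(p.get("Mapped groups", ""))):
            findings.append((name, "unmapped"))  # nobody can use this role
    return findings
```

Call `audit(parse_roles(open("my_file_name").read()))` on the edited file; an empty list means every role except WSClient is restricted to explicitly mapped users or groups.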