
Chapter 13: Security Configuration Tasks

Configuring EAServer roles

EAServer’s authorization model is based on roles, which are defined in EAServer Manager. Each role can include and exclude specific user names or digital IDs. If you use native operating system authentication, you can also include and exclude operating system group names; all users in the specified group are affected.

Roles are attached to EAServer packages and components. A package or component’s role controls access as follows:

You must either refresh or restart EAServer for any role changes to take effect.

Steps: Refreshing EAServer

  1. Highlight the Roles folder.

  2. Select File | Refresh.

Steps: Defining a new role

  1. Highlight the Roles folder.

  2. Select File | New Role. Enter the required information in the subsequent dialogs:

Steps: Deleting an existing role

  1. Highlight the Roles folder. You see a list of existing roles.

  2. Highlight the role you want to delete.

  3. Right-click the role and select Delete. This option is available only to the owner of the role or the jagadmin user.

  4. Click Yes to confirm deletion of the selected role.

Note: Only the owner or a member of the role named Admin Role can delete a role, except for Admin Role itself, which cannot be deleted. See “Admin role in EAServer” for more information.

Steps: Modifying an existing role

  1. Highlight the Roles folder. You see a list of existing roles.

  2. Highlight the role you want to modify.

  3. Select File | Properties.

  4. Make your modifications and click OK.

Steps: Adding an existing role, or creating and adding a new role to a package, component, or method

  1. Double-click the icon for the package, component, or method to expand the folders beneath it. Highlight the Role Membership folder.

  2. Select File | Install Role. Then select one of the following options from the Role wizard:

Note: A package, component, or method with no roles or role memberships defined has no access restrictions.


Assigning users and groups to roles

Each role can include and exclude specific user names and digital IDs. If you use native operating system authentication, you can also include and exclude operating system group names; all users in the specified group are affected.

Steps: Assigning authorized users to a role of a component or a package

  1. Double-click the component or package to which the role belongs.

  2. Highlight the Roles folder.

  3. Double-click the role to which you want to add authorized users.

  4. Highlight the Authorized User folder.

  5. Select File | Add Authorized User.

  6. Enter the name of the authorized user in the dialog, and click Add Authorized User. On Windows, you can provide the name of the domain as part of the authorized user name; for example, \\domain_name\user_name. The user is authenticated using the domain controller for that domain.

The user’s name appears on the right side of the window when you highlight the Authorized Users folder.

To remove an existing authorized user, highlight the member and select File | Remove Member.

Steps: Assigning authorized groups to a role of a component or a package

  1. Double-click the component or package to which the role belongs.

  2. Highlight the Roles folder.

  3. Double-click the role to which you want to add authorized groups.

  4. Highlight the Authorized Group folder.

  5. Select File | Add Authorized Group.

  6. Enter the name of the authorized group in the dialog, and click Add Authorized Group.

The group’s name appears on the right side of the window when you highlight the Authorized Groups folder.

To remove an existing authorized group, highlight the member and select File | Remove Member.

Note: The users and groups of a role are mapped to operating system users and groups. To validate users and groups, you must click Enable User and Group Validation from the server’s Security property sheet. You can only add validated groups to roles. When Enable User and Group Validation is disabled, package and component authorizations stop at the user level. There is no attempt to check group level authorization.

Steps: Assigning authorized digital IDs (certificates) to a component or a package

  1. Double-click the component or package to which the role belongs.

  2. Highlight the Roles folder.

  3. Double-click the role to which you want to add authorized digital IDs.

  4. Highlight the Authorized Digital IDs folder.

  5. Select File | Add Authorized Digital ID.

  6. A list of digital IDs appears. Double-click the name of the digital ID that you want to authorize, and click Add Authorized Digital ID.

    Only certificates that appear in the EAServer Manager | Certificate folder | User Certificates folder and Other Certificates folder can be authorized. This requires that you install the certificate using EAServer Manager | Certificate folder. See Chapter 14, “Managing Keys and Certificates” for more information.

The user’s name appears on the right side of the window when the Authorized Digital IDs folder is highlighted.

To remove an existing authorized digital ID, highlight the member and select File | Remove Member.

You can verify, export, or view information about an authorized digital ID by highlighting the digital ID and selecting the corresponding option from the file menu. See Chapter 14, “Managing Keys and Certificates” for more information about these options.

Steps: Excluding users from a component or a package

  1. Double-click the component or package to which the role belongs.

  2. Highlight the Roles folder.

  3. Double-click the role from which you want to exclude users.

  4. Highlight the Excluded User folder.

  5. Select File | Add Excluded User.

  6. Enter the name of the excluded user in the dialog, and click Add Excluded User. On Windows, you can provide the name of the domain as part of the excluded user name; for example, \\domain_name\user_name. The user is authenticated using the domain controller for that domain.

The user’s name appears on the right side of the window when the Excluded Users folder is highlighted.

To remove an existing excluded user, highlight the member and select File | Remove Member.

Steps: Excluding groups from a component or a package

  1. Double-click the component or package to which the role belongs.

  2. Highlight the Roles folder.

  3. Double-click the role from which you want to exclude groups.

  4. Highlight the Excluded Group folder.

  5. Select File | Add Excluded Group.

  6. Enter the name of the excluded group in the dialog box, and click Add Excluded Group.

The group’s name appears on the right side of the window when you highlight the Excluded Groups folder.

To remove an existing excluded group, highlight the member and select File | Remove Member.

Steps: Excluding digital IDs (certificates) from a component or a package

  1. Double-click the component or package to which the role belongs.

  2. Highlight the Roles folder.

  3. Double-click the role from which you want to exclude digital IDs.

  4. Highlight the Excluded Digital IDs folder.

  5. Select File | Add Excluded Digital ID.

  6. A list of digital IDs appears. Double-click the name of the digital ID that you want to exclude, and click Add Excluded Digital ID.

    Only certificates that appear in the EAServer Manager | Certificate folder | User Certificates folder and Other Certificates folder can be excluded. This requires you to install the certificate using EAServer Manager | Certificate folder. See Chapter 14, “Managing Keys and Certificates” for more information.

The user’s name appears on the right side of the window when the Excluded Digital IDs folder is highlighted.

To remove an existing excluded digital ID, highlight the member and select File | Remove Member.

You can verify, export, or view information about an excluded digital ID by highlighting the digital ID and selecting the corresponding option from the file menu.


Determining authorization

The following order is used to determine role-based authorization:

  1. If the user is authorized, the search terminates and authorization is granted.

  2. If the user is excluded, the user is declined access to the resource.

  3. If the user is in an authorized group:

    1. Check if the role is a member of the authorized group.

    2. If this check succeeds, check if the role is a member of an excluded group list—if not, grant access to the resource.

Purpose of excluded lists

When you use group-based authorization, excluded lists simplify restricting access for a small number of users: you can authorize a whole group and deny the individual users by user name, regardless of the authorized groups to which they belong.

Note: If a user is a member of an excluded user or group list, EAServer does not invoke the Role Service (CtsSecurity/RoleService) if defined for that server.
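The evaluation order above, together with the Enable User and Group Validation note and the rule that a package or component with no role attached is unrestricted, as an added Python model (an illustration written for this page, not EAServer code): the Role class, the authorize function and the Payroll role with its users and groups are constructed, and the role_service callback is a hypothetical stand-in for a custom CtsSecurity/RoleService.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed model of one EAServer role: the Authorized/Excluded User and Group lists.
@dataclass
class Role:
    name: str
    authorized_users: set = field(default_factory=set)
    excluded_users: set = field(default_factory=set)
    authorized_groups: set = field(default_factory=set)
    excluded_groups: set = field(default_factory=set)

# Hypothetical stand-in for a custom CtsSecurity/RoleService: (user, role name) -> bool.
RoleService = Callable[[str, str], bool]

def authorize(role: Optional[Role], user: str, groups: set,
              group_validation: bool = True,
              role_service: Optional[RoleService] = None) -> bool:
    """Apply the documented evaluation order; True means access is granted."""
    if role is None:                    # no role attached: no access restrictions
        return True
    if user in role.authorized_users:   # 1. authorized user: search stops, granted
        return True
    if user in role.excluded_users:     # 2. excluded user: declined, Role Service skipped
        return False
    if group_validation:                # validation disabled: stop at the user level
        in_authorized = bool(groups & role.authorized_groups)
        in_excluded = bool(groups & role.excluded_groups)
        if in_authorized and not in_excluded:   # 3. authorized group, not excluded
            return True
        if in_excluded:                         # excluded group: declined, no Role Service
            return False
    # Nothing matched and the user is not excluded: defer to the Role Service, if any.
    return bool(role_service is not None and role_service(user, role.name))

def demo() -> dict:
    # Constructed 'Payroll' role and constructed users/groups.
    payroll = Role("Payroll", authorized_users={"alice"}, excluded_users={"mallory"},
                   authorized_groups={"finance"}, excluded_groups={"contractors"})
    svc: RoleService = lambda user, role_name: user == "auditor"
    return {
        "alice": authorize(payroll, "alice", {"contractors"}, role_service=svc),
        "mallory": authorize(payroll, "mallory", {"finance"}, role_service=svc),
        "bob": authorize(payroll, "bob", {"finance"}),
        "carol": authorize(payroll, "carol", {"finance", "contractors"}),
        "bob_no_validation": authorize(payroll, "bob", {"finance"}, group_validation=False),
        "auditor": authorize(payroll, "auditor", set(), role_service=svc),
        "dave": authorize(payroll, "dave", {"contractors"}, role_service=svc),
        "unrestricted": authorize(None, "anyone", set()),
    }
```

Each entry in the dictionary returned by demo() exercises one branch of the order: alice is granted as an authorized user even though she is in an excluded group, carol is denied because her excluded group membership overrides her authorized group, and dave never reaches the Role Service because he is on an excluded group list.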


Predefined roles

EAServer includes a number of predefined, read-only roles that you can use to facilitate authorization to EAServer resources. Role names are case sensitive and include:

ServiceControl: Prevents clients from invoking service components.

anonymous: Allows access to an ‘anonymous’ user.

everybody: Allows access to all authenticated users.

system: Prevents access by any client. The system user is a member, so components with this role can run as EAServer services.

nobody: Prevents all access to a method or component. No user is a member of this role, not even the EAServer system user.


Admin role in EAServer

Every EAServer contains an Admin package and an Admin role. You must be a member of the Admin role to run EAServer Manager.

Initially, only jagadmin is a member of this role. The jagadmin user can set up additional members.

Even though other users can belong to the Admin role and run EAServer Manager, only the jagadmin user can:

  1. Set the following options from EAServer Manager | Servers folder | server_name | Properties | Security tab:

  2. Modify users, groups, or digital IDs belonging to the EAServer Manager | Roles | Admin role.

Steps: Granting permissions to EAServer roles

Beginning with EAServer 5.0, members of the Admin role can use EAServer Manager or jagtool to grant permissions to other EAServer roles; for example, permission to start or shut down a server.

Note: Although users with the Admin role can grant permission to other roles to perform certain tasks, these tasks must be performed using jagtool because only members of the Admin role can access EAServer Manager.

  1. In EAServer Manager, expand the Roles folder, highlight the role to which you want to grant permissions, right-click, and select Properties.

  2. In the Role Properties dialog box, select any of the tabs described below.

    Application Authorities: To grant users with the current role permission to create, modify, or delete an application, select Add Application, and enter the application name.

    To remove an application from the list of those that users with this role have permission to access, highlight the application name, and select Delete Application.

    Package Authorities: To grant users with the current role permission to create, modify, or delete a package, select Add Package, and enter the package name.

    To remove a package from the list of those that users with this role have permission to access, highlight the package name, and select Delete Package.

    Server Authorities: To authorize users with the current role permission to perform an action on the server, select the action:

    To revoke permission to perform an action, unselect the action.

    Servlet Authorities: To grant users with the current role permission to create, modify, or delete a servlet, select Add Servlet, and enter the servlet name.

    To remove a servlet from the list of those that users with this role have permission to access, highlight the servlet name, and select Delete Servlet.

    Web Application Authorities: To grant users with the current role permission to create, modify, or delete a Web application, select Add Web Application, and enter the Web application name.

    To remove a Web application from the list of those that users with this role have permission to access, highlight the Web application name, and select Delete Web Application.

For information about using jagtool to grant and revoke permissions, see the reference pages for the commands grantroleauth or removeroleauth in Chapter 12, “Using jagtool and jagant,” in the EAServer System Administration Guide.

Copyright © 2005. Sybase Inc. All rights reserved.