Mapping security roles to users and groups in WebSphere Application Server Liberty

About this task

When the dynamic workload broker instance is installed on your master domain manager, corresponding roles are set up in WebSphere Application Server Liberty. By default, these roles are not used. However, the authorization required to perform any tasks is always validated by WebSphere Application Server Liberty. Users are required to provide credentials for managing resources and job definitions using the resource and jobstore commands. These credentials correspond to existing users defined in the domain user registry or the LDAP server.

To allow users and groups to access the dynamic workload broker functions, they must be mapped to the security roles in WebSphere Application Server Liberty. This mapping allows those users and groups to access applications defined by the role. At installation time, the HCL Workload Automation administrative user (wauser) is assigned the Administrator role in WebSphere Application Server Liberty. The following roles are also created but they are not assigned to any users nor groups:
Operator
Monitors and controls the jobs submitted.
Administrator
Manages the scheduling infrastructure.
Submitter
Manages the submission of their own jobs and monitors and controls the job lifecycle. This is the typical role for an HCL Workload Automation user.

HCL Workload Automation acts as submitter of jobs to the HCL Workload Automation dynamic agent.

Configurator
Is the entity responsible for running the jobs on a local environment.
To map security roles to users and groups on the WebSphere Application Server Liberty, edit the broker_role_mapping.xml file located the following paths, based on your operating system:
On Windows operating systems
<MDM_installation_directory>\usr\servers\engineServer\configDropins\defaults
On UNIX operating systems
<MDM_installation_directory>/usr/servers/engineServer/configDropins/defaults/

You can edit the file to associate users and groups to the Operator, Administrator, Developer, or Submitter roles, as follows:

  1. Copy the template file from the templates folder to a working folder.
  2. Edit the template file in the working folder with the desired configuration.
  3. Optionally, create a backup copy of the relevant configuration file present in the overrides directory in a different directory. Ensure you do not copy the backup file in the path where the template files are located.
  4. Copy the updated template file to the overrides folder. Maintaining the original folder structure is not required.
  5. Changes are effective immediately.

To enable all users to use the dynamic workload broker commands, remove the comment from the <special-subject type="ALL_AUTHENTICATED_USERS"/> string, otherwise, specify the list of users or groups for each role. See the example in Examples to find out how to associate roles to specific users or to all authenticated users.