Mapping Users to Groups

This article describes how Users are mapped to Groups using the default UserManager.



1 Introduction

    This article describes how Users are mapped to Groups using the default UserManager in the Orion Application Server.

2 Overview

    Orion handles security identities through the notion of Groups and Users. A Group can consist of a number of Users.

    A J2EE application uses Roles to define access to resources within the application. These Roles are then mapped to the Groups and/or Users defined in the Orion Application Server. The J2EE specification defines Roles but does not define how these should be mapped to security identities in the Application Server. The notion of Groups and Users is therefore Orion specific, as is the procedure for adding Groups and Users and for mapping Users to Groups.

3 Configuring the mapping of Users to Groups

    With a Group defined along with a User it is very easy to map these security identities together. By adding a User to a Group, the User is given any permissions that the Group contains and will be considered part of the Role that the Group is mapped to in any tests performed by the Application it is part of (or tests carried out by the Container on behalf of the Application).

    Mapping a User to a Group can be done either in a single Application or in the global Application. If it is done in a single Application (by editing the principals.xml file of the Application manually or by using the Orion Console), the mapping is valid for that specific Application only. If, on the other hand, the mapping is defined in the global Application (by editing the global Application's principals.xml file manually or by using the Orion Console), the mapping is valid for all Applications deployed (or redeployed) after the mapping was added, changed or removed.

    A sample mapping is shown in listing 1 below:


    <principals>
      <groups>
        <group name="administrators">
          <description>administrators</description>
          <permission name="administration" />
        </group>
        <group name="guests">
          <description>guests</description>
        </group>
        <group name="users">
          <description>users</description>
          <permission name="rmi:login" />
        </group>
      </groups>
      <users>
        <user username="user" password="abc">
          <group-membership group="users" />
        </user>
      </users>
    </principals>

    Listing 1, A sample User to Group mapping.

    In the listing above, 3 Groups are defined: "administrators" with the right to administer the server, "guests" which is the default Group for anonymous access, and "users" with the right to log in to the server over RMI (see this article for more information about configuring Groups).

    Listing 1 above also defines a User with the name "user" and the password "abc", which is mapped to the Group named "users".

    The mapping is done by adding a "group-membership" sub-tag to the "user" tag in the principals.xml file, as shown in listing 1 above. Notice that any number of "group-membership" sub-tags can be given to a "user" tag, making it possible to map a single User to any number of Groups.

    If a local User should be added to a global Group, the Application's local principals.xml file should not define a Group with the same name as the global Group. Instead, the User should be given a "group-membership" sub-tag naming the global Group.
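    The following script is an added example and not part of the original article or of the Orion Application Server; it shows how the "group-membership" mapping described above can be audited from the outside. It parses two constructed principals.xml documents (Listing 1 as the global file, plus a hypothetical application-local file that defines a User named "alice" and redefines the global "users" Group), resolves each local User's effective permissions through its Groups, and reports Group names that are defined both locally and globally, which is exactly the situation section 3 says to avoid. The rule that a local Group definition takes precedence over a global Group of the same name is an assumption made for the example; the article only states that the duplicate definition should not exist.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the article's Listing 1, used here as the global principals.xml.
GLOBAL_PRINCIPALS = """<principals>
  <groups>
    <group name="administrators">
      <description>administrators</description>
      <permission name="administration" />
    </group>
    <group name="guests">
      <description>guests</description>
    </group>
    <group name="users">
      <description>users</description>
      <permission name="rmi:login" />
    </group>
  </groups>
  <users>
    <user username="user" password="abc">
      <group-membership group="users" />
    </user>
  </users>
</principals>"""

# Constructed sample: a hypothetical application-local principals.xml. The local
# "users" Group shadows the global one, and "alice" also joins the global
# "administrators" Group (no local Group of that name exists).
LOCAL_PRINCIPALS = """<principals>
  <groups>
    <group name="users">
      <description>local copy that shadows the global group</description>
    </group>
  </groups>
  <users>
    <user username="alice" password="secret">
      <group-membership group="users" />
      <group-membership group="administrators" />
    </user>
  </users>
</principals>"""


def parse_principals(xml_text):
    """Return (groups, users) for one principals.xml document:
    groups maps a Group name to the set of its <permission name="..."/> values,
    users maps a username to the list of Group names from its <group-membership/> sub-tags."""
    root = ET.fromstring(xml_text)
    groups = {}
    for g in root.iterfind("./groups/group"):
        groups[g.get("name")] = {p.get("name") for p in g.iterfind("permission")}
    users = {}
    for u in root.iterfind("./users/user"):
        users[u.get("username")] = [m.get("group") for m in u.iterfind("group-membership")]
    return groups, users


def effective_permissions(global_xml, local_xml):
    """Resolve every local User's permissions through its Group memberships.
    Assumption (not stated by the article): a membership is looked up in the
    local Groups first and falls back to the global Group of the same name."""
    global_groups, _ = parse_principals(global_xml)
    local_groups, local_users = parse_principals(local_xml)
    result = {}
    for username, memberships in local_users.items():
        perms = set()
        for name in memberships:
            if name in local_groups:
                perms |= local_groups[name]
            elif name in global_groups:
                perms |= global_groups[name]
        result[username] = perms
    return result


def shadowed_groups(global_xml, local_xml):
    """Group names defined in both files: the local definition hides the global
    one, so a local User mapped to that name does not get the global permissions."""
    global_groups, _ = parse_principals(global_xml)
    local_groups, _ = parse_principals(local_xml)
    return sorted(set(global_groups) & set(local_groups))


def unknown_memberships(global_xml, local_xml):
    """(username, group) pairs whose Group exists in neither file; these mappings
    grant nothing and usually indicate a typo in principals.xml."""
    global_groups, _ = parse_principals(global_xml)
    local_groups, local_users = parse_principals(local_xml)
    known = set(global_groups) | set(local_groups)
    return [(u, g) for u, names in local_users.items() for g in names if g not in known]


if __name__ == "__main__":
    for user, perms in effective_permissions(GLOBAL_PRINCIPALS, LOCAL_PRINCIPALS).items():
        print(user, sorted(perms))
    print("shadowed groups:", shadowed_groups(GLOBAL_PRINCIPALS, LOCAL_PRINCIPALS))
    print("unknown memberships:", unknown_memberships(GLOBAL_PRINCIPALS, LOCAL_PRINCIPALS))
```

    Run against the constructed input, the audit shows the effect the article warns about: because the local file redefines "users" without any permission, "alice" ends up with only the "administration" permission from the global "administrators" Group and does not receive "rmi:login", even though she is a member of a Group called "users".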

4 Configuring Group-membership mapping using the console

    This section describes how to use the Orion Console to configure Group-memberships. The topics covered are:

      4.1 Adding a new Group-membership
      4.2 Removing a Group-membership

    4.1 Adding a new Group-membership

      This section describes how to use the Orion Console to add a new Group-membership to an Application.

      These step-by-step instructions require that a User and a Group are already defined in the Application. Information about how to use the Orion Console to configure Users can be found here. Information about how to use the Orion Console to configure Groups can be found here.

      1. Select the Application that a new Group-membership should be added to.

      2. Select the "Users" node in the expanded list of nodes for the Application.

        This should open up a Users and Group view in the right part of the Console.

      3. Select the User that should be given a new Group-mapping from the list of Users.

        This should enable the 'Configure' button.

      4. Click the "Configure" button.

        This should open a User-configuration window where User information can be edited.

      5. Click the 'Add to Group' button.

        This should open a popup window where the name of a Group can be selected from a list of available Groups.

      6. Select the Group that the User should be mapped to in the list of available Groups in the popup window.

      7. Press the 'OK' button in the popup window.

      8. Press the 'OK' button to close the User-configuration window.

      The new Group-mapping should now be configured. To confirm, open the User-configuration window and verify that the Group name is listed amongst the groups that the User is mapped to.

    4.2 Removing a Group-membership

      This section describes how to use the Orion Console to remove a Group-membership from an Application.

      1. Select the Application that the Group-membership should be removed from.

      2. Select the "Users" node in the expanded list of nodes for the Application.

        This should open up a Users and Group view in the right part of the Console.

      3. Select the User that the Group-mapping should be removed from in the list of Users.

        This should enable the 'Configure' button.

      4. Click the "Configure" button.

        This should open a User-configuration window where User information can be edited.

      5. Select the Group-mapping to remove from the list of Group-mappings.

        This should enable the 'Delete selected' button.

      6. Click the 'Delete selected' button.

        The name of the Group that the Group-mapping referred to should be removed from the list of Group-mappings.

      7. Press the 'OK' button to close the User-configuration window.

      The Group-mapping should now be removed. To confirm, open the User-configuration window and verify that the Group name is no longer listed amongst the groups that the User is mapped to.

Copyright 2003 IronFlare AB