Redwood Documentation

Configuring JEE Security

You use the authentication system in your application server to authorize users to access Redwood Server. Redwood Server retrieves the roles of users when they attempt to log in. When a user does not have at least the scheduler-user role, log-on is denied. You have to create the following core roles in your application server authentication system and grant them to the users who are to access Redwood Server.

The following standard roles are provided with Redwood Server:

Core roles (always required):

  • scheduler-administrator - can perform all actions.
  • scheduler-bae-only-user - indicates that the user account is restricted to logging in via the SAP Inbound interface, only.
  • scheduler-isolation-administrator - can import and modify users.
  • scheduler-screen-reader - indicates that you are using a screen reader.
  • scheduler-user - has access to Redwood Server only, cannot see any objects (always required, even for administrators).
  • scheduler-viewer - read-only access to all objects.

The user access roles are bound to features that require a specific license key:

  • scheduler-business-user - can access the business-user-centric user interface.
  • scheduler-it-user - can access the IT-user-centric user interface.

Predefined roles (optional):

  • scheduler-event-operator - can raise and clear events, as well as all privileges assigned to scheduler-viewer.
  • scheduler-job-administrator - can create, edit, and delete event definitions, process definitions, and chain definitions, and modify both processes and chains, as well as all privileges assigned to scheduler-event-operator.

Note: If you get an HTTP error 403 - Access Denied after logging in, your user may be lacking the scheduler-user role.

Fine-grained security is available inside Redwood Server.
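
The role model above can be checked against the groups actually granted in the application server. The following is an added example, not part of the Redwood documentation or product: it audits a constructed user-to-role export, and the export format, function names, and finding texts are assumptions.

```python
# Added example: audit role grants exported from the application server.
# Role names come from this page; the export format and all function names
# are assumptions made for illustration.
CORE = {"scheduler-administrator", "scheduler-bae-only-user",
        "scheduler-isolation-administrator", "scheduler-screen-reader",
        "scheduler-user", "scheduler-viewer"}
LICENSED = {"scheduler-business-user", "scheduler-it-user"}
# Predefined role -> role whose privileges it also carries (per the list above).
INCLUDES = {"scheduler-event-operator": "scheduler-viewer",
            "scheduler-job-administrator": "scheduler-event-operator"}
KNOWN = CORE | LICENSED | set(INCLUDES)

def effective_privileges(granted):
    """Return the granted roles plus every role whose privileges they include."""
    roles, stack = set(granted), list(granted)
    while stack:
        parent = INCLUDES.get(stack.pop())
        if parent and parent not in roles:
            roles.add(parent)
            stack.append(parent)
    return roles

def audit(grants):
    """Map each user to a list of findings; users without findings are omitted."""
    report = {}
    for user, granted in grants.items():
        roles, findings = set(granted), []
        # scheduler-user is required even for administrators, so it is checked
        # against the direct grants, not the expanded privilege set.
        if "scheduler-user" not in roles:
            findings.append("missing scheduler-user: log-on denied")
        if "scheduler-administrator" in roles:
            findings.append("review: scheduler-administrator can perform all actions")
        for role in sorted(roles - KNOWN):
            findings.append(f"custom role {role}: not a standard role, verify its mapping")
        if findings:
            report[user] = findings
    return report

# Constructed sample export: user -> roles granted in the application server.
SAMPLE_GRANTS = {
    "alice": ["scheduler-user", "scheduler-job-administrator"],
    "bob": ["scheduler-administrator"],
    "carol": ["scheduler-user", "finance-operators"],
}

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_GRANTS).items():
        for finding in findings:
            print(f"{user}: {finding}")
```
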

Hybrid JEE Authentication and LDAP Authorization

This advanced use case allows you to authenticate users against the application server and store user-role relationships in an LDAP directory. This is an advanced authentication and authorization method which requires Redwood Support Services involvement. To implement this authentication method, you first connect Redwood Server to your LDAP system as outlined in Configuring LDAP. You then use the registry editor in the admin server to change the /configuration/security registry entry from external.ldap to jee.ldap.

Procedure

  1. The security model for the security realm in use needs to be Advanced. Verify: Security Realms > myrealm > Security Model Default is set to Advanced.
  2. When deploying the application, select Advanced as the security model. You can confirm the current security model by navigating to Deployments and then scheduler-ear.ear (note that this may be on the second or subsequent pages).
  3. If this is not Advanced, stop, delete, and redeploy the application as Advanced.
  4. Navigate to Security Realms > myrealm, and choose the Users and Groups tab. Check that the following groups exist:
       • scheduler-user
       • scheduler-it-user
       • scheduler-administrator
       • scheduler-isolation-administrator
  5. If any of them does not exist, create it.
  6. Now you need to set up new enterprise application scoped roles. From the same page as step 2, navigate to the Security tab.
  7. Choose New to add a new role. Name the role scheduler-it-user and choose OK.
  8. Choose the role you just created, and then choose Add Conditions.
  9. Choose group from the drop-down, and choose Next.
  10. For Group Argument name, type scheduler-it-user, and choose Add.
  11. Choose Save.
  12. Try to log in as that user.
  13. If you want another custom role/group to work (including scheduler-business-user), repeat steps 4-10 for that specific role and group.

See Also

  • External Security Systems
  • Lightweight Directory Access Protocol (LDAP)
  • Configuring Redwood Server for LDAP Authentication
  • Configuring LDAP
  • Database Authentication
