Filter
Top Products
Roles
A role denes which applications and what parts of each application users can access and what
they can do. In other words, roles determine users' authorization levels.
For example, in a personnel application all employees might have access to phone numbers and
email addresses, but only managers would have access to salary information. The application
might dene at least two roles: employee and manager; only users in the manager role are
allowed to view salary information.
A role is dierent from a user group in that a role denes a function in an application, while a
group is a set of users who are related in some way. For example, in the personnel application
there might be groups such as full-time, part-time, and on-leave , but users in all these
groups would still be in the employee role.
Roles are dened in application deployment descriptors. In contrast, groups are dened for an
entire server and realm. The application developer or deployer maps roles to one or more
groups for each application in its deployment descriptor.
Realms
A realm, also called a security policy domain or security domain, is a scope over which the server
denes and enforces a common security policy. In practical terms, a realm is a repository where
the server stores user and group information.
The Enterprise Server comes precongured with three realms: file (the initial default realm),
certificate, and admin-realm. It is possible to also set up ldap, JDBC, solaris, or custom
realms. Applications can specify the realm to use in their deployment descriptor. If they do not
specify a realm, the Enterprise Server uses its default realm.
In the file realm, the server stores user credentials locally in a le named keyfile. You can use
the Admin Console to manage users in the file realm.
In the certificate realm, the server stores user credentials in a certicate database. When
using the certificate realm, the server uses certicates with the HTTPS protocol to
authenticate Web clients. For more information about certicates, see
“Introduction to
Certicates and SSL” on page 108
.
The admin-realm is also a FileRealm and stores administrator user credentials locally in a le
named admin-keyfile. Use the Admin Console to manage users in this realm in the same way
you manage users in the file realm.
In the ldap realm the server gets user credentials from a Lightweight Directory Access Protocol
(LDAP) server such as the Directory Server. LDAP is a protocol for enabling anyone to locate
organizations, individuals, and other resources such as les and devices in a network, whether
on the public Internet or on a corporate intranet. Consult your LDAP server documentation for
information on managing users and groups in the ldap realm.
UnderstandingUsers,Groups,Roles,and Realms
SunGlassFishEnterpriseServer2.1AdministrationGuide • December2008106