When attempting to do something in WebSphere, such as signing into the WebSphere administrative console (ISC) or restarting an application or creating a new resource, you will need permission to perform the action. WebSphere has different roles, where each role has certain permissions. This article describes the differences between each role in more detail.
The image below illustrates a typical configuration, where WebSphere is configured to get user accounts from the local operating system, from a file on WebSphere (usersRegistry.xml), or from LDAP. Then, users are assigned a role, and the role has certain permissions.
Before assigning roles, you must first have a user account repository that contains users. If you do not yet have a user account repository set up, probably the best place to start is to understand the different types of user repositories that WebSphere can use. Optionally, you can place users in groups, which usually makes sense, but this can only be done when using a file on WebSphere as the user account repository, which is why the above illustration does not include groups.
Be aware that a Java application deployed to WebSphere can be configured with a role. In this example, the Java app has a role called Authenticated.
<security-role>
  <role-name>Authenticated</role-name>
</security-role>
Then, the role is mapped to a user or group in WebSphere. This type of role is different from the roles described above. I only mention this here so that you recognize the difference between a role in a Java application vs. a WebSphere administrative role.
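To see which application roles a deployment descriptor expects to be mapped to users or groups in WebSphere, the following added example (not code from the original article) parses a web.xml and compares the roles declared in security-role elements with the roles referenced in security constraints. The sample descriptor is constructed, and the Support and Auditor roles are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the original page): "Support" is declared
# but unused, and "Auditor" is used in a constraint but never declared.
SAMPLE_WEB_XML = """
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><url-pattern>/secure/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Auditor</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>Authenticated</role-name></security-role>
  <security-role><role-name>Support</role-name></security-role>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace so descriptors with or without one both match."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Text of every descendant element whose local name is `name`."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]

def audit_roles(web_xml):
    """Compare roles declared in <security-role> with roles used in constraints."""
    root = ET.fromstring(web_xml.strip())
    declared, protects = set(), {}
    for child in root:
        kind = _local(child.tag)
        if kind == "security-role":
            declared.update(_texts(child, "role-name"))
        elif kind == "security-constraint":
            urls = _texts(child, "url-pattern")
            for role in _texts(child, "role-name"):
                protects.setdefault(role, []).extend(urls)
    used = set(protects) - {"*", "**"}  # wildcards are not role names to map
    return {
        "declared": sorted(declared),             # roles that need a mapping
        "protects": protects,                     # role -> URL patterns it guards
        "undeclared": sorted(used - declared),    # used but never declared
        "unused": sorted(declared - used),        # declared but guard nothing
    }

if __name__ == "__main__":
    print(audit_roles(SAMPLE_WEB_XML))
```

Each name in "declared" is an application role that still has to be mapped to a user or group, and anything in "undeclared" points at a descriptor error worth fixing before deployment.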
Primary administrative user role
When you configured the user account repository that WebSphere will use, you were prompted to assign a user as the primary administrative user. This can be seen by navigating to Users and Groups > Administrative user roles. In this example, root is the primary administrative user, which means that root has the administrator role, and thus, root has full control.
Other users role
By default, every other user in the user account repository is not assigned any role, meaning that the user has no permissions. When you need to give permissions to a user in the user account repository, you need to assign a role to the user. This is done by navigating to Users and Groups > Administrative user roles > Add > select a user, and you will be presented with a form where you can assign the user a role. In this example, user jeremy is assigned to the Operator role.
Create Group Roles
After creating a new group, you'll need to assign a role to the group. In the left panel of the web console, expand Users and Groups and select Administrative group roles. Then, assign a role to a group. For example, you would assign the Configurator role to the Configurators group.