Managing access to services

Tighter controls exist for the roles required to access or operate on a service when it is accessed via the Services folder in the Systems Management Console. To configure these roles, you must edit the XML file that is used to start and configure the service. Every service can be assigned a set of read roles, and another set of update (execute) roles. If a service has no associated roles, it defaults to the values defined on the servlet’s Init-Params tab.

To assign a set of roles to a service, edit the appropriate XML file, and change the service definition. The XML files are located in the Systems Management ROOT directory; the EAServer service XML file is eas.xml.

Assume that users must have been granted either ReadRole or Admin Role to view the EAServer service, and either UpdateRole or Admin Role to do anything to the service (execute a method or change an attribute). To configure this scenario, the contents of eas.xml should look something like this:

<service name="EAS"
   type="product"
   mbean="sybase.system.service:Type=EAS,Name=Jaguar"
   startmode="automatic"
   readroles="ReadRole, Admin Role"
   updateroles="UpdateRole, Admin Role">
</service>

Instead of specifying “Admin Role,” you can use “+” to indicate the default role or roles specified on the servlet’s Init-Params tab.

In this example, to see and update the EAServer service, you must be granted either Admin Role, or both ReadRole and UpdateRole. If you are granted only ReadRole, you can view the EAServer service details but not update it. If you are granted only UpdateRole, you cannot see the service, so you cannot update it either.
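
When reviewing role assignments, it helps to compute what a given set of roles can actually do against a service definition. The following Python sketch is an added example, not part of EAServer or the original page. It assumes role lists are comma-separated, that "+" expands to the default roles, and it uses a constructed DEFAULT_ROLES value to stand in for the roles on the servlet's Init-Params tab.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the service definition from this page, using "+" for defaults.
EAS_XML = """<service name="EAS"
   type="product"
   mbean="sybase.system.service:Type=EAS,Name=Jaguar"
   startmode="automatic"
   readroles="ReadRole, +"
   updateroles="UpdateRole, +">
</service>"""

# Assumption: stand-in for the roles set on the servlet's Init-Params tab.
DEFAULT_ROLES = frozenset({"Admin Role"})


def parse_roles(value, defaults=DEFAULT_ROLES):
    """Split a comma-separated role list; '+' expands to the default roles.
    A missing or empty attribute falls back to the defaults entirely."""
    if value is None or not value.strip():
        return set(defaults)
    roles = set()
    for item in value.split(","):
        item = item.strip()
        if item == "+":
            roles |= defaults
        elif item:
            roles.add(item)
    return roles


def effective_access(service_xml, user_roles, defaults=DEFAULT_ROLES):
    """Return (can_view, can_update) for a user holding user_roles."""
    svc = ET.fromstring(service_xml)
    user = set(user_roles)
    can_view = bool(user & parse_roles(svc.get("readroles"), defaults))
    in_update = bool(user & parse_roles(svc.get("updateroles"), defaults))
    # A user who cannot see the service cannot operate on it either.
    return can_view, can_view and in_update


if __name__ == "__main__":
    for held in (["Admin Role"], ["ReadRole"], ["UpdateRole"],
                 ["ReadRole", "UpdateRole"], []):
        print(held, effective_access(EAS_XML, held))
```

The UpdateRole-only case returns no access at all, which is the assignment mistake most worth checking for when auditing role grants.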

For more information about user roles, see the EAServer Security Administration and Programming Guide. If Enterprise Security is installed, see also the Enterprise Security Administration Guide.