Configuring roles

This section describes how to add roles to a domain and control role membership.

The EAServer authorization model is based on roles, which are defined in the Sybase Management Console. Each role can include and exclude specific user names or digital IDs. If you use native operating system authentication, you can also include and exclude operating system group names; all users in the specified group are affected.

All roles belong to the default security domain. For example, role1@system would not exist.

Keep the following in mind when configuring roles:

  1. You do not need to specify a domain name when defining a role, since all roles belong to the default domain.

  2. Role changes take effect after a Security Domain refresh. The permissionCacheTimeout setting also matters: both successful and failed authorization results are cached, so even after the domain is refreshed, a given user's cached result is not dropped until the timeout expires. Until then, a user whose membership was revoked may still be authorized, and a newly added user may still be denied.

  3. A user can only be authorized by the domain to which it belongs. Authentication and authorization are limited to a domain for the particular user.

  4. foo@default and foo@system are treated as the same user for authorization purposes, although they are different entities in the server. For example:

    1. You can create and authorize a user called testuser@default to access the Sybase Management Console.

    2. Since testuser belongs to the default security domain, you create a role called admin-role and add the user to the newly created role.

    3. Since the Sybase Management Console is authorized only by admin-role, testuser@default is authorized.

You must either refresh or restart EAServer for any role changes to take effect.

Steps: Adding a role to a domain

  1. From the Web Management Console, expand the Security folder.

  2. Right-click the Roles folder and select Add.

  3. Follow the New Role wizard instructions to define a new role. When prompted for Security Role Name, enter the name of a role in the form role_name. The role is assigned to the “default” domain.

Steps: Controlling role membership

  1. From the Web Management Console, expand the Security folder.

  2. Expand the Roles folder.

  3. Select the role that you are modifying.

  4. Control role membership by selecting these tabs:

    • General – provides general information about the role, including name, inherited roles, and role membership.

    • Assigned Roles – allows you to grant authorization to groups by selecting All (all users of a group are authorized members), None (no user belonging to the group is authorized), or Select (allows you to individually select the groups to which you grant authorization).

    • Excluded Roles – allows you to deny authorization to individual groups by selecting All (all users within the group are excluded), None (no group is excluded), or Select (allows you to individually select the groups to exclude).

    • Excluded Users – allows you to exclude users by denying access to the users based on their user names and not the authorized groups to which they belong.
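The membership tabs above and the result caching described in item 2 of the list at the top of the page interact in a way that is easy to get wrong: a member you remove today can still be authorized for a while. The following added example (illustrative Python written for this page, not EAServer code) models both. Role stands for the Assigned and Excluded tabs; Authorizer holds the roles as edited in the console and the copy the server enforces, publishes one to the other on a Security Domain refresh, and caches positive and negative decisions for a timeout that stands in for permissionCacheTimeout. Two details are assumptions not stated on the page: the timeout is in seconds, and an exclusion takes precedence over an assignment.

```python
"""Added example: EAServer-style role membership (assigned and excluded users
and groups) plus an authorization-result cache with a timeout, showing why a
revoked member stays authorized until the cached decision expires.
Illustrative code written for this page, not EAServer's implementation; the
timeout unit (seconds) and exclusion-over-assignment precedence are assumed."""
import copy
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    assigned_users: set = field(default_factory=set)
    assigned_groups: set = field(default_factory=set)
    excluded_users: set = field(default_factory=set)
    excluded_groups: set = field(default_factory=set)

    def is_member(self, user: str, groups: set) -> bool:
        """Exclusions are checked first (assumption): a name-based exclusion
        denies the user even when one of the user's groups is assigned."""
        if user in self.excluded_users or groups & self.excluded_groups:
            return False
        return user in self.assigned_users or bool(groups & self.assigned_groups)


class FakeClock:
    """Deterministic clock so the timeline below is reproducible offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Authorizer:
    """'pending' is what the console shows; 'active' is what the server enforces.
    refresh() publishes pending -> active but deliberately leaves the decision
    cache alone, mirroring the page: cached results survive a domain refresh."""
    def __init__(self, pending_roles: dict, cache_timeout: float, clock=None):
        self.pending = pending_roles
        self.cache_timeout = cache_timeout
        self.clock = clock or FakeClock()
        self.active: dict = {}
        self._cache: dict = {}            # (user, role) -> (decision, expires_at)
        self.refresh()

    def refresh(self) -> None:
        self.active = copy.deepcopy(self.pending)

    def is_authorized(self, user: str, groups: set, role_name: str) -> bool:
        key = (user, role_name)
        now = self.clock()
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                 # cached result, allow or deny alike
        decision = self.active[role_name].is_member(user, frozenset(groups))
        self._cache[key] = (decision, now + self.cache_timeout)
        return decision


def revocation_timeline(cache_timeout: float = 60.0) -> tuple:
    """Revoke testuser's admin-role membership (constructed sample data) and
    record the decision before the edit, after the edit, after the domain
    refresh, and after the cache timeout has elapsed."""
    clock = FakeClock()
    admin_role = Role("admin-role", assigned_users={"testuser"})
    auth = Authorizer({"admin-role": admin_role}, cache_timeout, clock)

    before_edit = auth.is_authorized("testuser", set(), "admin-role")
    admin_role.excluded_users.add("testuser")          # edit made in the console
    after_edit = auth.is_authorized("testuser", set(), "admin-role")
    auth.refresh()                                     # Security Domain refresh
    after_refresh = auth.is_authorized("testuser", set(), "admin-role")
    clock.advance(cache_timeout + 1)                   # permissionCacheTimeout passes
    after_timeout = auth.is_authorized("testuser", set(), "admin-role")
    return before_edit, after_edit, after_refresh, after_timeout


if __name__ == "__main__":
    print(revocation_timeline())   # (True, True, True, False)
```

revocation_timeline() returns (True, True, True, False): the revoked user remains authorized after the console edit and even after the refresh, and is denied only once the cached decision expires. Treat permissionCacheTimeout as the upper bound on how long a revocation can lag, and keep it short where prompt revocation matters.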

Steps: Refreshing the roles

  1. Right-click the Roles folder.

  2. Select Refresh Node.

Steps: Defining a new role

  1. Right-click the Roles folder.

  2. Select Add. Enter the required information in the subsequent dialogs.

Steps: Deleting an existing role

  1. Highlight the Roles folder. You see a list of existing roles.

  2. Highlight the role you want to delete.

  3. Right-click the role and select Delete. This option is available only to the owner of the role or the admin user.

  4. Click Yes to confirm deletion of the selected role.

Note: Only the owner or a member of the role named Admin-Role can delete a role, except for Admin-Role itself, which cannot be deleted.

Steps: Modifying an existing role

  1. Highlight the Roles folder. You see a list of existing roles.

  2. Highlight the role you want to modify.

  3. Select any of the tabs to make your modifications.

  4. Make your modifications and click Apply.