Role Based Access Control (RBAC) is the ability to restrict access to a system, or to certain portions of it, to authorized users. In JBoss AS 7.x and JBoss EAP 6.0 and 6.1, the web-based administrative console had an all-or-nothing approach: if a user could authenticate against the management security realm, that user had every privilege. This might be acceptable for smaller deployments, but in mission-critical deployments responsibilities are typically divided and finer-grained control is required. JBoss EAP 6.2 and WildFly 8 introduce RBAC with a set of distinct roles.
There are 7 roles in 2 categories: the first 4 roles are locked out of sensitive data, and the 3 higher-level roles are able to deal with sensitive data.
| Role | Permissions |
|---|---|
| Monitor | Has the fewest permissions. Can only read configuration and current runtime state. No access to sensitive resources or data, or to audit logging resources. |
| Operator | All permissions of Monitor. Can modify the runtime state, e.g. reload or shut down the server, pause/resume a JMS destination, flush a database connection pool. Does not have permission to modify persistent state. |
| Maintainer | All permissions of Operator. Can modify the persistent state, e.g. deploy an application, set up new data sources, add a JMS destination. |
| Deployer | All permissions of Maintainer, but restricted to applications only; cannot make changes to container configuration. |
| Administrator | All permissions of Maintainer. Can view and modify sensitive data such as the access control system. No access to the administrative audit logging system. |
| Auditor | All permissions of Monitor. Can view and modify resources of the administrative audit logging system. Cannot modify sensitive resources or data outside auditing, but can read any sensitive data. |
| Super User | Has all the permissions. Equivalent to an administrator in previous versions. |
WildFly 8 ships with two access control providers:
- `simple` provider: any authenticated administrator has all privileges; consistent with AS 7; the default behavior (ensures compatibility with older releases)
- `rbac` provider: users are mapped to different roles; new in WildFly 8
Brian Stansberry has wonderfully explained all the nitty-gritty details in a three-part video.
The first part shows the basics of Role Based Access Control and how you can use the standard roles within the WildFly Administration Console.
The second part shows how to configure roles and set up users which map to those roles.
The third part shows how to configure constraints, which allow you to tweak the behavior of roles.
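As an added example (not from this post or from the WildFly project's own documentation), here is the `<access-control>` element of a WildFly 8 `standalone.xml` switched from the default `simple` provider to `rbac`, with users and groups mapped to the standard roles from the table above. The user and group names (alice, bob, carol, ops-team, dev-team) are constructed for this example.

```xml
<!-- Lives inside <management> ... </management> in standalone.xml.
     The configuration WildFly 8 ships with uses provider="simple":
     anyone who authenticates to the ManagementRealm is effectively
     SuperUser and the role-mapping below is ignored:

         <access-control provider="simple">

     Switching the provider to "rbac" makes the mappings effective.
     User and group names here are constructed for this example. -->
<access-control provider="rbac">
    <role-mapping>
        <!-- Keep same-host ("$local") authentication fully privileged
             so that an operator is never locked out of the box. -->
        <role name="SuperUser">
            <include>
                <user name="$local"/>
            </include>
        </role>
        <!-- Administrator: may change access control, but not the audit log. -->
        <role name="Administrator">
            <include>
                <user name="alice"/>
            </include>
        </role>
        <!-- Auditor: the only role besides SuperUser that edits audit logging. -->
        <role name="Auditor">
            <include>
                <user name="bob"/>
            </include>
        </role>
        <!-- Group membership is read from the realm's group properties
             file (mgmt-groups.properties in the default ManagementRealm). -->
        <role name="Operator">
            <include>
                <group name="ops-team"/>
            </include>
        </role>
        <!-- Deployer: Maintainer rights limited to application resources.
             An <exclude> removes one member of the group from the role. -->
        <role name="Deployer">
            <include>
                <group name="dev-team"/>
            </include>
            <exclude>
                <user name="carol"/>
            </exclude>
        </role>
    </role-mapping>
</access-control>
```

The provider switch can also be made on a running server from the CLI with `/core-service=management/access=authorization:write-attribute(name=provider,value=rbac)`; verify afterwards that a non-mapped test user can no longer deploy or alter the configuration.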