Role Based Access Control in WildFly 8 (Tech Tip #12)

Role Based Access Control (RBAC) is the ability to restrict access to system or certain portions of it to authorized users. For JBoss AS 7.x or JBoss EAP 6.0 and 6.1, the web-based administrative console had an all-or-nothing approach. So if a user can authenticate with management security realm, then he’ll have all the privileges. This might be OK for smaller deployments but the roles are typically divided for mission critical deployments and a finer-grained control is required. JBoss EAP 6.2 and WildFly 8 introduces RBAC using different roles.

There are 7 different roles in 2 different categories – first 4 roles where users are locked out of sensitive data and 3 higher level roles where users are able to deal with sensitive data.

Role Permissions
Monitor Has the fewest permissions
Only read configuration and current runtime state
No access to sensitive resources or data or audit logging resources
Operator All permissions of Monitor
Can modify the runtime state, e.g. reload or shutdown the server, pause/resume JMS destination, flush database connection pool.
Does not have permission to modify persistent state.
Maintainer All permissions of Operator
Can modify the persistent state, e.g. deploy an application, setting up new data sources, add a JMS destination
Deployer All permissions of Maintainer
Permission is restricted to applications only, cannot make changes to container configuration
Administrator All permissions of Maintainer
View and modify sensitive data such as access control system
No access to administrative audit logging system
Auditor All permissions of Monitor
View and modify resources to administrative audit logging system
Cannot modify sensitive resources or data outside auditing, can read any sensitive data
Super User Has all the permissions
Equivalent to administrator in previous versions

WildFly 8 ships with two access control providers:

  • “simple”
    • any authenticated administrator has all privileges
    • consistent with AS 7
    • the default behavior (ensures compatibility with older releases)
  • “rbac”
    • users are mapped to different roles
    • new in WildFly 8

Brian Stansberry has wonderfully explained all the nitty-gritty details in three-part video.

First part shows the basics of Role Based Access Control, and show how you can use standard roles within the WildFly Administration Console.

Second part shows how to configure roles and setup users which map to roles.

Third part shows how to configure constraints which allow you to tweak the behavior of roles.

Enjoy!

Be Sociable, Share!

3 thoughts on “Role Based Access Control in WildFly 8 (Tech Tip #12)

  1. thanks 4 your java netbeans eclipse videos . but i have a suggestion . when recording screencast

    please
    keep font size bigger .
    keep number of frames per second FPS low .
    do not record entire screen .
    focus a small area in your screen .

    result.
    ultimately your video size will be small in MB .
    we can read what you are coding properly .

    i have two problem .
    poor internet .
    reading difficulty spectacle user .

    thanks again .

  2. I was suggested this website by my cousin. I’m not sure whether this post is written by him as nobody else know such detailed about my trouble.
    You’re amazing! Thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *