RolesAroledenes which applications and what parts of each application users can access and what
theycan do. In other words, roles determine users' authorization levels.
Forexample, in a personnel application all employees might have access to phone numbers and
emailaddresses, but only managers would have access to salary information. The application
mightdene at least two roles: employee and manager; only users in the manager role are
allowedto view salary information.
Arole is dierent from a user group in that a role denes a function in an application, while a
groupis a set of users who are related in some way. For example, in the personnel application
theremight be groups such as full-time,part-time, and on-leave, but users in all these
groupswould still be in the employee role.
Rolesare dened in application deployment descriptors. In contrast, groups are dened for an
entireserver and realm. The application developer or deployer maps roles to one or more
groupsfor each application in its deployment descriptor.
RealmsArealm,also called a security policy domain or security domain, is a scope over which the server
denesand enforces a common security policy. In practical terms, a realm is a repository where
theserver stores user and group information.
TheEnterprise Server comes precongured with three realms: file (the initial default realm),
certificate,and admin-realm. It is possible to also set up ldap,JDBC,solaris, or custom
realms.Applications can specify the realm to use in their deployment descriptor. If they do not
specifya realm, the Enterprise Server uses its default realm.
Inthe file realm, the server stores user credentials locally in a le named keyfile. You can use
theAdmin Console to manage users in the file realm.
Inthe certificate realm, the server stores user credentials in a certicate database. When
usingthe certificate realm, the server uses certicates with the HTTPS protocol to
authenticateWeb clients. For more information about certicates, see “Introduction to
Certicatesand SSL”on page 108.
Theadmin-realm is also a FileRealm and stores administrator user credentials locally in a le
namedadmin-keyfile. Use the Admin Console to manage users in this realm in the same way
youmanage users in the file realm.
Inthe ldap realm the server gets user credentials from a Lightweight Directory Access Protocol
(LDAP)server such as the Directory Server. LDAP is a protocol for enabling anyone to locate
organizations,individuals, and other resources such as les and devices in a network, whether
onthe public Internet or on a corporate intranet. Consult your LDAP server documentation for
informationon managing users and groups in the ldap realm.
UnderstandingUsers,Groups, Roles, and Realms
SunGlassFishEnterprise Ser ver2.1 Administration Guide • December 2008106