Roles
Aroledenes which applications and what parts of each application users can access and what
theycan do. In other words, roles determine users' authorization levels.
Forexample, in a personnel application all employees might have access to phone numbers and
emailaddresses, but only managers would have access to salary information. The application
mightdene at least two roles: employee and manager; only users in the manager role are
allowedto view salary information.
Arole is dierent from a user group in that a role denes a function in an application, while a
groupis a set of users who are related in some way. For example, in the personnel application
theremight be groups such as full-time,part-time, and on-leave, but users in all these
groupswould still be in the employee role.
Rolesare dened in application deployment descriptors. In contrast, groups are dened for an
entireserver and realm. The application developer or deployer maps roles to one or more
groupsfor each application in its deployment descriptor.
Realms
A realm, also called a security policy domain or security domain, is a scope over which the server defines and enforces a common security policy. In practical terms, a realm is a repository where the server stores user and group information.
The Enterprise Server comes preconfigured with three realms: file (the initial default realm), certificate, and admin-realm. It is possible to also set up ldap, JDBC, solaris, or custom realms. Applications can specify the realm to use in their deployment descriptor. If they do not specify a realm, the Enterprise Server uses its default realm.
In the file realm, the server stores user credentials locally in a file named keyfile. You can use the Admin Console to manage users in the file realm.
In the certificate realm, the server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with the HTTPS protocol to authenticate Web clients. For more information about certificates, see “Introduction to Certificates and SSL” on page 108.
The admin-realm is also a FileRealm and stores administrator user credentials locally in a file named admin-keyfile. Use the Admin Console to manage users in this realm in the same way you manage users in the file realm.
In the ldap realm the server gets user credentials from a Lightweight Directory Access Protocol (LDAP) server such as the Directory Server. LDAP is a protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. Consult your LDAP server documentation for information on managing users and groups in the ldap realm.
Understanding Users, Groups, Roles, and Realms
Sun GlassFish Enterprise Server 2.1 Administration Guide • December 2008 • 106