11.8.2. Enabling Role-Based Access Control

By default the Role-Based Access Control (RABC) system is disabled. It is enabled by changing the provider attribute from simple to rbac. This can be done using the jboss-cli.sh tool or by editing the server configuration XML file if the server is off-line. When RBAC is disabled or enabled on a running server, the server configuration must be reloaded before it takes effect.
Once enabled it can only be disabled by a user of the Administrator or SuperUser roles. By default the jboss-cli.sh runs as the SuperUser role if it is run on the same machine as the server.

Procedure 11.1. Enabling RBAC

  • To enable RBAC with jboss-cli.sh use the write-attribute operation of the access authorization resource to set the provider attribute to rbac. 
    /core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
    [standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=provider, value=rbac)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /:reload
{
    "outcome" => "success",
    "result" => undefined
}
[standalone@localhost:9999 /]

Procedure 11.2. Disabling RBAC

  • To disable RBAC with jboss-cli.sh use the write-attribute operation of the access authorization resource to set the provider attribute to simple. 
    /core-service=management/access=authorization:write-attribute(name=provider, value=simple)
    [standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=provider, value=simple)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /:reload
{
    "outcome" => "success",
    "result" => undefined
}
[standalone@localhost:9999 /]
If the server is off-line the XML configuration can be edited to enabled or disable RBAC. To do this, edit the provider attribute of the access-control element of the management element. Set the value to rbac to enable, and simple to disable. 
<management>

        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="$local"/>
                    </include>
                </role>
            </role-mapping>
        </access-control>

    </management>
Report a bug