11.9. Managing Roles

11.9.1. About Role Membership

When Role-Based Access Control (RBAC) is enabled, what a management user is permitted to do is determined by the roles that the user is assigned to. JBoss EAP 6.2 uses a system of includes and excludes based on both the user and group membership to determine what role a user belongs to.

A user is considered to be assigned to a role if:
  1. The user is:
    • listed as a user to be included in the role, or
    • a member of a group that is listed to be included in the role.
  2. The user is not:
    • listed as a user to exclude from the role, or
    • a member of a group that is listed to be excluded from the role.

Exclusions take priority over inclusions.

Role include and exclude settings for users and groups can be configured using both the Management Console and the jboss-cli.sh tool.

Only users of the SuperUser or Administrator roles can perform this configuration.