Chapter 6. Secure the Management Interfaces with Role-Based Access Control

6.1. About Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) is a mechanism for specifying a set of permissions for management users. It allows multiple users to share responsibility for managing JBoss EAP 6 servers without each of them requiring unrestricted access. By providing "separation of duties" for management users, JBoss EAP 6 makes it easy for an organization to spread responsibility between individuals or groups without granting unnecessary privileges. This ensures the maximum possible security of your servers and data while still providing flexibility for configuration, deployment, and management.

Role-Based Access Control in JBoss EAP 6 works through a combination of role permissions and constraints.

Seven predefined roles are provided that each have different fixed permissions. The predefined roles are: Monitor, Operator, Maintainer, Deployer, Auditor, Administrator, and SuperUser. Each management user is assigned one or more roles, which specify what the user is permitted to do when managing the server.

Important

Before changing the provider to rbac, be sure your configuration has a user who will be mapped to one of the RBAC roles, preferably with at least one in the Administrator or SuperUser role. Otherwise your installation will not be manageable unless it is shut down and the XML configuration is edited.
If you have started with one of the standard XML configurations shipped with JBoss EAP 6, the $local user will be mapped to the SuperUser role and the local authentication scheme will be enabled. This will allow a user running the CLI on the same system as the JBoss EAP 6 process to have full administrative permissions. Remote CLI users and web-based admin console users will have no permissions.
Map at least one user other than $local before switching the provider to rbac.
Report a bug