Environment

• The Operators cannot modify server configuration or access sensitive data or operations and to execute the below CLI cmd defined in kcs article[1] it needs an super user permission.

[domain@localhost:9999 /] cd /core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=system-property
[domain@localhost:9999 classification=system-property] :write-attribute(name=configured-requires-read, value=true)

• So we need to make sure that the user which is executing this CLI command is SuperUser.
• By the Maintainer/operator user if this command gets executed then the following outcome should appears :

/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=system-property:write-attribute(name=configured-requires-write, value=false)
Failed to get the list of the operation properties: "JBAS014807: Management resource '[
    ("core-service" => "management"),
    ("access" => "authorization"),
    ("constraint" => "sensitivity-classification"),
    ("type" => "core"),
    ("classification" => "system-property")
]' not found"

• The table 6.1 shows the Role Permission Matrix from documentation link [3]

Note : The access restraint is on "system-property" which means anywhere where "system-property" is used.So you can grant access but then its in everywhere.

• Question: We would like this rule to apply only to group properties. Is that possible?
  • This is not possible. It all system properties everywhere - or no system properties anywhere.

[1] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Security_Guide/sect-Configuring_Constraints.html
[2] https://access.redhat.com/solutions/894433
[3] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.3/html-single/Security_Guide/index.html#About_Role-Based_Access_Control_RBAC