ACL settings for Realm users

Hi,

I have created two groups, admins and viewers. Added users to these groups accordingly.
In the ACL tab, I removed full access for @, Everyone and viewers and have given only Access ACL and nothing else.

When I try to log in to both Enterprise Manager or Viewer with any user in the viewer group, I get the error: No Privilege for Attempted operation. User not authorised for any realm admin functions.

I get the same error from Enterprise Viewer also. How do I set view-only access for users?

Except for Full access, I have checked all other settings and it is working. Is this the correct way of giving only view access?

I have learnt that the minimum access required for connecting to the realm from EM is Access ACL and AdminAPI ACL.
But with these two, one can delete a connection factory. Apart from this, one cannot delete anything else.

Please correct me if I can restrict connection factory access from EM and not from EV.

Kavitha,
by default a realm admin will have full access to all channels, including the JNDI namespace. If you want to prevent this then set the Realm property Global Values/AllowRealmAdminFullAccess to false and then deny access to Everyone in the ACL for the naming/defaultContext channel.

Hi Jonathan,

I have made this change and kept only Access ACL given to Everyone. If I do this, Everyone (viewer) group members are not able to log in to EM or EV.

If I add Admin API to the Everyone group, we are able to log in to EM or EV. But from EM (Enterprise Manager), one can delete JNDI connection factories and also delete the interface created.

Note that you will still have to enable AdminAPI access at the realm level.
The settings I provided in my previous response will then ensure that EM users will not be able to (accidentally) manage JNDI entries.

Thanks Jonathan,

What I have observed is that the user is still able to delete the interface created. I want to give only view access on all the components in the realm.

Please advise.

If you truly want read-only, then you should use Enterprise Viewer and not Enterprise Manager.
Alternatively you can use Command Central and define your user in the read-only group, if Command Central provides the visibility to the items you want.

I faced a similar issue. I accidentally removed the access for Everyone and am not able to access via Manager and Viewer. How do I remove the changes? I want to access the realm server via both.

Did you happen to resolve that? We are facing the same issue.

Thanks,
Chitra

Yes, I resolved this issue.

Hi Mani,

Good to know you were able to resolve the issue.

Can you please mention how you did that? It will help other community users in case they face a similar issue.

Hi,

It can be solved in the following ways, and I tried it.

Backup files are always available for the files realms.nst and SecurityGroups.nst in the UM folder data\RealmSpecific.
Please restore them and restart the UM.

Or else you can copy and use them from a different environment.

If both options didn't work, update the files SecurityGroups.nst and Realms.nst, which exist in the same folder. Though these files are encrypted, you can modify them in a few places. I removed the group names and updated them to Everyone in both files. It solved the issue and the UM ACL settings were restored with the Everyone allow options.

If you need more details, let me know. Happy to help you.

Thank you
Manikandan Ganesan
Integration Consultant
ANATAS


Thanks Mani.

The first option worked fine: restored realms.nst and securitygroups.nst, and restarted UM. Thanks for providing the solution.

Thanks,
Chitra