view-only account?

Question to anyone: is there a way to set up a view-only account on the webMethods (3.6) B2B Integration Server admin HTTP page?

It’s possible to create a view-only account by subdividing the administrative responsibilities. What you do is create a new group (call it ROAdmins, for example) and an ACL that includes both ROAdmins and Administrators. Associate this ACL with the services used to see configuration data, but not modify the configuration data. When you do this, the new ACL will replace the Administrators ACL on the read-only services. Create one or more users who are members of the ROAdmins group. They’ll now be able to see things, but not change things. Members of the Administrators group will still have access to everything.

A somewhat more detailed description and example can be found in the Security Tech Note “Dividing Administrative Responsibilities in webMethods B2B” available on Advantage in Bookshelf → Product Security Information. [Although the title says “B2B”, this is applicable for B2B 3.x, B2B 4.x, and Integration Server 4.x.]

A note of caution: it’s easy to hurt things if you make a mistake, so be sure to back up all of your configuration files before you start!

For that matter, is it possible in the 4.6 version or not?

I mean, a way to set up a view-only account on the webMethods (4.6) B2B Integration Server admin HTTP page?

If it is possible, that would be great! (We frequently run into the problem of giving access to our production server to all.)

In fact, I suggest that we put this request on the Wish-List forum.

Regards,
Saurabh.

Thanks a lot!

I had a question. You said: “Associate this ACL with the services used to see configuration data, but not modify the configuration data. When you do this, the new ACL will replace the Administrators ACL on the read-only services.”

Which is a perfectly valid answer, but I think tedious to implement.

I think finding “all” the webMethods internal services used to edit/change the data will be time consuming, and as and when webMethods comes out with newer versions, we need to update that list.

Is there no other solution? Should we not ask webMethods to implement this cool feature in their B2B products?

Regards,
Saurabh.

Yes, it is tedious to do this, because you’ll have to figure out exactly which services need to have the new ROAdmins ACL and which ones should keep the existing Administrators ACL. The ways to figure that out are either by trial and error (e.g., move something that you suspect is needed and see what works) or by reading the usage logs to see what services are invoked when you perform particular tasks.

BTW, I forgot to say in my earlier posting but you’d have to do the same thing with the ACLs on the DSPs, so that ROAdmins have access to the services they need. And any services used by the DSPs intended for the read-only administrators need to have the ROAdmins ACL also.

I’m not claiming this is easy… just that it can be done if it’s important to you.

Yes, this can be done in 4.6 using the same technique. Putting an out-of-the-box capability on the wish list would be a good idea. However, the hard part is figuring out what to include out-of-the-box. One organization might want the read-only capability as discussed in this thread, while another organization might want to subdivide the Administrator into parts like password administrator, port administrator, account administrator, etc. It might be worth thinking about a reasonable division before you wish for it…

I’ll point out that the exact same problem exists in UNIX operating systems… it’s theoretically possible to subdivide root so you have one administrator who can add users, another who can add printers, a third who can change passwords, etc., but it’s rarely done in practice, at least not without third party products.
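The log-reading approach described in this thread can be turned into a repeatable check. The following is an added example, not part of the original posts and not webMethods code: it assumes a constructed log format (`timestamp user task service`) and hypothetical service names, and sorts observed services into those safe to move to the ROAdmins ACL, those to leave with Administrators, and those seen in both kinds of task that need manual review.

```python
from collections import defaultdict

# Constructed sample log: "<timestamp> <user> <task-label> <service>".
# The format and the service names are hypothetical, not webMethods' own.
SAMPLE_LOG = """\
2001-05-02T10:00:01 trial view-ports example.admin:listPorts
2001-05-02T10:00:02 trial view-ports example.admin:getSession
2001-05-02T10:01:10 trial view-users example.admin:listUsers
2001-05-02T10:01:11 trial view-users example.admin:getSession
2001-05-02T10:05:30 trial edit-port example.admin:listPorts
2001-05-02T10:05:31 trial edit-port example.admin:updatePort
2001-05-02T10:07:45 trial add-user example.admin:addUser
2001-05-02T10:07:46 trial add-user example.admin:getSession
"""

# Tasks the tester performed that only looked at configuration (assumed labels).
READ_ONLY_TASKS = {"view-ports", "view-users"}


def services_by_task(log_text):
    """Group the services invoked under each task label; skip malformed lines."""
    tasks = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, _user, task, service = parts
        tasks[task].add(service)
    return tasks


def plan_acls(log_text, read_only_tasks):
    """Split observed services by whether they appeared in view or change tasks."""
    viewed, changed = set(), set()
    for task, services in services_by_task(log_text).items():
        (viewed if task in read_only_tasks else changed).update(services)
    return {
        # Only ever seen while viewing: candidates for the ROAdmins ACL.
        "ROAdmins": sorted(viewed - changed),
        # Seen in both: often display helpers used by edit pages, check by hand.
        "review": sorted(viewed & changed),
        # Only seen while changing something: keep the Administrators ACL.
        "Administrators": sorted(changed - viewed),
    }


if __name__ == "__main__":
    for acl, services in plan_acls(SAMPLE_LOG, READ_ONLY_TASKS).items():
        print(acl, services)
```

Re-running the same labelled tasks after a product upgrade and comparing the output against the previous plan shows which newly introduced services still need an ACL decision.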

“Putting an out-of-the-box capability on the wish list would be a good idea”. Did this ever go into the Wish List? We should have “View Only” Admin access. This is really required for Support Teams who are supporting the Live systems. Configuration capability is required for people building & deploying the system. Sub-Dividing is different than View Only access.

Professional services folks can do such customization for you.