Granting Deployer role access to datasources in EAP management console
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 6.2
  - 6.3
  - 6.4
  - 7
- RBAC enabled in JBoss EAP
Issue
- Deployer role has no permissions to add a datasource
- How can I enable the "Test Connection" button in order to test a datasource connection from the JBoss EAP Admin Console for a Deployer role?
- Added "configured-application" to the data-source classification, but the management console still does not allow modification of datasources for the Deployer role:
cd /core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=data-source
:write-attribute(name=configured-application, value=true)
Resolution
To allow the Deployer role to create and modify datasources and to test their connections, add Application Resource Constraints to both the xa-data-source and data-source classifications. For example:
/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=data-source:write-attribute(name=configured-application,value=true)
/core-service=management/access=authorization/constraint=application-classification/type=datasources/classification=xa-data-source:write-attribute(name=configured-application,value=true)
To be able to set username/password or security-domain, enable write access explicitly:
EAP 6
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=credential:write-attribute(name=configured-requires-read,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=credential:write-attribute(name=configured-requires-write,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain-ref:write-attribute(name=configured-requires-write,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=datasources/classification=data-source-security:write-attribute(name=configured-requires-write,value=false)
EAP 7
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=credential:write-attribute(name=configured-requires-read,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=credential:write-attribute(name=configured-requires-write,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain-ref:write-attribute(name=configured-requires-addressable,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain-ref:write-attribute(name=configured-requires-read,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=core/classification=security-domain-ref:write-attribute(name=configured-requires-write,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=datasources/classification=data-source-security:write-attribute(name=configured-requires-read,value=false)
/core-service=management/access=authorization/constraint=sensitivity-classification/type=datasources/classification=data-source-security:write-attribute(name=configured-requires-write,value=false)
Note: This allows write access to password attributes not only for datasources but also for resource adapters, messaging, etc.
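Added example, not part of the original solution or of Red Hat's tooling: a Python sketch that takes write-attribute commands like the ones above and derives, for each, a read-back command and a rollback command, flagging the changes that relax a sensitivity classification rather than an application classification. It assumes the generic `read-attribute` and `undefine-attribute` management operations and that undefining a `configured-*` attribute returns the classification to its built-in default; the function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample: four of the write-attribute commands from the Resolution.
BASE = "/core-service=management/access=authorization/constraint="
CHANGES = f"""\
{BASE}application-classification/type=datasources/classification=data-source:write-attribute(name=configured-application,value=true)
{BASE}sensitivity-classification/type=core/classification=credential:write-attribute(name=configured-requires-read,value=false)
{BASE}sensitivity-classification/type=core/classification=security-domain-ref/:write-attribute(name=configured-requires-addressable,value=false)
{BASE}sensitivity-classification/type=datasources/classification=data-source-security:write-attribute(name=configured-requires-write,value=false)
"""

# Address, optional trailing slash, then the write-attribute operation.
CMD = re.compile(r"^(/[^:]+?)/?:write-attribute\(name=([\w-]+),\s*value=(\w+)\)$")

def parse(line):
    """Split one CLI line into address, address keys, attribute and value."""
    m = CMD.match(line.strip())
    if not m:
        raise ValueError(f"not a write-attribute command: {line!r}")
    address, attribute, value = m.groups()
    keys = dict(part.split("=", 1) for part in address.strip("/").split("/"))
    return {"address": address, "attribute": attribute, "value": value, **keys}

def relaxes_sensitivity(change):
    """True when the change switches off a sensitivity requirement (server-wide)."""
    return (change["constraint"] == "sensitivity-classification"
            and change["attribute"].startswith("configured-requires-")
            and change["value"] == "false")

def review_plan(text):
    """Per change: a read-back command, a rollback command and a risk flag."""
    plan = []
    for line in filter(None, map(str.strip, text.splitlines())):
        c = parse(line)
        plan.append({
            "verify": f"{c['address']}:read-attribute(name={c['attribute']})",
            "rollback": f"{c['address']}:undefine-attribute(name={c['attribute']})",
            "relaxes_sensitivity": relaxes_sensitivity(c),
            "classification": f"{c['type']}/{c['classification']}",
        })
    return plan

if __name__ == "__main__":
    for item in review_plan(CHANGES):
        flag = "SENSITIVITY RELAXED" if item["relaxes_sensitivity"] else "application scope"
        print(f"[{flag}] {item['classification']}\n  {item['verify']}\n  {item['rollback']}")
```

The generated commands are meant to be pasted into the management CLI by an administrator reviewing the change, so that every relaxed classification is confirmed after the change and can be reverted individually.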