Friday, May 1, 2009

Application Groups in WebSphere Member Manager

The main reason for using Application Groups is for read-only LDAP repositories. Many corporate directory systems do not allow application systems to add application-specific groups. To have better access control, however, Portal administrators may have to create these specific groups. IBM® WebSphere® Member Manager (WMM) provides a convenient way to set these groups in its database tables.

This technote contains some commonly asked questions and answers regarding Application Groups.

Resolving the problem

1. Where are Application Groups stored?
WMM stores the group information in database tables:
-- WMMDBMBR stores the group names.
-- WMMGRPMBR stores the name of the group members for Application Groups.
-- WMMMBR adds an entry for users or groups registered through the Portal no matter if they were added to the LDAP or Application Groups.
-- An entry is added to USER_DESC for every group.

2. Is "LookAside" required for this configuration?
No, LookAside and Application Groups are independent of each other. LookAside is used only in the Portal environment and is used for storing user attributes which are not standard LDAP server object classes. Application Groups reside in different sets of WMM tables and are used for creating Portal-specific groups.

3. Is there any performance benchmark for Application Groups?
No, there are no benchmark tests for the performance of Application Groups.

4. Do Application Groups support nested groups? For example, User A is in Group C which in turn is in Group F.
Yes. You can use nested groups as well as LDAP groups within Application Groups. However, in general, the use of nested groups is discouraged for performance reasons.

5. Is "groupCache" still supported when Application Groups are configured?
Yes, the "groupCache" configuration in WMM is for LDAP repository only. There is no conflict between "groupCache" and Application Groups, but Application Groups are not cached.

6. Can you change the suffix of Application Groups from "o=default organization" to something similar to ""?
No. However, you can use node maps. For example, 'o=default organization' is the default root organization of the database. If you want to change the name in the database, you must modify the schema/bootstrap file which is not supported. But you can map it to others in wmm.xml and then use something similar to '' in the application. For example, between
... ,
you can add

7. Are there differences between realm support (WMMUR) and non-realm support (non-WMMUR) configurations with regards to Application Groups?
No. There is no difference for Application Groups regarding realm.

8. When configuring the group search filter, what group ObjectClass will be used for Application Groups?
Example: "groupOfNames," "groupOfUniqueNames," or something else?
Application Groups is stored in the database and ObjectClass is for LDAP only. You do not have to specify ObjectClass for Application Groups.

9. Can you still use groups in the LDAP server after configuring Application Groups?
After configuring Application Groups, both LDAP and database will be searched during group membership search. The Portal administrators group (wpsadmins) and all groups in LDAP will be searched and all the groups within the search base and search filter defined in LDAP repository stanza of wmm.xml, will be found correctly.

10. Is there a mechanism in WMM to prevent naming conflicts? Can you have groups of the same names within the LDAP and Application Groups?
Since the configuration for LDAP and Application Groups is in separate naming spaces, groups in LDAP and Application Groups are not in the same parent so there would be no conflict. However, a naming convention is recommended in practice for easy identification.
Example: Make all groups prefixed with "ag_," such as "ag_Managers."

11. What would the impact be should you decide to remove the Application Groups? Will the system stop working?
All the group membership information would be lost for Application Groups. The impact depends on how Portal Access Control (PAC) is configured. The recommendation is that before taking Application Groups away, you should create corresponding groups in LDAP to reflect all the configurations associated with Application Groups. A full XMLAccess export should give a complete picture of the ACLs.

12. Can Application Groups be used for admin groups in virtual portals?
Yes. Application Groups can be used just like other groups that participate in a multi-realm configuration. Therefore, the groups in Application Groups can be configured as admin groups in virtual portals.

13. Can you use Application Groups with External Security Managers (ESM), such as Tivoli® Access Manager?
No. The ESM must share an LDAP User profile repository with WebSphere Application and Portal servers. Application Groups are known only to the Portal.

14. Where can you find more information about Application Groups?
For more information, refer to the topic, "Enabling Application Groups", in the WebSphere Portal Information Center for V6.0 or the WebSphere Portal Information Center for V5.1.