Authorization Groups

A user name may belong to several authorization groups (also known as roles). Authorization groups can be configured in either the JAAS file or the flat-file.

The following are examples of users and authorization groups defined in a flat-file with the required authorization groups for running a data grid with authentication and authorization:
  • Admin User - A user for authenticating the tibrealmadmin, tibdg, and tibdgproxy processes. This user has the ftl-admin role. The following statement is an example:
    admin: adminpw, ftl-admin,ftl
  • Realm Service User - A single user with roles for authenticating the primary realm service, all backup realm services, and all satellite realm services. This single user facilitates switching between a backup realm service and its primary realm service, or a satellite realm service and its primary realm service. The following statement is an example:
    rs: rspw, ftl-primary,ftl-satellite,ftl-backup,ftl-admin
  • tibdgadmind User - A user for authenticating the tibdgadmind process that requires the ftl-satellite and ftl-admin roles. The following statement is an example:
    tibdgadmind: tibdgadmindpw, ftl-satellite,ftl-admin
  • tibdg User - A user for authenticating the tibdgkeeper and tibdgnode processes, which require only the basic ftl role. The following statement is an example:
    tibdguser: tibdguserpw, ftl
  • Client Users - Additional users as required for ActiveSpaces clients. These clients only need the basic role of ftl. The following statement is an example:
    user1: user1pw, ftl
    user2: user2pw, ftl
    
When running a disaster recovery data grid with a satellite realm service, an authorization file must include the following users as described above:
  • Realm Service User - use the same name and password in all authentication files used by affiliated realm services
  • Admin User
  • tibdg User
The client users listed in an authentication file can vary between primary and satellite realm services. A tibdgadmind user is only required for the primary realm service. However, it is good practice to include a tibdgadmind user in all authentication files so it does not have to be added later when a mirror data grid needs to become the primary data grid. For more information on disaster recovery, see Disaster Recovery.
Note: No spaces are allowed between the entries in the comma-separated list of authorization groups. For example:
ftl-satellite,ftl-admin  (correct)
ftl-satellite, ftl-admin (incorrect)
Attention: As of TIBCO FTL 6.0, the authorization groups ftl-primary, ftl-satellite, ftl-backup and ftl-dr are obsolete. For each of these groups use ftl-internal instead.
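
The spacing rule and the FTL 6.0 obsolescence note above can both be checked mechanically before a flat-file is deployed. The following Python linter is an added example, not TIBCO code; it assumes the `user: password, group,group` line shape shown in the statements above, and the name `lint_flat_file` and the sample entries are constructed for illustration.

```python
import re

# Groups the FTL 6.0 note marks obsolete, and the replacement it names.
OBSOLETE = {"ftl-primary", "ftl-satellite", "ftl-backup", "ftl-dr"}
REPLACEMENT = "ftl-internal"

# Assumed line shape, taken from the page's examples: "user: password, group,group"
ENTRY = re.compile(r"^([^:\s]+)\s*:\s*([^,]*),(.*)$")


def lint_flat_file(text):
    """Return (line_no, user, message) findings; passwords are never echoed."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match is None:
            findings.append((line_no, None, "malformed entry"))
            continue
        user = match.group(1)
        password = match.group(2).strip()
        group_list = match.group(3).strip()
        if not password:
            findings.append((line_no, user, "empty password"))
        # The page's rule: no spaces between the comma-separated groups.
        if re.search(r"\s", group_list):
            findings.append((line_no, user, "whitespace inside group list"))
        groups = [g.strip() for g in group_list.split(",")]
        if not all(groups):
            findings.append((line_no, user, "empty group name"))
        stale = sorted(OBSOLETE.intersection(groups))
        if stale:
            findings.append((line_no, user, "obsolete since FTL 6.0: %s (use %s)"
                             % (",".join(stale), REPLACEMENT)))
    return findings


# Constructed sample input, not a real credential file.
SAMPLE = """\
admin: adminpw, ftl-admin,ftl
rs: rspw, ftl-primary,ftl-satellite,ftl-backup,ftl-admin
tibdgadmind: tibdgadmindpw, ftl-satellite, ftl-admin
tibdguser: tibdguserpw, ftl
user1 user1pw ftl
"""

if __name__ == "__main__":
    for line_no, user, message in lint_flat_file(SAMPLE):
        print("line %d (%s): %s" % (line_no, user or "?", message))
```

The linter reports only line numbers, user names, and group names, so its output can be pasted into a ticket or CI log without exposing the passwords stored in the file.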