Authorization Groups

A user name may belong to several authorization groups (also known as roles). Authorization groups can be configured in either the JAAS file or the flat-file.

The following are examples of users and authorization groups defined in a flat-file with the required authorization groups for running a data grid with authentication and authorization:

Admin User - A user for authenticating the tibrealmadmin, tibdg, and tibdgproxy processes which has the ftl-admin role and the tibdg-internal role. The following statement is an example:
```
admin: adminpw, tibdg-internal,ftl-admin,ftl
```
Realm Service User - A single user with roles for authenticating the primary TIBCO FTL realm and all satellite realms. This single user facilitates switching between a backup realm service and its primary realm service, or a satellite realm service and its primary realm service. The following statement is an example:
```
rs: rspw, ftl-internal,ftl-admin
```
tibdgadmind User - A user for authenticating the tibdgadmind process that requires the ftl-internal and ftl-admin roles. The following statement is an example:
```
tibdgadmind: tibdgadmindpw, ftl-internal,ftl-admin
```
tibdg User - An internal tibdg user for starting and authenticating internal grid processes like the tibdgkeeper and tibdgnode, which require the basic ftl role and the tibdg-internal role. The following statement is an example:
```
tibdguser: tibdguserpw, tibdg-internal,ftl
```
Client SQL DDL Users - Additional users as required for ActiveSpaces clients who also have permission to execute SQL DDL statements such as CREATE TABLE. See the section on Grid and Table Permissions. The following is an example:
```
user3: user3pw, tibdg-ddl,ftl
```
Client Users - Additional users as required for ActiveSpaces clients. These clients only need the basic role of ftl. The following statement is an example:
```
user1: user1pw, ftl
user2: user2pw, ftl
```

When running a disaster recovery data grid with a satellite realm service, an authorization file must include the following users as described above:

Realm Service User - use the same name and password in all authentication files used by affiliated realm services
Admin User
tibdg user

The client users listed in an authentication file can vary between primary and satellite realm services. A tibdgadmind user is only required for the primary realm service. However, it is a good practice to include a tibdgadmind user in all authentication files so that it does not have to be added later when a mirror data grid needs to become the primary data grid. For more information about disaster recovery, see Disaster Recovery.

Note: No spaces are allowed between the comma separated list of authorization groups. For example:

ftl-satellite,ftl-admin  (correct)
ftl-satellite, ftl-admin (incorrect)