Administrative user roles

The WAS Administration console application uses the J2EE role-based authorization concept. It has following roles


  • Monitor: Least privileged. Allows a user to view the WebSphere
    configuration and current application server state.A monitor can complete the following tasks:

    • View the WebSphere Application Server configuration.

    • View the current state of the Application Server.


  • Configurator: An individual or group that uses the configurator role has the monitor privilege plus the ability to change the WebSphere Application Server configuration. The configurator can perform all the day-to-day configuration tasks. For example, a configurator can complete the following tasks:


    • Create a resource.

    • Map an application server

    • Install and uninstall an application.

    • Deploy an application.

    • Assign users and groups-to-role mapping for applications.

    • Set up Java 2 security permissions for applications.

    • Customize the Common Secure Interoperability Version 2 (CSIv2), Secure Authentication Service (SAS), and Secure Sockets Layer (SSL) configurations..


  • Operator: Monitor privilege in addition to the ability to change runtime state, such as starting or stopping server, also check server status.

  • Deployer: Only available for wsadmin users (not administration console). Allows a user to change configuration and runtime state on applications using wsadmin.

  • Admin Security Manager: Allows a user to map users and groups to administrative roles through the administrative console, or through wsadmin for fine-grained security. Also, when fine grained administrative security is used, users granted this role can manage authorization groups

  • iscadmins: Only available for administration console users. Allows a user to manage users and groups in the Federated repositories.

  • Administrator: Operator, configurator, and iscadmins privilege, in addition to additional privileges granted solely to the administrator role, such as:

    1. Modifying the primary administrative user and password

    2. Create, update, and delete users and groups

    3. Enabling or disabling administrative and Java 2 security




The primary administrative user specified when enabling administrative security is automatically mapped to the Administrator and AdminSecurityManager roles. Therefore, it is not necessary to manually add this identity to either of these administrative roles.