It's all about the answers!

Ask a question

QM You are using a directory service that is not writable. User roles cannot be modified.

Mingzuo Shen (13158) | asked Nov 06 '13, 5:09 p.m.
edited Nov 07 '13, 10:05 a.m. by Max Bridges (24126)

Newbie question please?

I have RQM 4.0.3 on Windows.
During setup (jts/setup), I chose "Non-LDAP external registry".
Somehow I created a user in QM (mshen)
with the desired Repository Permissions:
JazzAdmins checked
JazzDWAdmins checked
JazzGuests checked
JazzUsers checked
JazzProjectAdmins checked
Now I need to create more users with all the Jazz*
permissions or some of them.
Now I create users in WebSphere.
I then create users in JTS.
But in JTS I see:
Notice: You are using a directory service that is not writable. User
roles cannot be modified.

Please help - how do I modify user roles in QM now?
Seems I need to link a user in QM to a user in WebSphere?

Accepted answer

permanent link
Sunil Kumar R (1.1k12143) | answered Nov 07 '13, 3:32 a.m.
edited Nov 07 '13, 3:33 a.m.
Hello Mingzuo, When during setup you choose "Non-LDAP external registry" as the user registry type. Automatically, CLM will look for users on other than Tomcat / LDAP.

So further to this, you need to configure WAS with federated realm as detailed in article # 97

Once the above is done, you can modify the user settings in WAS which is automatically refreshed and picked by Jazz Applications using it.. So you need no to import these users into JTS. i.e., you would modify the users in WAS federated repository..

Do let me know if you have any further questions..

Best Regards
Ralph Schoon selected this answer as the correct answer

Mingzuo Shen commented Nov 07 '13, 3:09 p.m.

Thanks. The graphics on article #97 are too small,
and the article appears to be too old anyway.
My WAS is 8.5 and QM is 4.0.3.
My problem seems to be, group membership of users in WAS
are not picked up by JTS.
For example, testuser001 is in the JazzAdmins group in WAS,
how do I make testuser001 to have JazzAdmins role in JTS?

Ralph Schoon commented Nov 08 '13, 1:50 a.m.

Regardless how old the article is, the mechanism did not change. You have to do the user/group mapping in WAS first, then associate the roles to repository roles, in the security settings. You have to do that for your initial admin user you create during setup, before the setup. You might be able to get away with doing it after the setup, though.

2 other answers

permanent link
Ralph Schoon (57.0k23642) | answered Nov 07 '13, 3:17 a.m.
edited Nov 07 '13, 3:18 a.m.
With WAS, you have either the option to use LDAP, in which case you have to create LDAP users with the repository roles in LDAP or you can use the WAS user registry, where you have to manage the users first and can use them in CLM later. This is explained here: and might provide you with more hints.

I would suggest to use LDAP. There are free LDAP systems available. I think we show how that works in and we show using Windows Active directory here: .

Mingzuo Shen commented Nov 07 '13, 10:02 a.m.

Thanks, but at this point I would rather not get into LDAP.
"File-based", that sounds simple and promising.
As I said, I somehow already have a user with the desired roles.
If it is file based, where is the file?
Presumably, that file has my one correct user.
Maybe I can edit that file,
copying my one correct user to create additional users?

Ralph Schoon commented Nov 07 '13, 10:23 a.m. | edited Nov 07 '13, 10:23 a.m.

It is managed within WebSpehere Application Server. I am not sure there is a file you can work with. You have to create the users within the WebSphere administration console and map the users to their repository roles.

This works well for a few users, but I don't think it scales to a lot of users. At some point LDAP is way easier to maintain.

Mingzuo Shen commented Nov 07 '13, 2:54 p.m.

For now we plan to have at most a few users in QM.
I believe my problem at the moment is to edit the roles.
Please take a look at the following screen shots.
The user "mshen" was created during JTS setup, and it has JazzAdmins role.
Now, in WAS I create the JazzAdmins group,
create user testuser001 and put testuser001 in JazzAdmins.
If only I can make testuser001 to have JazzAdmins role in JTS.

Ralph Schoon commented Nov 08 '13, 1:47 a.m. | edited Nov 08 '13, 1:48 a.m.

As far as I recall, you have to create the user e.g. mshen in the WAS registry and associate him to the JazzAdmin Group before you even run the setup. You have to map the user to the group and the group to the repository roles in Jazz. Please look at Some of the labs the deployment of an application and mapping the groups to the repository roles.

Once you do that, the check marks appear in Jazz. You can not check the repository roles, as they are granted by setting up the mapping in the WAS registry.

permanent link
Mingzuo Shen (13158) | answered Nov 09 '13, 8:41 p.m.

Thanks to Sunil and Ralph, seems I am ok now.
I am still using the "file-based realm", no LDAP at this point.
In QM when I am logged in as user "x", its own
repository permissions are checked, any other
users' repository permissions are shown as not-checked.
Seems I have to assign each user to all 5 groups
This seems progress!

Your answer

Register or to post your answer.