It's all about the answers!

Ask a question

IBM i , WAS 7.0 ; Local System User -"You are using a directory service that is not writable. User roles cannot be modified"

Sasikumar Manickam (1035) | asked Apr 05 '14, 11:16 p.m.
Hi - 
We are exploring Jazz 4.0 on IBM i, V6R1 and WAS 7.0
1- In WAS, Application level security ( CCM.war , qm.war, and jts.war) enabled and "JazzUsers" mapped to system some of our user's ID.
2- Jazz Admin page, I have created user IDs (same as OS profile ID ) with email address & name. I can assign "Rational Team Concert - Developer for IBM Enterprise Platforms" and  "Rational Team Concert - Developer" etc client Access Licenses. But I am not able give repository permissions. A notice displayed "You are using a directory service that is not writeable. User roles cannot be modified"
Users unable to login to project invitation url like "https://dev_ibmi:9443/ccm/web/projects/testproejct
Idea is to give my developers access to Jazz using IBMi user profile and accept invitations and work on the project.


6 answers

permanent link
Lily Wang (4.9k714) | answered Apr 06 '14, 10:49 p.m.
Hi Sasikumar,
If you are using WAS as the application server, the user's repository permission is not controlled in JTS. From your description, you are using OS users and groups management in WAS. Then you need to add the user into the OS level group which you used to may to JazzUsers group in WAS application level security.
You can refer to the following links about the user management with WAS:

permanent link
Andreas Nicoladoni (19612523) | answered Apr 07 '14, 2:38 a.m.

Hi Saskiumar,

we are using RTC since version 2 on our IBM-i.

We have taken the following steps the enrol users to RTC.

We enabled security in WAS with the usergroup JAZZUSER mapped to i-series user JAZZUSER

On system-i each user we want to include to the RTC-User group has in the additional groupprofile the profile jazzuser.

This soulution works for us.

Sasikumar Manickam commented Apr 07 '14, 7:17 p.m.

 I am still not able to get through this..

1- In WAS, what would be the value in User account repository under  global security?
2- Do we need to add user profiles at the application level? Jts.war, ccc.war etc.
3- Do we need to make any configuration change in WAS - Under Users and Groups -> Manage User and Manage groups?

All we want is ability to login to RTC with IBM i user IDs.

permanent link
Andreas Nicoladoni (19612523) | answered Apr 08 '14, 1:50 a.m.

Hi Saskiumar,

to 1 the value must be local system and realname ist the name of your i-series

to 2 you have to apply security roles for user and groups for each apllication.

to 3 there is no need to configure anything.

With this configuration you should be able to login to RTC with i-Series users if the i-Series have a groupprofile like JAZZUSER

I hope this help you to login to RTC with i-series User


Sasikumar Manickam commented Apr 08 '14, 3:56 a.m.

We are able to login using IBM i profile (PGMR)... but whenever we log-in using a regular this profile (JAZZUSER group profile), https://dev_ibmi:9443/ccm/admin shows "ADMIN" name on top right corner. The "view my profile license " shows as JazzAdmins, DWAdmin and Jazzuser.. but this regular user profile znd it should have only "jazzuser" authority, and it shouldn't allow to create jazz local users and other Admin functions.

(unable to upload screenshot..)

permanent link
Andreas Nicoladoni (19612523) | answered Apr 08 '14, 4:05 a.m.


I think there are configurations missing in global security.

Have you set the application security and administration security? I think these two must be set to resolve the problem

Sasikumar Manickam commented Apr 08 '14, 4:23 p.m.

please see below.. 

permanent link
Sasikumar Manickam (1035) | answered Apr 08 '14, 4:23 p.m.
edited Apr 08 '14, 6:24 p.m.
My setting i as below:
  •  Enable administrative security  - Checked
  •  Enable application security -Checked 
  • Java 2 security - unchecked
  • User account repository - Local operating system
    •   General Properties
    • Primary administrative user name : MYPROFILE
    • Automatically generated server identity selected
  • LTPA
  • Use realm-qualified user names -Checked
- Application security

Enterprise Applications > ccm.war > Security role to user/group mapping

Select Role Special subjects Mapped users Mapped groups
JazzAdmins None SMANI
JazzDWAdmins None SMANI
JazzUsers None SMANI
JazzGuests None SMANI
JazzProjectAdmins None SMANI
Similar for all other apps.
I need SMANTEMP profile as just user; not ADMIN. it belongs to QPGMR group

Appreciate your help..

permanent link
Andreas Nicoladoni (19612523) | answered Apr 09 '14, 2:17 a.m.


in our configuration we have no mapped users, we only configure mapped groups with JAZZ* user profiles like you have for jazzguests. On System-i the jazzusers is passed as group profile for each developer. Our developer profiles have userclass *PGMR.

Your answer

Register or to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.