I have been tasked to setup a WebSphere as a service . This install will house many different customer's applications. The customer's will need to logon to the deployment manager so I will need to setup different roles for each logon. I do not want one customer to stop, start and change configurations for another customer's servers. Can you point me to best practices document for "WebSphere as a service ". ?

Fine-grained access control to the console is a good start, but here are a few more considerations.

Does it need to run on the same infrastructure? At the company where I work we offer something similar, but resources are never shared between customers. Try to avoid sharing JVMs, nodes, cells, and servers/virtual machines, in that order. 

If you share JVMs, a bug on one customer's application might bring another customer's systems. If you use the same nodes and cell, you would need to be careful to only allow customers to make changes to things at the application server level, otherwise a namespace binding or datasource could be used by a client who is not the owner of the resource.

I can think of a few more things to consider (especially if you intend to share physical servers or virtual machines) such as using different runAs users, Java 2 security policies, isolated filesystems per app or client, and so on.

Martin, thank you for that info. We will on your advice plan on sharing in the order you selected. We also want to hook this up to a Windows domain controller and control access the the dmgr based on groups and roles.

thank you