IBM Integration Bus, Version 10.0.0.0 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Tasks and authorizations for administration security

If you enable integration node administration security, users require specific permissions so that they can complete administration tasks.

The following table lists the actions that a user can perform, and the permissions that you must set so that the user can complete each task when administration security is enabled. The permissions are required regardless of how the user requests the action: from a custom integration application, the web user interface, or the IBM® Integration Toolkit.
Note: If you are using the web user interface for administration, then you must have permission to view integration node properties in addition to the permissions required for administering the integration node resources that are listed in the following table.

In addition to the permissions that are required for the tasks that are shown in the following table, permissions are also required for connecting to the integration node. For more information, see Authorizing users for administration.

| Task category | Tasks | MQ queue-based security: WebSphere® MQ queue | MQ queue-based security: WebSphere MQ permission (set on setmqaut command) | File-based security: Object flag (set on mqsichangefileauth command) | File-based security: File permission (set on mqsichangefileauth command) |
|---|---|---|---|---|---|
| Integration node | Set integration node properties | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | View integration node properties | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| Configurable services | Create or delete configurable services | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | Set configurable services properties | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | View configurable services properties | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| Integration servers | Create or delete integration servers | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | Rename integration servers | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | List integration servers | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | Start or stop integration servers | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH or SYSTEM.BROKER.AUTH.EG | +SET | -e integration_server | execute+ |
| | Set integration server properties | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| | View integration server properties | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +INQ | -e integration_server | read+ |
| Resource statistics | Start or stop resource statistics collection | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG (see note 1) | +SET | -e integration_server | execute+ |
| | Report resource statistics | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG (see note 2) | +INQ | -e integration_server | read+ |
| Message flows | Deploy | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| | List message flows and other deployed objects | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +INQ | -e integration_server | read+ |
| | Start or stop message flows | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +SET | -e integration_server | execute+ |
| | Delete resources from an integration server | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| Web user interface | Logon to the web user interface | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | Create, delete, or modify web users | SYSTEM.BROKER.AUTH | +PUT | | write+ |
| | Changing a web user's password in the web user interface (supplying the old password) | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| Record and replay | View recorded data with record and replay (apart from bit stream and exception-list data) | SYSTEM.BROKER.AUTH, SYSTEM.BROKER.AUTH.EG (see note 4), and SYSTEM.BROKER.DC.AUTH | +INQ | -e integration_server, -o datacapture | read+ |
| | View recorded data with record and replay (bit stream or exception-list data) | SYSTEM.BROKER.DC.AUTH | +INQ | -o datacapture | read+ |
| | Replay data | SYSTEM.BROKER.DC.AUTH | +INQ +SET | -o datacapture | read+,execute+ |
| Services | View or import an MQ service from the Integration Registry | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | Create or delete an MQ service in the Integration Registry | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| Policies | View policies in the web user interface | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | Create, update, or delete policies in the web user interface | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | Attach a policy to an integration server | SYSTEM.BROKER.AUTH.EG | +INQ +PUT | -e integration_server | read+,write+ |

Notes:
  1. If you are changing resource statistics collection for all integration servers on the integration node, you must grant execute authority for all integration servers.
  2. If you are reporting resource statistics collection for all integration servers on the integration node, you must grant read authority for all integration servers.
  3. In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the name of your integration server.
  4. In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the value of the egForView property that you specify in your DataCaptureStore configurable service.
  5. In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the value of the egForReplay property that you specify in your DataDestination configurable service.
  6. Where no object flag is specified on the mqsichangefileauth command, the file-based permissions are set at the level of the integration node.

If you grant a user ID authority at the integration node level (on queue SYSTEM.BROKER.AUTH), it does not inherit authority for integration servers. You must explicitly grant authority to all, or to individual, integration servers.
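
The no-inheritance rule above, as an added example (not IBM's code): a shell function that prints the node-level grant plus one explicit grant per integration server, for either security mode. The queue manager, node, group and server names are constructed, and the -m/-n/-t/-g arguments of setmqaut and the node-name, -r and -p arguments of mqsichangefileauth are assumed from those commands' general syntax rather than taken from this page.

```shell
# Added example: prints grant commands for review; it executes none of them.
# Assumed: setmqaut -m/-n/-t/-g, and mqsichangefileauth <node> -r <role> -p <perms>.

# Map a task from the table to "<MQ permission> <file permission>" required
# on each integration server (the node level always needs +inq / read+).
task_perms() {
  case "$1" in
    list)    echo "+inq read+" ;;     # List message flows and deployed objects
    deploy)  echo "+put write+" ;;    # Deploy; delete resources
    flowctl) echo "+set execute+" ;;  # Start or stop message flows
    *)       return 1 ;;
  esac
}

# grant_cmds MODE NODE_OR_QMGR ROLE TASK SERVER...
# MODE is "mq" (queue-based security) or "file" (file-based security).
grant_cmds() {
  mode=$1 target=$2 role=$3 task=$4
  shift 4
  perms=$(task_perms "$task") || { echo "unknown task: $task" >&2; return 1; }
  mqperm=${perms% *}
  fileperm=${perms#* }
  [ "$#" -gt 0 ] || { echo "no integration servers named" >&2; return 1; }
  case "$mode" in
    mq)
      # Node-level grant: needed for the task, but not inherited by servers.
      echo "setmqaut -m $target -n SYSTEM.BROKER.AUTH -t queue -g $role +inq"
      for eg in "$@"; do
        echo "setmqaut -m $target -n SYSTEM.BROKER.AUTH.$eg -t queue -g $role $mqperm"
      done ;;
    file)
      echo "mqsichangefileauth $target -r $role -p read+"
      for eg in "$@"; do
        echo "mqsichangefileauth $target -r $role -e $eg -p $fileperm"
      done ;;
    *) echo "mode must be mq or file" >&2; return 1 ;;
  esac
}

# Constructed names: queue manager IB10QMGR, node IB10NODE, group deployers,
# integration servers "default" and "batch".
grant_cmds mq   IB10QMGR deployers deploy default batch
grant_cmds file IB10NODE deployers deploy default batch
```

Each integration server passed on the command line gets its own line of output; a server that is left off receives no grant, which is the behaviour the paragraph above describes.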


bp43530_.htm | Last updated 2015-03-27 19:28:33