IBM Integration Bus, Version 10.0.0.0 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Permissions for acting on integration nodes and resources

Permissions are required for users to act on the integration node and its resources.

The following table shows the permissions that are required for users to carry out specific tasks, depending on whether you are using queue-based or file-based administration security. If you are using any IBM® Integration Bus functions that require access to WebSphere® MQ, you must also set the required permissions for connecting to the queue manager that is specified on the integration node. For information about the permissions that are required for connecting to the queue manager, see Permissions for connecting to a queue manager.

Table 1. Permissions required for acting on an integration node and its resources
| Object level | Action | Integration node permission | MQ queue-based security: WebSphere MQ queue | MQ queue-based security: WebSphere MQ permission (set on setmqaut command) | File-based security: Object flag (set on mqsichangefileauth command) | File-based security: File permission (set on mqsichangefileauth command) |
|---|---|---|---|---|---|---|
| Integration node | View | read | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| Integration node | Create | write | SYSTEM.BROKER.AUTH | +PUT | | write+ |
| Integration node | Delete | write | SYSTEM.BROKER.AUTH | +PUT | | write+ |
| Integration node | Modify | write | SYSTEM.BROKER.AUTH | +PUT | | write+ |
| Integration node | Start | execute | SYSTEM.BROKER.AUTH | +SET | | execute+ |
| Integration node | Stop | execute | SYSTEM.BROKER.AUTH | +SET | | execute+ |
| Integration server | View | read | SYSTEM.BROKER.AUTH.EG | +INQ | -e integration_server | read+ |
| Integration server | Create | write | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| Integration server | Delete | write | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| Integration server | Modify | write | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| Integration server | Start | execute | SYSTEM.BROKER.AUTH.EG | +SET | -e integration_server | execute+ |
| Integration server | Stop | execute | SYSTEM.BROKER.AUTH.EG | +SET | -e integration_server | execute+ |
| Data capture object | View | read | SYSTEM.BROKER.DC.AUTH | +INQ | -r datacapture | read+ |
| Data capture object | Replay | execute | SYSTEM.BROKER.DC.AUTH | +SET | -r datacapture | execute+ |

Where no object flag is specified on the mqsichangefileauth command, the file-based permissions are set at the level of the integration node.

For information about using the mqsichangeauthmode command to specify an authorization mode, see Configuring administration security to use file-based or queue-based authorization.

If the queue-based mode of administration security (mq mode) is enabled when you create an integration node, the queue SYSTEM.BROKER.AUTH is created. Read, write, and execute permissions are granted automatically to the user group mqbrkrs on this queue. The SYSTEM.BROKER.AUTH queue is created as a local queue, and is used to define which users are authorized to perform actions on the integration node and the integration node properties.

When you create an integration server on an integration node for which you have enabled queue-based security, the integration server authorization queue SYSTEM.BROKER.AUTH.EG is created, where EG is the name of the integration server. Read, write, and execute permissions are automatically granted to the user group mqbrkrs on this queue.

When you use the mqsicreatebroker command to create an integration node with an associated queue manager, the SYSTEM.BROKER.DC.AUTH queue is created automatically. If you create an integration node without specifying a queue manager, you can modify the integration node afterwards to specify a queue manager and enable administration security in mq mode; however, you must also create the SYSTEM.BROKER.DC.AUTH queue. For information about creating the system queues, see Creating the default IBM Integration Bus queues on a WebSphere MQ queue manager.

For more information about the creation of authorization queues, see Authorization queues for queue-based administration security.
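The following Python sketch is an added example, not part of the IBM documentation: it replays a list of setmqaut commands against the authorization queues and reports which Table 1 actions each group ends up with in queue-based mode, which is useful when reviewing a grant script for least privilege. The sample commands and the queue manager, group and integration server names are constructed for illustration.

```python
import shlex
from collections import defaultdict
# Table 1: MQ authority -> integration node permission -> actions it allows.
PERM = {"inq": "read", "put": "write", "set": "execute"}
ACTIONS = {"read": ["View"], "write": ["Create", "Delete", "Modify"],
           "execute": ["Start", "Stop"]}
DC_ACTIONS = {"read": ["View"], "execute": ["Replay"]}  # data capture rows
GROUPED = {"all", "allmqi"}  # MQ shorthand authorities that include inq, put, set
# Constructed sample; queue manager, group and server names are hypothetical.
SAMPLE = """
setmqaut -m IBNODE_QM -n SYSTEM.BROKER.AUTH -t queue -g operators +inq +set
setmqaut -m IBNODE_QM -n SYSTEM.BROKER.AUTH.default -t queue -g operators +inq +put +set
setmqaut -m IBNODE_QM -n SYSTEM.BROKER.AUTH.default -t queue -g operators -put
setmqaut -m IBNODE_QM -n SYSTEM.BROKER.DC.AUTH -t queue -g auditors +inq
"""

def classify(queue):
    """Return (object level, object name) for an authorization queue, else None."""
    if queue == "SYSTEM.BROKER.AUTH":
        return ("integration node", "")
    if queue == "SYSTEM.BROKER.DC.AUTH":
        return ("data capture object", "")
    if queue.startswith("SYSTEM.BROKER.AUTH."):
        return ("integration server", queue[len("SYSTEM.BROKER.AUTH."):])
    return None

def effective_actions(script):
    """Replay setmqaut lines in order and map the resulting grants to actions."""
    held = defaultdict(set)  # (principal, queue) -> authorities currently held
    for line in script.splitlines():
        args = shlex.split(line, comments=True)
        if not args or args[0] != "setmqaut":
            continue
        opts, changes, it = {}, [], iter(args[1:])
        for tok in it:
            if tok in ("-m", "-n", "-t", "-g", "-p"):
                opts[tok] = next(it, "")
            elif tok[:1] in ("+", "-"):
                changes.append((tok[0], tok[1:].lower()))
        key = (opts.get("-g") or opts.get("-p"), opts.get("-n", ""))
        for sign, name in changes:
            names = set(PERM) if name in GROUPED else {name} & set(PERM)
            held[key] = held[key] | names if sign == "+" else held[key] - names
    result = {}
    for (who, queue), auths in held.items():
        target = classify(queue)
        if target and auths:
            table = DC_ACTIONS if target[0] == "data capture object" else ACTIONS
            result[(who, *target)] = sorted(a for x in auths for a in table.get(PERM[x], []))
    return result
```

It replays only the commands it is given, so the permissions granted automatically to mqbrkrs are not included unless those grants are added to the input.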


bn28620_.htm | Last updated 2015-03-27 19:28:26