IBM Integration Bus, Version 10.0.0.1 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


mqsichangefileauth command

Use the mqsichangefileauth command to authorize users to complete specific tasks against an integration node and its resources.

Supported platforms

Purpose

Use the mqsichangefileauth command to grant and revoke administration authority by setting file-based permissions for specified roles. Administrators can control the access that web users have to integration node resources, by assigning each user to a predefined role. You can authorize users with a particular role to complete specific actions; for example, you might allow users with one role to view integration node resources, while allowing users with another role to modify them. For more information about roles, see Role-based security.

You can use the mqsichangefileauth command only if the file-based mode of administration security has been specified for the integration node. If you create an integration node without specifying an associated queue manager, file-based administration security is used by default for the integration node. Use the mqsichangeauthmode command to change the administration security mode, and the mqsireportauthmode command to see which security mode is currently in effect. For information about specifying the administration security mode, see Configuring administration security to use file-based or queue-based authorization.

Three levels of authorization are supported for IBM® Integration Bus administration security: read, write, and execute. These permissions can be applied to each role for the following types of objects: 
  • Integration node resources
  • Integration server resources
  • Data capture objects (record-replay)

Syntax

Read syntax diagramSkip visual syntax diagram
>>-mqsichangefileauth--integrationNodeName-- -r --role---------->

>--+-----------------------------+-- -p --permissions----------><
   +- -e --integrationServerName-+                      
   '- -o --object----------------'                      

Parameters

integrationNodeName
(Required) The name of the integration node to which the security permissions will apply.

 

-r role
(Required) The role for which the permissions are to be set.

 

-e integrationServerName
(Optional) Specifies an integration server to which the security permissions will apply. If you specify this parameter, you cannot specify an object (resource) using the -o parameter.

 

-o object
(Optional) Specifies the object (resource) name for which the security settings will be set. The valid value for this command is datacapture. If you specify this parameter, you cannot specify a server name using the -e parameter.

 

-p permissions
(Required) Specifies the permissions that are set for the specified role:
  • integrationNodeName
  • integrationNodeName.integrationServerName
  • integrationNodeName.object
The following values are valid for this command:
  • read+/-
  • write+/-
  • execute+/-
  • all+/-

The permissions are specified as a comma-separated list of values. A value can be specified for each permission (read, write, and execute) only once in the list of values. For example, you cannot specify all-,read+ because it would be attempting to set the read permission twice (once explicitly, and once as part of all). If all is specified, it must be the only value. If you specify all-, all permission records in the registry are removed.

 

Responses

In addition to standard command responses, the following responses are returned by this command.
  • BIP8060 The mqsichangefileauth command changes the security permissions for a specified resource
  • BIP8061 The supplied resource is not valid as a resource specifier

Authorization

For information about platform-specific authorizations, see the following topics: If you have enabled integration node administration security, you must also set up the authority that is detailed in Tasks and authorizations for administration security.

Examples

Always enter the command on a single line; in some examples, line breaks have been added to enhance readability.

In the following example, the role iibAdmins is granted execute and read permission on IB10NODE.default (the default integration server on the IB10NODE integration node). If this role did not previously exist, the write permission is disabled. If this role previously existed, the write permission is unchanged from its previous setting.
mqsichangefileauth IB10NODE -r iibAdmins -e default -p read+execute+
In the following example, the role iibAdmins is granted read, execute, and write permission on the datacapture object of the IB10NODE integration node:
mqsichangefileauth IB10NODE -r iibAdmins -o datacapture -p all+
In the following example, the role iibAdmins is granted read, execute, and write permission for all resources in the IB10NODE integration node:
mqsichangefileauth IB10NODE -r iibAdmins -p all+

bn28610_.htm | Last updated 2015-05-28 20:52:54