IBM Integration Bus, Version 10.0.0.5 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Role-based security

You can control access to integration node resources through the web user interface and the REST application programming interface (API) by associating web users with roles.

A role is defined by a set of security permissions that control users' access to an integration node and its resources.

As an integration administrator, you can control the access that web users have to integration node resources, by assigning each user to a predefined role. You can authorize users with a particular role to complete specific actions, by enabling or disabling aspects of the web or REST interface, or by configuring the web user interface to display only the options for which users are authorized. For example, you might allow users with one role to view integration node resources, while allowing users with another role to modify them.

You can grant the same permissions to multiple users by assigning them to the same role, but each user can be assigned to only one role.

For commands that are run locally, and for a locally connected Toolkit, the system user ID that is running the command or the Toolkit is passed to the integration node, where it is used as the role name.

If an integration node is configured to use file-based authorization (file mode), you grant permissions to a role by naming that role with the -r parameter of the mqsichangefileauth command. If no permissions have been granted to a role, a check is conducted to see whether the role name matches a system user ID; if that system user ID is a member of the mqbrkrs group, permission is granted for all actions on all objects. For more information about file-based authorization, see Setting file-based permissions.

If the integration node is configured to use queue-based authorization (mq mode), you must create a system user ID on the operating system on which your integration node is running. You then assign permissions to the system user ID, and this set of permissions represents a role with a name that corresponds to the name of the system user ID. For example, the set of permissions that you define for a system user called ibmuser form a role called ibmuser. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.

You can create web user accounts and assign them to the appropriate roles by using the mqsiwebuseradmin command. For more information, see Managing web user accounts and Controlling access to data and resources in the web user interface.
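The following Python model is an added example, not IBM code: it walks through the file-mode decision described above (a web user resolves to exactly one role, a local command or Toolkit connection uses the system user ID as the role name, explicit grants are checked per object, and a role with no grants at all falls back to mqbrkrs membership of a same-named system user). The node name IBNODE, the users alice, bob and svc, the roles viewer and ibmadmin, and the group data are all constructed for the example.

```python
"""Model of the file-mode role check (constructed example, not IBM's implementation).

Assumptions: the integration node is 'IBNODE'; web users alice and bob, roles
viewer and ibmadmin, and the operating-system accounts below are all made up.
"""
from typing import Dict, Set

# Actions that mqsichangefileauth -p can grant on an object
ACTIONS = ("read", "write", "execute")

# role -> object name -> granted actions (constructed sample data)
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "viewer": {"IBNODE": {"read"}},
    # 'ibmadmin' deliberately has no entry: nobody ran mqsichangefileauth for it
}

# web user -> role; each web user has exactly one role (mqsiwebuseradmin -r)
WEB_USER_ROLE: Dict[str, str] = {"alice": "viewer", "bob": "ibmadmin"}

# operating-system accounts and their group membership (constructed)
OS_GROUPS: Dict[str, Set[str]] = {"ibmadmin": {"mqbrkrs"}, "svc": {"staff"}}


def role_for(principal: str, via_web: bool) -> str:
    """Web users map to their assigned role; a local command or Toolkit
    connection passes the system user ID, which is used as the role name."""
    return WEB_USER_ROLE[principal] if via_web else principal


def grant(role: str, obj: str, actions: Set[str], table=ROLE_PERMISSIONS) -> None:
    """Mirror 'mqsichangefileauth IBNODE -r <role> -o <obj> -p <actions>'."""
    bad = actions - set(ACTIONS)
    if bad:
        raise ValueError(f"unknown actions: {sorted(bad)}")
    table.setdefault(role, {}).setdefault(obj, set()).update(actions)


def is_permitted(role: str, obj: str, action: str, table=ROLE_PERMISSIONS) -> bool:
    """True if the role may perform 'action' on 'obj' under file-mode rules."""
    granted = table.get(role, {})
    if any(granted.values()):
        # the role has explicit grants: only those grants count
        return action in granted.get(obj, set())
    # no grants at all: fall back to mqbrkrs membership of a same-named OS user,
    # which authorizes every action on every object
    return "mqbrkrs" in OS_GROUPS.get(role, set())


def fallback_roles(web_users: Dict[str, str], table=ROLE_PERMISSIONS):
    """Audit helper: roles in use by web users that are authorized only
    through the mqbrkrs fallback, i.e. with no explicit grants configured."""
    return sorted({
        r for r in web_users.values()
        if not any(table.get(r, {}).values())
        and "mqbrkrs" in OS_GROUPS.get(r, set())
    })


if __name__ == "__main__":
    for user in WEB_USER_ROLE:
        role = role_for(user, via_web=True)
        print(user, role, [a for a in ACTIONS if is_permitted(role, "IBNODE", a)])
    print("roles relying on mqbrkrs fallback:", fallback_roles(WEB_USER_ROLE))
```

The audit helper is the part worth running on a real node's configuration: a role that appears in web user accounts but has never been given permissions is authorized for everything if a same-named system user sits in mqbrkrs, so listing such roles shows where an explicit grant (which replaces the fallback) is still missing.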


bn28480_.htm | Last updated 2016-06-25 08:09:01