Authorization to access runtime resources

Runtime resources are WebSphere Event Broker objects that exist at run time in the broker domain. Each runtime object has an Access Control List (ACL) that determines which users and groups can access the object. The ACL entries for an object can permit a user or group to view the object, or to view and modify it, from the workbench, the command line, or the Configuration Manager Proxy (CMP).

ACLs allow or deny a user's access to an object, but ACL entries do not secure the object: an ACL entry cannot verify the user's identity. It states only what a given user ID or group is permitted to do, and trusts the user ID as presented. The ACL check is therefore only as strong as the authentication that established that user ID on the connection to the Configuration Manager.

Using ACL entries, you can control users' access to specific objects in the broker domain. For example, user JUNGLE\MPERRY might be given access to modify BROKERA, but have no access rights to BROKERB. In a further example, the same user might have access to deploy to execution group EXEGRP1, but not to EXEGRP2, even though both are members of BROKERA.

When you try to view or modify an object for which you require permission, the following information is passed to the Configuration Manager:

The Configuration Manager checks the ACL table. If your user ID, or a group to which you belong, is included in an ACL entry for the named object with a permission sufficient for the requested operation, you are authorized to perform it; if no such entry exists, the operation is refused.
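The following is an added example that models the check just described and the JUNGLE\MPERRY scenario above; it is not WebSphere Event Broker or Configuration Manager code. The access-level names (V, D, E, F), their ordering, the operation-to-level mapping, the extra operator JUNGLE\JSMITH and the mqbrops group entry on BROKERB are all assumptions constructed for the example. Entries are matched only on the object they name (no inheritance from a broker to its execution groups), absence of an entry is a denial, and the user ID is trusted as presented, which is exactly the "ACLs do not verify identity" caveat.

```python
# Added example: a model of the ACL check performed by the Configuration Manager.
# Not WebSphere Event Broker code; level names, ordering and sample data are assumptions.
from dataclasses import dataclass

# Access levels used by this model. The ordering view < deploy < edit < full
# is an assumption of the example, not something the page states.
LEVELS = {"V": 1, "D": 2, "E": 3, "F": 4}

# Operation requested from the workbench/command line/CMP -> minimum level (assumed).
OPERATIONS = {"view": "V", "deploy": "D", "modify": "E"}


@dataclass(frozen=True)
class AclEntry:
    principal: str      # a user ID such as "JUNGLE\\MPERRY" or a group such as "mqbrops"
    is_group: bool
    level: str          # one of LEVELS


class AclTable:
    """ACL entries keyed by runtime object name (broker, execution group, ...)."""

    def __init__(self) -> None:
        self._entries: dict[str, list[AclEntry]] = {}

    def create_entry(self, obj: str, principal: str, level: str, is_group: bool = False) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        self._entries.setdefault(obj, []).append(AclEntry(principal, is_group, level))

    def delete_entry(self, obj: str, principal: str) -> None:
        self._entries[obj] = [e for e in self._entries.get(obj, []) if e.principal != principal]

    def list_entries(self, obj: str) -> list[AclEntry]:
        return list(self._entries.get(obj, []))

    def authorized(self, obj: str, user: str, groups: set[str], operation: str) -> bool:
        """Is there an entry on the named object, for this user ID or one of its
        groups, at a level sufficient for the operation?

        The entry must name the object itself: an entry on BROKERA says nothing
        about EXEGRP1 in this model. No matching entry means denial. The user ID
        is trusted as presented: this is authorization only, not authentication.
        """
        need = LEVELS[OPERATIONS[operation]]
        for entry in self._entries.get(obj, []):
            matches = entry.principal in groups if entry.is_group else entry.principal == user
            if matches and LEVELS[entry.level] >= need:
                return True
        return False


def example_domain() -> AclTable:
    """The situation from the text: MPERRY may modify BROKERA and deploy to EXEGRP1,
    but has no entry for BROKERB or EXEGRP2. The mqbrops group entry is constructed."""
    acl = AclTable()
    acl.create_entry("BROKERA", "JUNGLE\\MPERRY", "E")
    acl.create_entry("EXEGRP1", "JUNGLE\\MPERRY", "D")
    acl.create_entry("BROKERB", "mqbrops", "V", is_group=True)
    return acl


def can(acl: AclTable, user: str, groups: set[str], operation: str, obj: str) -> bool:
    return acl.authorized(obj, user, groups, operation)


if __name__ == "__main__":
    acl = example_domain()
    principals = (("JUNGLE\\MPERRY", set()),
                  ("JUNGLE\\JSMITH", {"mqbrops"}))   # constructed operator in mqbrops
    requests = (("modify", "BROKERA"), ("modify", "BROKERB"), ("view", "BROKERB"),
                ("deploy", "EXEGRP1"), ("deploy", "EXEGRP2"))
    for user, groups in principals:
        for op, obj in requests:
            print(f"{user:14} {op:6} {obj:8} -> {can(acl, user, groups, op, obj)}")
```

Running the block prints one line per (user, operation, object) pair; JUNGLE\MPERRY gets True only for modify on BROKERA (and anything view-level on it) and deploy on EXEGRP1, while JUNGLE\JSMITH, through the mqbrops group, can view BROKERB but not modify it.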

Refer to the Related reference links below for descriptions of the commands that system administrators use to create, list, and delete ACL entries.


ACL entries and groups

In previous versions of WebSphere Event Broker, access to runtime objects was controlled by defining a set of groups and assigning users to those groups. ACL entries enable you to control access with more granularity than groups. ACL entries also enable a single Configuration Manager to manage development, test, and production systems separately by configuring users' access to each broker. Using groups, you would have to place the development, test, and production systems in separate broker domains, each controlled by a separate Configuration Manager.

If you migrate a Configuration Manager from a previous version of WebSphere Event Broker, ACL entries are automatically defined for the following groups:
  • mqbrkrs
  • mqbrops
  • mqbrdevt
  • mqbrasgn
  • mqbrtpic
Without these ACL entries, users who belong to these groups have no authority to perform actions on the objects in the domain.
Related concepts
Security overview
Related tasks
Setting up broker domain security
Enabling topic-based security
Related reference
Security requirements for administrative tasks
mqsicreateaclentry command
mqsideleteaclentry command
mqsilistaclentry command
ACL permissions