Messaging security uses role-based authorization. When a user is
assigned to a role, the user is granted all of the permissions that the role
contains. By administering authorization permissions, you can control user
access to a bus and its resources when messaging security is switched on.
When a bus is created, an initial set of default authorization permissions
is created that allows all authenticated users to connect to the bus, and
grants them full access to all local destinations on the bus. You can change
the default authorization permissions to restrict access to a local bus to
a specific set of users. Note that by default, when security is enabled, users
do not have access to a foreign bus. You need to explicitly add a specific
user to the foreign bus access list. For details of the task, see
Adding users and groups to foreign bus roles.
You can make changes to authorization permissions when messaging security is enabled
or disabled. Any changes that you make when security is disabled will not
have any effect until security is enabled, as described in Enabling and disabling messaging security.
The following syntax is used for the commands.
For details of the command properties, see the topics listed below.
- variable: A variable, for which you type a value. The commands use the
  following variables:
  - destinationType
  - busName
  - foreignBusName
  - destinationName
  - topicSpaceName
  - topicName
  - roleName
  - userName
  - groupName
- <true|false>: A choice of options, from which you type one value (that is,
  either true or false).
To configure permissions, complete the following steps
using the wsadmin tool:
- Open a wsadmin command session.
- Type the required command.
Use the commands in the topics listed below to configure the authorization
permissions for a bus to meet your security requirements.