Configure access control lists (ACLs) to control access to runtime resources.
When you have created the runtime resources (for example, the brokers and execution groups) and secured the transport connection, you need to configure access control lists (ACLs) to control which objects can be accessed by which user IDs. Until you have configured ACLs, the default is Full control access for the Configuration Manager service ID only; no other user ID has access.
To configure your ACLs:
The following diagram shows an example hierarchy of access control list entries:
The following examples show how this hierarchy works in practice.
Example 1
UserA has no access control entries. Therefore, UserA cannot manipulate any objects in the hierarchy, or see any of the objects defined in it.
Example 2
UserB has an ACL entry that gives Deploy authority to the execution group Eg1A. This entry gives UserB implied View authority to PubSubTopology and Broker1. UserB must be able to view PubSubTopology and Broker1 (for example, in the Message Brokers Toolkit) to be able to deploy to Eg1A.
Because UserB does not have any ACL entries for PubSubTopology or Broker1, UserB does not inherit access to the other broker or execution groups in the hierarchy. In practice, this means that UserB can see that there is another execution group defined on the broker Broker1 but cannot see any details (including the name of the execution group). Similarly, UserB can see that another broker exists within the topology, but cannot see any details. UserB has no access to RootTopic or to Subscriptions (the subscriptions table).
mqsicreateaclentry testcm -u UserB -a -x D -b Broker1 -e Eg1A
The mqsilistaclentry command then displays the following information:
BIP1778I: userb - USER - D - Broker1/Eg1A - ExecutionGroup
Example 3
Object            Authority
CMP               View
  RootTopic       View
  Subs            View
  Topology        View
    Broker1       Full
      Eg1A        Full
      Eg1B        Full
    Broker2       View
      Eg2A        View
      Eg2B        View
mqsicreateaclentry testcm -u UserC -a -x V -p
mqsicreateaclentry testcm -u UserC -a -x F -b Broker1
The mqsilistaclentry command then displays the following information:
BIP1778I: userc - USER - V - ConfigManagerProxy - ConfigManagerProxy
BIP1778I: userc - USER - F - Broker1 - Broker
Example 4
Object            Authority
CMP               Full
  RootTopic       Full
  Subs            Full
  Topology        Full
    Broker1       View
      Eg1A        View
      Eg1B        View
    Broker2       Full
      Eg2A        Full
      Eg2B        Full
mqsicreateaclentry testcm -u UserD -a -x F -p
mqsicreateaclentry testcm -u UserD -a -x V -b Broker1
The mqsilistaclentry command then displays the following information:
BIP1778I: userd - USER - F - ConfigManagerProxy - ConfigManagerProxy
BIP1778I: userd - USER - V - Broker1 - Broker
The following command can then delete the ACL entries for UserD:
mqsideleteaclentry testcm -u UserD -a -b Broker1
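The resolution rules that Examples 2 to 4 illustrate (explicit entries inherited downwards, implied View on the ancestors of a granted object, no access otherwise) can be checked with a small model. This is an added example, not part of the product or this page; the object hierarchy and authority letters come from the page, the function names and the constructed UserD listing are mine.

```python
# Added model of how the Configuration Manager resolves a user's effective
# authority from ACL entries; hierarchy and rules follow the page, names are mine.
# "CMP" is the Configuration Manager Proxy root; "Subs" is the subscriptions table.
import re

PARENT = {  # object -> parent object in the ACL hierarchy
    "CMP": None, "RootTopic": "CMP", "Subs": "CMP", "Topology": "CMP",
    "Broker1": "Topology", "Broker2": "Topology",
    "Eg1A": "Broker1", "Eg1B": "Broker1", "Eg2A": "Broker2", "Eg2B": "Broker2",
}

def ancestors(obj):
    # Yield obj's ancestors, nearest first, up to the root.
    obj = PARENT[obj]
    while obj is not None:
        yield obj
        obj = PARENT[obj]

def effective_authority(acl, obj):
    """acl maps object -> authority letter (V, D, F) for one user.
    1. The nearest explicit entry on obj or an ancestor applies (inherited downwards).
    2. Failing that, an entry on any descendant grants implied View on obj.
    3. Otherwise the user has no access at all (None)."""
    for node in (obj, *ancestors(obj)):
        if node in acl:
            return acl[node]
    if any(obj in ancestors(target) for target in acl):
        return "V"
    return None

def authority_table(acl):
    """Effective authority on every object, like the tables in Examples 3 and 4."""
    return {obj: effective_authority(acl, obj) for obj in PARENT}

ENTRY = re.compile(r"BIP1778I:\s*\S+\s*-\s*\w+\s*-\s*([VDF])\s*-\s*(\S+)\s*-\s*\w+")
def parse_acl_listing(text):
    """Build an acl dict from the BIP1778I lines mqsilistaclentry prints for one user."""
    acl = {}
    for auth, path in ENTRY.findall(text):
        obj = path.split("/")[-1]                 # "Broker1/Eg1A" -> "Eg1A"
        acl["CMP" if obj == "ConfigManagerProxy" else obj] = auth
    return acl

# Constructed sample input: the listing the page shows for UserD (Example 4).
USERD_LISTING = """\
BIP1778I: userd - USER - F - ConfigManagerProxy - ConfigManagerProxy
BIP1778I: userd - USER - V - Broker1 - Broker
"""

if __name__ == "__main__":
    print(authority_table(parse_acl_listing(USERD_LISTING)))
```

Running the model on Example 2's single Deploy entry reproduces the behaviour described there: Broker1 and Topology resolve to View, while Broker2, Eg1B, RootTopic and Subs resolve to no access.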