WebSphere Message Brokers
File: ap01360_
Writer: Stephanie J Strugnell

Concept topic

This build: July 31, 2007 21:34:38

Authorization to access runtime resources

Runtime resources are WebSphere Message Broker objects that exist at run time in the broker domain. Each runtime object has an Access Control List (ACL) that determines which users and groups can access the object. The ACL entries for an object can permit a user or group either to view the object, or to view and modify it, whether the access is made from the workbench, from the command line, or through the Configuration Manager Proxy (CMP).

ACL entries allow or deny a user's access to an object, but they do not secure the object: an ACL entry cannot verify the user's identity. The ACL decides what an identity may do; it does not establish who that identity is.

Using ACL entries, you can control users' access to specific objects in the broker domain. For example, user JUNGLE\MPERRY might be given access to modify BROKERA, but have no access rights to BROKERB. In a further example the same user might have access to deploy to execution group EXEGRP1, but not to EXEGRP2, even though they are both members of BROKERA.

When you try to view or modify an object for which you require permission, the following information is passed to the Configuration Manager:

The Configuration Manager checks the ACL table. If your user ID is included in the ACL entry for the named object, you are authorized to perform the operation.

Refer to Related reference information below for descriptions of the tools that system administrators use to control the ACLs.

ACL entries and groups

In previous versions of WebSphere Message Broker, access to runtime objects was controlled by defining a set of groups and assigning users to those groups. ACL entries enable you to control access with more granularity than groups. ACL entries also enable a single Configuration Manager to manage development, test, and production systems separately by configuring users' access to each broker. Using groups, you would have to place the development, test, and production systems in separate broker domains, each controlled by a separate Configuration Manager.

If you migrate a Configuration Manager from a previous version of WebSphere Message Broker, ACL entries are automatically defined for the following groups:
  • mqbrkrs
  • mqbrops
  • mqbrdevt
  • mqbrasgn
  • mqbrtpic
Without these ACL entries, users who belong to these groups have no authority to perform actions on the objects in the domain.
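The following is an added illustration, not IBM's code, of the authorization check described above (the Configuration Manager looking up the named object in the ACL table and allowing the operation only if the user's ID, or a group the user belongs to, holds an entry of sufficient level) using the JUNGLE\MPERRY scenario from this topic together with a group entry of the kind that migration defines. Everything beyond what the topic states is an assumption: the lookup is exact-match on the object name (no inheritance from broker to execution group is modelled), deploy is treated as a modifying operation, and the principal names, group memberships and levels in the sample table are constructed.

```python
"""Added example (not IBM's code): a model of how an ACL table decides whether an
already-authenticated user may view, modify or deploy to a runtime object.

Assumptions, not taken from the topic: lookups are exact-match on the object
name (no broker -> execution group inheritance is modelled), deploy is treated
as a modifying operation, and the sample principals and levels are constructed.
"""
from dataclasses import dataclass, field

# The two access levels named in the topic. Modify implies view.
VIEW = "view"
MODIFY = "view-and-modify"
LEVEL_RANK = {VIEW: 1, MODIFY: 2}

# Operation -> minimum level required. Mapping deploy to MODIFY is an assumption.
REQUIRED_LEVEL = {"view": VIEW, "modify": MODIFY, "deploy": MODIFY}


@dataclass
class AclTable:
    """object name -> {principal: level}; a principal is a user ID or a group name."""
    entries: dict = field(default_factory=dict)

    def grant(self, obj, principal, level):
        if level not in LEVEL_RANK:
            raise ValueError(f"unknown level {level!r}")
        self.entries.setdefault(obj, {})[principal] = level

    def revoke(self, obj, principal):
        self.entries.get(obj, {}).pop(principal, None)

    def list_entries(self, obj):
        """Entries for one object, sorted for stable output."""
        return sorted(self.entries.get(obj, {}).items())


def is_authorized(acl, user, groups, obj, operation):
    """True if the user, or any group the user belongs to, holds an entry on the
    named object whose level is at least what the operation needs.

    The identity (user, groups) is an input: the ACL check authorizes, it does
    not authenticate, which is the point the topic makes."""
    needed = REQUIRED_LEVEL[operation]
    obj_entries = acl.entries.get(obj, {})
    for principal in (user, *groups):
        level = obj_entries.get(principal)
        if level is not None and LEVEL_RANK[level] >= LEVEL_RANK[needed]:
            return True
    return False


def build_sample_table():
    """Constructed sample: the JUNGLE\\MPERRY scenario from the topic plus one
    group entry for mqbrops (the level given to the group is a sample value)."""
    acl = AclTable()
    acl.grant("BROKERA", "JUNGLE\\MPERRY", MODIFY)   # may modify BROKERA
    # no entry for BROKERB -> no access to BROKERB
    acl.grant("EXEGRP1", "JUNGLE\\MPERRY", MODIFY)   # may deploy to EXEGRP1
    acl.grant("EXEGRP2", "JUNGLE\\MPERRY", VIEW)     # may view, but not deploy to, EXEGRP2
    acl.grant("BROKERB", "mqbrops", VIEW)             # group entry, sample level
    return acl


def decisions(acl, user, groups, checks):
    """Evaluate a list of (object, operation) pairs; returns {(obj, op): bool}."""
    return {(obj, op): is_authorized(acl, user, groups, obj, op) for obj, op in checks}


if __name__ == "__main__":
    table = build_sample_table()
    checks = [("BROKERA", "modify"), ("BROKERB", "view"),
              ("EXEGRP1", "deploy"), ("EXEGRP2", "deploy")]
    for (obj, op), ok in decisions(table, "JUNGLE\\MPERRY", [], checks).items():
        print(f"{'ALLOW' if ok else 'DENY':5} JUNGLE\\MPERRY {op} {obj}")
    # A user whose only entitlement comes through group membership:
    print(is_authorized(table, "JUNGLE\\OPS1", ["mqbrops"], "BROKERB", "view"))    # True
    print(is_authorized(table, "JUNGLE\\OPS1", ["mqbrops"], "BROKERB", "modify"))  # False
    # Removing the group entry removes the authority, as the topic says of
    # the migrated group entries.
    table.revoke("BROKERB", "mqbrops")
    print(is_authorized(table, "JUNGLE\\OPS1", ["mqbrops"], "BROKERB", "view"))    # False
```

The model makes the two security-relevant properties visible: a missing entry is a deny (BROKERB for JUNGLE\MPERRY), and the level on the entry, not the mere presence of the principal, decides whether a modifying operation such as deploy is allowed (EXEGRP1 versus EXEGRP2). In the real product the ACL entries are managed with the mqsicreateaclentry, mqsideleteaclentry and mqsilistaclentry commands listed under Related reference; the `grant`, `revoke` and `list_entries` methods here only stand in for those operations.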
Related concepts
Security overview
Related tasks
Setting up broker domain security
Enabling topic-based security
Related reference
Security requirements for administrative tasks
mqsicreateaclentry command
mqsideleteaclentry command
mqsilistaclentry command
ACL permissions

Copyright IBM Corporation 1999, 2007. All Rights Reserved.