Security in a Windows domain environment

An example that uses a Windows domain group topology to run IBM® Integration Bus in a Windows domain environment.

About this task

You can use Windows domain groups to organize different levels of authorization to selected IBM Integration Bus resources across your domain. To design and implement this domain group topology, add each domain group to the relevant local security groups on the domain workstations. You can then manage authorities by adding domain user accounts to the appropriate domain groups. For information about the group membership that is required to administer IBM Integration Bus resources, see Security requirements for Windows systems.

Procedure

  1. Design your authorization group categories, and define domain groups on the domain controller system that correspond to these authorization categories, by using Windows security.
    For example, suppose that you have a single domain that contains three distinct sets of systems, which are used in development, testing, and production. Within your organization, various user roles require different levels of authorization to IBM Integration Bus resources on those systems.

    Here is an example of how those authorization categories might map to domain groups:

    Domain group  Description
    ADM-MBprd     IBM Integration Bus administrator authorities on production systems
    ADM-MBuat     IBM Integration Bus administrator authorities on test systems
    ADM-MBdev     IBM Integration Bus administrator authorities on development systems
  2. Define and configure domain user accounts on the domain controller, by using Windows security.
    Add each domain user account to one or more domain groups to configure the access for that account. For example:
    Table 1.
    Domain user account  Role                                                                Domain group membership
    MBadmPRD             IBM Integration Bus administrator for production systems            ADM-MBprd
    MBadmUAT             IBM Integration Bus administrator for test systems                  ADM-MBuat
    MBadmDEV             IBM Integration Bus administrator for development systems           ADM-MBdev
    john.smith           IBM Integration Bus administrator for test and development systems  ADM-MBuat, ADM-MBdev
  3. Install and configure IBM Integration Bus on domain workstations.
    1. Install IBM Integration Bus on the workstation.
    2. Add your domain groups to the local mqbrkrs group as appropriate.
      In this example, if a particular workstation is to serve as a development system, add the domain group ADM-MBdev to the local mqbrkrs group.
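
The following PowerShell script is an added example, not part of the IBM documentation. It applies step 3.2 to one workstation and then checks the local mqbrkrs group for memberships that do not match the workstation's role. The domain name EXAMPLE and the dev/uat/prd role labels are assumptions; the group names come from the table in step 1.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and audit the domain-group membership of local mqbrkrs.
param(
    [Parameter(Mandatory)][ValidateSet('dev', 'uat', 'prd')][string]$Role,
    [string]$Domain = 'EXAMPLE'   # assumption: placeholder NetBIOS domain name
)

# Role-to-group mapping taken from the table in step 1.
$groupForRole = @{ dev = 'ADM-MBdev'; uat = 'ADM-MBuat'; prd = 'ADM-MBprd' }
$expected   = "$Domain\$($groupForRole[$Role])"
$localGroup = 'mqbrkrs'

# Current members of the local group (users and groups, local and domain).
$members = @(Get-LocalGroupMember -Group $localGroup)

# Add the domain group for this workstation's role if it is not yet a member.
if ($members.Name -notcontains $expected) {
    Add-LocalGroupMember -Group $localGroup -Member $expected
    Write-Output "Added $expected to $localGroup"
}

# ADM-MB* groups for other environments grant broader access than this
# workstation's role calls for (for example ADM-MBdev on a production system).
$otherEnvGroups = @($members | Where-Object {
    $_.ObjectClass -eq 'Group' -and
    $_.Name -like "$Domain\ADM-MB*" -and
    $_.Name -ne $expected
})

# Domain user accounts added directly bypass the domain-group topology,
# so removing them from a domain group would not revoke their access here.
$directUsers = @($members | Where-Object {
    $_.ObjectClass -eq 'User' -and $_.Name -like "$Domain\*"
})

foreach ($m in $otherEnvGroups) {
    Write-Warning "$($m.Name) is in $localGroup but does not match role '$Role'"
}
foreach ($m in $directUsers) {
    Write-Warning "$($m.Name) is a direct member of $localGroup; review it"
}

# Emit the findings as objects so that they can be collected across workstations.
$otherEnvGroups + $directUsers |
    Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass
```

Run it from an elevated prompt on each workstation after IBM Integration Bus is installed, so that the local mqbrkrs group already exists.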