Setting file-based or LDAP-based permissions

Use the mqsichangefileauth command to grant and revoke administration authority by configuring file-based or LDAP-based permissions for working with an integration node and its resources.

Before you begin

About this task

You can grant and revoke administration authority by using the mqsichangefileauth command to configure file-based or LDAP-based permissions for specified roles. You can use file-based or LDAP-based permissions for authorization only if the file-based or LDAP mode of administration security has been specified respectively for the integration node. If no queue manager has been specified on the integration node, file-based administration security is used by default. You can use the mqsichangeauthmode command to change the administration security mode, and the mqsireportauthmode command to see which security mode is currently in effect.

If a queue manager is specified on the integration node, queue-based administration security is set by default; however, you can change to file-based or LDAP-based authorization by using the mqsichangeauthmode command. For information about specifying the administration security mode, see Configuring administration security to use file-based, queue-based, or LDAP authorization.

Three levels of authorization are supported for IBM® Integration Bus administration security: read, write, and execute. You can assign permissions to a role (system user) by specifying the type of permission followed by a plus (+) to grant permissions, or a minus (-) to revoke permissions: 
  • read+/-
  • write+/-
  • execute+/-
  • all+/-

You specify the permissions as a comma-separated list of values. Each permission (read, write, and execute) can appear only once in the list. For example, you cannot specify all-,read+ because that would set the read permission twice (once explicitly, and once as part of all). If all is specified, it must be the only value. If you specify all-, every permission record for that role on the specified object is removed from the registry, which leaves the role with no permissions on that object.

These permissions can be applied to each role for the following types of objects: 
  • Integration node resources
  • Integration server resources
  • Data capture objects (record-replay)
If you grant permissions to a role at the integration node level, that permission is not applied to the node's integration servers; you must set permissions explicitly for individual integration servers.
Note: If you grant permissions associated with integration server resources or data capture objects to users that use the web user interface, you must also grant the users read access to the integration node.

Procedure

Follow these steps to set permissions for a role:

  1. Ensure that administration security has been enabled for the integration node.
    For more information, see Enabling administration security.
  2. Use the mqsichangefileauth command to change the permissions that are assigned to a role.
    For example:
    mqsichangefileauth IB10NODE -r iibAdmins -e default -p read+,execute+
    In this example, the role iibAdmins is granted read and execute permission on IB10NODE.default (the default integration server on the IB10NODE integration node). If the role did not previously exist, its write permission remains denied, because a new role starts with no permissions. You can confirm the permissions that are now in effect by running the mqsireportfileauth command for the same role and integration server.
  3. If you are using the web user interface for administration, log off and log back on so that the web user interface reflects the new permissions. If permissions have been revoked, the change takes effect immediately, and actions that require the revoked permission fail because access is denied.
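The following Python script is an added example, not IBM code and not part of the original page. It models the documented rules for the -p permission list (each of read, write and execute at most once; all must be the only value; all- removes the role's records) and the effect of a mqsichangefileauth call on a role's stored permissions, including the case in step 2 where a new role starts with nothing granted. It also generates the set of commands a web user interface role needs, applying the two caveats above: permissions set on the integration node are not inherited by its integration servers, and a role that works with integration server resources also needs read on the node. The role, node and server names are illustrative, and the node-level command form without -e is assumed from the command's documented syntax rather than shown on this page.

```python
"""Model of mqsichangefileauth permission lists and their effect.

Added example (not IBM's implementation). Names such as IB10NODE,
iibAdmins and the server names are illustrative assumptions.
"""
import re

PERMS = ("read", "write", "execute")
_VALUE = re.compile(r"^(read|write|execute|all)([+-])$")


def parse_permission_list(spec):
    """Parse a -p value such as 'read+,execute+' into {permission: granted}.

    Raises ValueError for the syntax errors the documentation describes:
    an unknown value, a permission named twice, or 'all' combined with
    another value (for example 'all-,read+').
    """
    values = [v.strip() for v in spec.split(",")]
    if any(not v for v in values):
        raise ValueError("empty value in permission list: %r" % spec)
    result = {}
    for v in values:
        m = _VALUE.match(v)
        if not m:
            raise ValueError("unknown permission value: %r" % v)
        name, granted = m.group(1), m.group(2) == "+"
        if name == "all":
            if len(values) != 1:
                raise ValueError("all must be the only value in the list")
            return {p: granted for p in PERMS}
        if name in result:
            raise ValueError("permission %s specified more than once" % name)
        result[name] = granted
    return result


def apply_permissions(existing, spec):
    """Return a role's permission record after mqsichangefileauth -p spec.

    existing is None when the role has no record yet (a new role starts with
    nothing granted, so 'read+,execute+' leaves write denied). 'all-' removes
    every record for the role on the object, modelled here as None.
    """
    change = parse_permission_list(spec)
    if spec.strip() == "all-":
        return None
    record = dict(existing) if existing else {p: False for p in PERMS}
    record.update(change)
    return record


def commands_for_role(node, role, server_perms):
    """Generate the mqsichangefileauth calls for a web user interface role.

    Node-level permissions are not inherited by integration servers, so each
    server in server_perms ({server: '-p value'}) gets its own command, and
    the role also gets read on the node itself, as the documentation
    requires for web user interface users. Each -p value is validated first
    so a bad list is rejected before any command is issued.
    """
    cmds = ["mqsichangefileauth %s -r %s -p read+" % (node, role)]
    for server, spec in server_perms.items():
        parse_permission_list(spec)
        cmds.append("mqsichangefileauth %s -r %s -e %s -p %s"
                    % (node, role, server, spec))
    return cmds


if __name__ == "__main__":
    # Constructed scenario: a new operator role on the default server.
    record = apply_permissions(None, "read+,execute+")
    print("new role after read+,execute+:", record)
    for cmd in commands_for_role("IB10NODE", "iibOperators",
                                 {"default": "read+,execute+",
                                  "payments": "read+"}):
        print(cmd)
    for bad in ("all-,read+", "read+,read-", "exec+"):
        try:
            parse_permission_list(bad)
        except ValueError as err:
            print("rejected %r: %s" % (bad, err))
```

Run it to see which -p lists are rejected and why, and which records result; the generated commands are what you would then type against a real integration node, followed by mqsireportfileauth to confirm the outcome.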

What to do next

For information about authentication, see Authenticating users for administration.