Setting queue-based permissions

You can use WebSphere® MQ queues to authorize users to complete specific tasks against an integration node and its resources.

Before you begin

About this task

When you have enabled administration security and specified the queue-based (MQ) authorization mode, you can set the required permissions for users to act on the integration node and its resources. You set the permissions on the following authorization queues:
  • SYSTEM.BROKER.AUTH
  • SYSTEM.BROKER.AUTH.EG (where EG is the name of the integration server)
  • SYSTEM.BROKER.DC.AUTH

The queue SYSTEM.BROKER.AUTH is created when you use the mqsichangeauthmode command to enable queue-based administration security (mq mode) on the integration node. When you create an integration server on an integration node for which you have enabled queue-based administration security, the integration server authorization queue SYSTEM.BROKER.AUTH.EG is created (if it did not already exist), where EG is the name of the integration server. The SYSTEM.BROKER.DC.AUTH queue is created when you use the mqsicreatebroker command to create an integration node with an associated queue manager. For more information about these authorization queues, see Authorization queues for queue-based administration security.

You can set permissions for individual principals (user IDs), for groups of users, or both, on all platforms:

  • Permissions that you grant to a group or user ID at the integration node level (on queue SYSTEM.BROKER.AUTH) are not inherited by integration servers. You must explicitly set permissions for individual integration servers (on the SYSTEM.BROKER.AUTH.EG queues), or for all integration servers.
  • On Linux® and UNIX, you can authorize both principals and groups. However, when you authorize a principal, IBM® Integration Bus also authorizes the primary group of that principal, so every other member of that primary group gains the same permissions at the same time. Prefer authorizing explicitly created groups over relying on primary groups, because variants of UNIX assign and use primary groups in different ways.
  • If a user ID is a member of the WebSphere MQ security group mqm, it automatically has permissions to act on all WebSphere MQ objects, including the authorization queues. Such a user passes every queue-based check regardless of what you set on the queues, so keep membership of mqm to the minimum.
  • On Windows, if a user ID is a member of the security group Administrators, it automatically has permissions to act on all WebSphere MQ objects, with the same effect: the queue-based permissions do not restrict that user.

When you change permissions on a queue, the integration node accesses the updated values the next time that a request is processed. You do not have to stop and restart the integration node.

If you update user ID or group membership by using the operating system facilities on the platform on which the integration node queue manager is running, you must ensure that the queue manager is aware of these changes, because the queue manager caches authorization data. Select the option Refresh Authorization Service in the WebSphere MQ Explorer, or issue the MQSC command REFRESH SECURITY TYPE(AUTHSERV) in runmqsc, to notify the queue manager of the updated status.
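The following script is an added example and is not taken from the IBM documentation or from the product itself. It generates the setmqaut and dspmqaut commands that implement the model described above (one authorization queue for the node, one per integration server, no inheritance between them), prints them for review rather than running them, and includes a membership check for the mqm group. The queue manager name IBNODE, the group iibops, the user iibadmin, and the integration server names default and payments are constructed for the demonstration. The mapping of permission levels to MQ authorities used here (read = +inq, write = +put, execute = +set) is an assumption to verify against the authorization-queues topic for your release.

```shell
#!/bin/sh
# Added example (not IBM's code): emit the MQ commands for queue-based IIB
# administration permissions so they can be reviewed before being run on the
# integration node's queue manager host (pipe the output to sh to apply).
#
# Assumed mapping of IIB permission levels to authorities on the
# SYSTEM.BROKER.AUTH* queues: read=+inq, write=+put, execute=+set.

# iib_auth_flags "LEVELS" -> setmqaut authority flags for a space-separated
# list of levels (read, write, execute); fails on an unknown level.
iib_auth_flags() {
  flags=""
  for level in $1; do
    case "$level" in
      read)    flags="$flags +inq" ;;
      write)   flags="$flags +put" ;;
      execute) flags="$flags +set" ;;
      *) echo "unknown permission level: $level" >&2; return 1 ;;
    esac
  done
  echo "${flags# }"
}

# iib_auth_queue SCOPE -> the authorization queue for a scope: "node" is the
# integration node queue, "dc" the DC queue, anything else an integration
# server name (its queue is SYSTEM.BROKER.AUTH.<server>).
iib_auth_queue() {
  case "$1" in
    node) echo "SYSTEM.BROKER.AUTH" ;;
    dc)   echo "SYSTEM.BROKER.DC.AUTH" ;;
    *)    echo "SYSTEM.BROKER.AUTH.$1" ;;
  esac
}

# iib_grant_cmds QMGR (-p|-g) ENTITY "LEVELS" SCOPE... -> one setmqaut per scope.
# Node-level permissions are not inherited, so every server that the entity
# should see must be listed explicitly.
iib_grant_cmds() {
  qm=$1; kind=$2; entity=$3; levels=$4; shift 4
  flags=$(iib_auth_flags "$levels") || return 1
  for scope in "$@"; do
    echo "setmqaut -m $qm -n $(iib_auth_queue "$scope") -t queue $kind $entity $flags"
  done
}

# iib_show_cmds QMGR (-p|-g) ENTITY SCOPE... -> dspmqaut lines to confirm the result.
iib_show_cmds() {
  qm=$1; kind=$2; entity=$3; shift 3
  for scope in "$@"; do
    echo "dspmqaut -m $qm -n $(iib_auth_queue "$scope") -t queue $kind $entity"
  done
}

# in_group USER GROUP -> true if USER is a member of GROUP (any group, not
# only the primary one). Users in mqm pass every queue-based check.
in_group() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Demonstration with constructed names: iibops may view the node and both
# servers, but may start, stop and deploy only on the payments server.
iib_grant_cmds IBNODE -g iibops "read" node default payments
iib_grant_cmds IBNODE -g iibops "execute" payments
echo "# after changing OS group membership, refresh the queue manager's cache:"
echo "echo 'REFRESH SECURITY TYPE(AUTHSERV)' | runmqsc IBNODE"
iib_show_cmds IBNODE -g iibops node default payments
if in_group iibadmin mqm; then
  echo "# iibadmin is in mqm: the queue permissions do not restrict this user"
fi
```

Run the script on the queue manager host and review the output before applying it. To grant the same permissions on every integration server queue at once, MQ generic profiles in the queue name (for example SYSTEM.BROKER.AUTH.*) are an option at the setmqaut level; confirm the behaviour against your MQ version before relying on it.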

Procedure

  1. Ensure that administration security is enabled for the integration node and that the queue-based authorization mode has been set.
    For information about how to enable administration security and set the authorization mode, see Enabling administration security. For more information about changing the authorization mode, see Configuring administration security to use file-based, queue-based, or LDAP authorization.
  2. Follow the steps in one of the following tasks, depending on your platform: