Authorizing users for administration

Authorize users to complete specific tasks against an integration node and its resources.

About this task

Three levels of authorization are supported for IBM® Integration Bus administration security: read, write, and execute. These permissions can be applied to each role for the following types of objects: 
  • Integration node resources
  • Integration server resources
  • Data capture resources (record-replay)
For more information about roles, see Role-based security.

You can set the permissions in one of two ways: by using file-based permissions or LDAP permissions, which you set by using the mqsichangefileauth command, or by using WebSphere® MQ queues on the queue manager that is specified on the integration node. Use the mqsichangeauthmode command to specify which security mode is to be used (file-based, queue-based, or LDAP authorization), and use the mqsireportauthmode command to see which security mode is set.

For information about the permissions that are required for working with an integration node and its resources, see Permissions for acting on integration nodes and resources.

When you create an integration node, the default mode of administration security depends on whether a queue manager is specified on the integration node. If a queue manager has been specified, administration security for the integration node is based on WebSphere MQ queues (mq mode), and the required queues used for setting authorization are created automatically when the integration node is created. If you create an integration node without specifying an associated queue manager, file-based administration security (file mode) is used by default.

If you are using any IBM Integration Bus functions that require access to WebSphere MQ, you must set the required permissions that enable the connection to be made to the queue manager that is specified on the integration node. For information about these permissions, see Permissions for connecting to a queue manager. When you have set the required permissions for connecting to the queue manager, you can set the permissions that authorize users to act on the integration node and its resources.

For information about authentication, see Authenticating users for administration.

Procedure

Complete the following steps to set the required authorization mode and to authorize users to work with an integration node and its resources:

  1. Ensure that administration security for the integration node is enabled and configured to use the required authorization mode, as described in Configuring administration security to use file-based, queue-based, or LDAP authorization.
    To find out which authorization mode is currently in effect, see Checking the authorization mode.
  2. If you are using queue-based administration security, set the required permissions to enable users to connect to the WebSphere MQ queue manager.
    For information about these permissions, see Permissions for connecting to a queue manager.
  3. Set the required permissions to enable users to complete tasks on an integration node and its resources. For information about the permissions that are required, see Permissions for acting on integration nodes and resources. For information about how to set the permissions, see the following topics:
  4. You can control web users' access to data and integration node resources by assigning permissions to the role that the users are assigned to. For more information, see Controlling access to data and resources in the web user interface.