IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Managing web user accounts

You can control a web user's access to broker resources by associating the web user ID with a role, which has security permissions assigned to it.

Before you start:

Broker administrators can use the mqsiwebuseradmin command to create a new web user, to set or change a web user's password, to remove a web user, or to assign a web user to a role.

As a broker administrator, you can set up multiple system user IDs on the system that the broker is running on, with different permissions set on the authorization queues (SYSTEM.BROKER.AUTH, SYSTEM.BROKER.AUTH.integrationServerName, and SYSTEM.BROKER.DC.AUTH). These permissions then apply to web users through their assigned role. Web users also require the following permissions to use the web user interface:
  • GET and PUT authority on the queue SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION
  • SUBSCRIBE and PUBLISH authority on the topic SYSTEM.BROKER.MB.TOPIC

If administration security is enabled, web users can access the web UI only when they have logged on using their web user account. Their access to data and broker resources is controlled by the permissions that have been associated with their role (system user ID). If administration security is not enabled, web users can interact with the web UI without logging on; they interact with the web UI as the 'default' user and can access all data and broker resources.

The steps shown in this task are based on the assumption that you want to have broker administration security enabled.

Complete these steps to grant access to web users based on their assigned role:

  1. If you are enabling broker administration security:
    1. Create a system user account (on the operating system) for each role that you have identified. For example, you might decide that your web users can be categorized into two main roles: web administrators and web users. Create a system user account for each of the roles, such as ibmuser and ibmadmin. These users will typically require different authorizations to perform tasks in the broker administration interface (such as permission to view or modify resources), according to their role.
    2. Grant permissions on the authorization queues for the system user accounts that you have created for your roles (ibmuser and ibmadmin). For information about how to do this, see Authorizing users for administration.
    3. Enable broker administration security for your broker by setting the -s parameter to active.
      • To enable administration security when you create the broker, run the mqsicreatebroker command, as shown in the following example:
        mqsicreatebroker brokerName -q brokerQueueManagerName -s active 
        (If you run this command on Windows, you must also set the -i parameter. For details, see mqsicreatebroker command.)
      • To enable administration security for a broker that you have already created, stop the broker, then run the mqsichangebroker command, as shown in the following example:
        mqsichangebroker brokerName -s active  
      For more information, see Enabling administration security.
  2. Use the mqsiwebuseradmin command to create your web user accounts. If you have broker administration security enabled, you can also use the mqsiwebuseradmin command to modify your web user accounts and assign them to the appropriate roles. For more information, see mqsiwebuseradmin command.
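The whole procedure as one dry-run script, added here as an illustration and not taken from the IBM documentation: it prints the commands in order for the two example roles so that the grants can be reviewed before anything is run. The broker and queue manager names (IB9NODE, IB9QMGR), the web user IDs (alice, bob), the password placeholder and the choice of read-only access for ibmuser versus full access for ibmadmin are assumptions.

```shell
#!/bin/sh
# Added example: prints, without running anything, the commands that map the
# two roles from the steps above onto the objects this page names.
# Assumed names: IB9NODE, IB9QMGR, web users alice and bob.
BROKER=IB9NODE
QMGR=IB9QMGR

# Objects every role needs so its web users can use the web UI (from the page).
webui_grants() {  # $1 = role (system user ID)
  echo "setmqaut -m $QMGR -n SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION -t queue -p $1 +get +put"
  echo "setmqaut -m $QMGR -n SYSTEM.BROKER.MB.TOPIC -t topic -p $1 +sub +pub"
}

# Broker authorization queue: +inq = read, +put = write, +set = execute.
broker_grants() {  # $1 = role, $2 = ro | rw (assumed policy levels)
  case "$2" in
    ro) auths="+inq" ;;
    rw) auths="+inq +put +set" ;;
    *)  echo "unknown level: $2" >&2; return 1 ;;
  esac
  echo "setmqaut -m $QMGR -n SYSTEM.BROKER.AUTH -t queue -p $1 $auths"
}

# '<password>' is a placeholder; -a passes the real value on the command line.
web_user() {  # $1 = web user ID, $2 = role
  echo "mqsiwebuseradmin $BROKER -c -u $1 -r $2 -a '<password>'"
}

plan() {
  for spec in ibmuser:ro ibmadmin:rw; do
    role=${spec%%:*}; level=${spec##*:}
    broker_grants "$role" "$level" || return 1
    webui_grants "$role"
  done
  echo "mqsistop $BROKER"
  echo "mqsichangebroker $BROKER -s active"
  echo "mqsistart $BROKER"
  web_user alice ibmadmin
  web_user bob ibmuser
}

plan
```

Grants on SYSTEM.BROKER.AUTH.integrationServerName and SYSTEM.BROKER.DC.AUTH follow the same pattern as broker_grants and are left out to keep the plan short.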

bn28460_.htm | Last updated Friday, 21 July 2017