The following table shows the list of actions that a user can perform, and the authorizations that you must set to allow them to complete these tasks when broker administrative security is enabled. The authority is required regardless of the way in which the user requests the action; from an
CMP application, the IBM® Integration Explorer, or the IBM Integration Toolkit.
In addition to the permissions for the specific tasks that are shown in the following table, you must also be able to connect to the broker. For more information, see Authorizing users for administration. Web users also require the following permissions to use the web user interface:
- GET and PUT authority on the queue SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION
- SUBSCRIBE and PUBLISH authority on the topic SYSTEM.BROKER.MB.TOPIC
Note: 
If you are using the web user interface, a check is made on all SYSTEM.BROKER.AUTH queues to establish the permissions that the user has. As a result of this check, AMQ8077 messages might be seen. 
If you are using the web user interface, a check is made on all SYSTEM.BROKER.AUTH queues to establish the permissions that the user has. As a result of this check, AMQ8077 messages might be seen. | Task category | Tasks | Authorization | Queue |
|---|---|---|---|
| Broker | Set broker properties | Read and write | SYSTEM.BROKER.AUTH |
| View broker properties | Read | SYSTEM.BROKER.AUTH | |
| Configurable services | Create or delete configurable services | Read and write | SYSTEM.BROKER.AUTH |
| Set configurable services properties | Read and write | SYSTEM.BROKER.AUTH | |
| View configurable services properties | Read | SYSTEM.BROKER.AUTH | |
| Integration servers | Create or delete integration servers | Read and write | SYSTEM.BROKER.AUTH |
| Rename integration servers | Read and write | SYSTEM.BROKER.AUTH | |
| List integration servers | Read | SYSTEM.BROKER.AUTH | |
| Start or stop integration servers | Read | SYSTEM.BROKER.AUTH | |
| Execute | SYSTEM.BROKER.AUTH or SYSTEM.BROKER.AUTH.EG | ||
| Set integration server properties | Read | SYSTEM.BROKER.AUTH | |
| Write | SYSTEM.BROKER.AUTH.EG | ||
| View integration server properties | Read | SYSTEM.BROKER.AUTH | |
| Read | SYSTEM.BROKER.AUTH.EG | ||
| Resource statistics | Start or stop resource statistics collection | Read | SYSTEM.BROKER.AUTH |
| Write | SYSTEM.BROKER.AUTH.EG1 | ||
| Report resource statistics | Read | SYSTEM.BROKER.AUTH | |
| Read | SYSTEM.BROKER.AUTH.EG2 | ||
| Message flows | Deploy | Read | SYSTEM.BROKER.AUTH |
| Write | SYSTEM.BROKER.AUTH.EG | ||
| List message flows and other deployed objects | Read | SYSTEM.BROKER.AUTH | |
| Read | SYSTEM.BROKER.AUTH.EG | ||
| Start or stop message flows | Read | SYSTEM.BROKER.AUTH | |
| Execute | SYSTEM.BROKER.AUTH.EG | ||
| Delete resources from an integration server | Read | SYSTEM.BROKER.AUTH | |
| Write | SYSTEM.BROKER.AUTH.EG | ||
| Web user interface | Logon to the web user interface | Read | SYSTEM.BROKER.AUTH |
| Create, delete, or modify web users | Write | SYSTEM.BROKER.AUTH | |
| Changing a web user's password in the web user interface (supplying the old password) | Read | SYSTEM.BROKER.AUTH | |
| Record and replay | View recorded data with record and replay (apart from bit stream and exception-list data) | Read | SYSTEM.BROKER.AUTH, SYSTEM.BROKER.AUTH.EG,4 and SYSTEM.BROKER.DC.AUTH |
| View recorded data with record and replay (bit stream or exception-list data) | Read | SYSTEM.BROKER.DC.AUTH | |
| Replay data | Read and execute | SYSTEM.BROKER.DC.AUTH | |
| Services | View or import an MQ service from the Integration Registry | Read | SYSTEM.BROKER.AUTH |
| Create or delete an MQ service in the Integration Registry | Read and write | SYSTEM.BROKER.AUTH | |
| Policies | View policies in the web user interface | Read | SYSTEM.BROKER.AUTH |
| Create, update, or delete policies in the web user interface | Read and write | SYSTEM.BROKER.AUTH | |
| Attach a policy to an integration server | Read and write | SYSTEM.BROKER.AUTH.EG |
Notes:
- If you are changing resource statistics collection for all integration servers on the broker, you must grant execute authority for all integration servers.
- If you are reporting resource statistics collection for all integration servers on the broker, you must grant read authority for all integration servers.
- In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the name of your integration server.
- In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the value of the egForView property that you specify in your DataCaptureStore configurable service.
- In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the value of the egForReplay property that you specify in your DataDestination configurable service.
If you grant a user ID authority at the broker level (on queue SYSTEM.BROKER.AUTH), it does not inherit authority for integration servers. You must explicitly grant authority to all, or to individual, integration servers.
Last updated Friday, 21 July 2017