IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Authorizing users for administration

Grant authority to one or more groups or users to authorize them to complete specific tasks against a broker and its resources.

You must activate broker administration security before you can grant or revoke permissions for specific user IDs. When you first activate security, you must set up initial control for each user to authorize them to perform certain operations. You can then grant additional authority, or revoke permissions, as required.

You can grant authorities to individual principals (user IDs), to groups of users, or both, on all platforms:

When you change authorizations on a queue, the broker accesses the updated values the next time that a request is processed. You do not have to stop and restart the broker.

If you update user ID or group membership by using the operating system facilities on the platform on which the broker queue manager is running, you must ensure that the queue manager is aware of these changes. Select the option Refresh Authorization Service in the WebSphere MQ Explorer to notify the queue manager of the updated status.

The authority that is required depends on the requirements of the user:

The way in which you set up the required authorities differs by platform:

These platform-specific topics also give examples of command usage for viewing what authorizations are in place by using the WebSphere MQ dspmqaut command, and for dumping this information by using the dmpmqaut command.

For information about the additional permissions that are required for recording and replaying data, see Enabling security for record and replay.

Required authority for administrators

When you activate administration security, the WebSphere MQ permissions for inquire, put, and set are granted to the group mqbrkrs on the queue SYSTEM.BROKER.AUTH. These permissions correspond to read (inquire), write (put), and execute (set) authority on the broker and its properties, and apply to all user IDs that are members of mqbrkrs.

If you want additional user IDs to have administrator authorization, either add those IDs to the group mqbrkrs, or add WebSphere MQ permissions for inquire, put, and set for those user IDs to this queue.

The following table summarizes the WebSphere MQ permissions that are required:

Object         Name                                                                Permissions
Queue manager  The queue manager associated with the broker; for example, IB9QMGR  Connect, Inquire
Queue          SYSTEM.BROKER.DEPLOY.QUEUE                                          Put
Queue          SYSTEM.BROKER.DEPLOY.REPLY                                          Get, Put
Queue          SYSTEM.BROKER.AUTH                                                  Inquire, Put, Set
Queue          SYSTEM.BROKER.AUTH.EG                                               Inquire, Put, Set

For more information about permissions on authorization queues, see IBM Integration Bus permissions and equivalent WebSphere MQ permissions and Tasks and authorizations for administration security.

Required authority for users who connect to the broker

If a user or application wants to connect to a broker, you must grant them the appropriate permissions. All applications written to the CMP, and users of the IBM® Integration Explorer and the IBM Integration Toolkit, require permissions based on their expected actions. The following table shows the WebSphere MQ permissions that are required:

Object         Name                                                                Permissions
Queue manager  The queue manager associated with the broker; for example, IB9QMGR  Connect, Inquire
Queue          SYSTEM.BROKER.DEPLOY.QUEUE                                          Put
Queue          SYSTEM.BROKER.DEPLOY.REPLY                                          Get, Put
Queue          SYSTEM.BROKER.AUTH                                                  Inquire (1)
Queue          SYSTEM.BROKER.AUTH.EG                                               Inquire (1)

Notes:
  1. Users and applications can connect to the broker without this level of authority, but are unable to request actions against the broker, including viewing properties.

Additional permissions are also required for users who will connect to the broker through the web user interface, as described in Required authority for users of the web user interface.

Required authority for users of the web user interface

Before your users can use the web user interface, you must set security permissions for the roles (system user accounts) that are associated with the web user accounts. The permissions are checked to determine a web user's authorization to perform tasks in the web user interface or the REST application programming interface (API). Ensure that users have the following authorizations:

Object  Name                                 Permissions
Queue   SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION  Get, Put
Topic   SYSTEM.BROKER.MB.TOPIC               Subscribe, Publish

For more information about roles and web user accounts, see Role-based security and Managing web user accounts.

Required authority for recording and replaying data

Before you can record and replay data, you must set security permissions for data capture in addition to setting administrative security. The queue SYSTEM.BROKER.DC.AUTH controls the record and replay actions that a user can complete on the broker. Ensure that users have the appropriate authorizations to complete the following actions on this queue:

Action                                          Authority required
To view data, bit streams, and exception lists  READ (+INQ)
To replay data                                  EXECUTE (+SET)

Required authority for developers

If your users are working with existing integration servers, and development resources such as BAR files, add the WebSphere MQ permissions inquire, put, and set for those users to one or more SYSTEM.BROKER.AUTH.EG queues (where EG is the name of the integration server).
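The following script is added here as a worked example; it is not part of the IBM Integration Bus documentation or product. It turns the permission tables in the preceding sections (administrators, users who connect to the broker, the web user interface, record and replay, and developers) into WebSphere MQ setmqaut commands, checks that a per-integration-server authorization queue name is a valid MQ object name before granting to it, and uses dspmqaut, dmpmqaut, and the runmqsc equivalent of Refresh Authorization Service to verify the result. The queue manager name IB9QMGR and the group mqbrkrs come from this page; the groups ibdevs and ibweb, the user webadmin, and the integration server names default and sales are assumed placeholders.

```shell
#!/bin/sh
# Added example (not IBM's code): build, and optionally run, the WebSphere MQ
# setmqaut commands for the permissions tabulated on this page.
# Assumed names: groups ibdevs/ibweb, user webadmin and integration servers
# "default" and "sales" are placeholders; IB9QMGR and mqbrkrs are from the page.
# With IIB_APPLY=1 the commands are executed (run as a member of the mqm group
# on the queue manager host); otherwise they are printed for review.
IIB_APPLY=${IIB_APPLY:-0}

# emit CMD ARGS...: print the command line, or run it when IIB_APPLY=1.
emit() {
  if [ "$IIB_APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# mq_name_ok NAME: WebSphere MQ object names are at most 48 characters and use
# only A-Z a-z 0-9 . / _ %; an integration server whose SYSTEM.BROKER.AUTH.<EG>
# queue name breaks either rule cannot be authorized, so fail early.
mq_name_ok() {
  [ ${#1} -le 48 ] || return 1
  case $1 in
    ''|*[!A-Za-z0-9._/%]*) return 1 ;;
  esac
  return 0
}

# Minimum to connect and inquire ("Required authority for users who connect").
# Usage: connect_auths QMGR -g GROUP|-p USER [EG ...]
connect_auths() {
  qm=$1; who=$2; id=$3; shift 3
  emit setmqaut -m "$qm" -t qmgr "$who" "$id" +connect +inq
  emit setmqaut -m "$qm" -t queue -n SYSTEM.BROKER.DEPLOY.QUEUE "$who" "$id" +put
  emit setmqaut -m "$qm" -t queue -n SYSTEM.BROKER.DEPLOY.REPLY "$who" "$id" +get +put
  emit setmqaut -m "$qm" -t queue -n SYSTEM.BROKER.AUTH "$who" "$id" +inq
  for eg in "$@"; do
    mq_name_ok "SYSTEM.BROKER.AUTH.$eg" || { echo "invalid integration server name: $eg" >&2; return 1; }
    emit setmqaut -m "$qm" -t queue -n "SYSTEM.BROKER.AUTH.$eg" "$who" "$id" +inq
  done
}

# Administrators: connect permissions plus write (+put) and execute (+set) on
# the broker-level and per-integration-server AUTH queues.
admin_auths() {
  qm=$1; who=$2; id=$3; shift 3
  connect_auths "$qm" "$who" "$id" "$@" || return 1
  emit setmqaut -m "$qm" -t queue -n SYSTEM.BROKER.AUTH "$who" "$id" +put +set
  for eg in "$@"; do
    emit setmqaut -m "$qm" -t queue -n "SYSTEM.BROKER.AUTH.$eg" "$who" "$id" +put +set
  done
}

# Developers: connect permissions plus inquire, put and set on the AUTH queue
# of each integration server they work with, nothing more on SYSTEM.BROKER.AUTH.
developer_auths() {
  qm=$1; who=$2; id=$3; shift 3
  connect_auths "$qm" "$who" "$id" "$@" || return 1
  for eg in "$@"; do
    emit setmqaut -m "$qm" -t queue -n "SYSTEM.BROKER.AUTH.$eg" "$who" "$id" +put +set
  done
}

# Web user interface and REST API: subscription queue and the MB topic.
webui_auths() {
  emit setmqaut -m "$1" -t queue -n SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION "$2" "$3" +get +put
  emit setmqaut -m "$1" -t topic -n SYSTEM.BROKER.MB.TOPIC "$2" "$3" +sub +pub
}

# Record and replay: +inq (read) to view recorded data, +set (execute) to replay.
# Usage: recordreplay_auths QMGR -g GROUP|-p USER view|replay
recordreplay_auths() {
  case $4 in
    view)   emit setmqaut -m "$1" -t queue -n SYSTEM.BROKER.DC.AUTH "$2" "$3" +inq ;;
    replay) emit setmqaut -m "$1" -t queue -n SYSTEM.BROKER.DC.AUTH "$2" "$3" +inq +set ;;
    *) echo "mode must be view or replay" >&2; return 1 ;;
  esac
}

# Verification: dspmqaut shows one queue for one principal or group, dmpmqaut
# dumps every authorization on the queue, and REFRESH SECURITY is the runmqsc
# equivalent of Explorer's "Refresh Authorization Service" after OS changes.
show_auths() { emit dspmqaut -m "$1" -t queue -n "$4" "$2" "$3"; }
dump_auths() { emit dmpmqaut -m "$1" -t queue -n "$2"; }
refresh_authservice() {
  if [ "$IIB_APPLY" = 1 ]; then echo 'REFRESH SECURITY TYPE(AUTHSERV)' | runmqsc "$1"
  else echo "echo 'REFRESH SECURITY TYPE(AUTHSERV)' | runmqsc $1"; fi
}

# Example run (prints the commands unless IIB_APPLY=1):
admin_auths IB9QMGR -g mqbrkrs default sales
developer_auths IB9QMGR -g ibdevs sales
webui_auths IB9QMGR -p webadmin
recordreplay_auths IB9QMGR -g ibdevs view
show_auths IB9QMGR -g ibdevs SYSTEM.BROKER.AUTH.sales
dump_auths IB9QMGR SYSTEM.BROKER.AUTH
refresh_authservice IB9QMGR
```

Keep the connect-level grants (+inq only on the AUTH queues) as the default for Toolkit and Explorer users, and add +put and +set only for the groups that must deploy or change properties. On UNIX and Linux systems, WebSphere MQ applies an authorization given with -p to the user's primary group rather than to the user alone unless the queue manager is configured for user-level authorization, so prefer granting to a dedicated group with -g.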

When you run a broker with administration security enabled, you might need to restrict the names and the length of the names that you give to your integration servers, because WebSphere MQ enforces some restrictions on the authorization queue names. For details of these restrictions, and the possible effects, see Authorization queues for broker administration security.


bp43610_.htm | Last updated Friday, 21 July 2017