Permissions for acting on integration nodes and resources

Permissions are required for users to act on the integration node and its resources.

The following tables show the permissions that are required for users to carry out specific tasks, depending on whether you are using queue-based, file-based, or LDAP administration security. If you are using any IBM® Integration Bus functions that require access to WebSphere® MQ, you must also set the required permissions for connecting to the queue manager that is specified on the integration node. For information about the permissions that are required for connecting to the queue manager, see Permissions for connecting to a queue manager.

Table 1. WebSphere MQ queue-based permissions required for acting on an integration node

| Action | Integration node permission | MQ queue-based security: WebSphere MQ permission set on setmqaut command for SYSTEM.BROKER.AUTH queue |
|--------|-----------------------------|------|
| View   | read    | +INQ |
| Create | write   | +PUT |
| Delete | write   | +PUT |
| Modify | write   | +PUT |
| Start  | execute | +SET |
| Stop   | execute | +SET |
| Inject | execute | +SET |

Table 2. File-based permissions required for acting on an integration node

| Action | Integration node permission | File-based security: File permission set on mqsichangefileauth command, object flag not required |
|--------|-----------------------------|------|
| View   | read    | read+    |
| Create | write   | write+   |
| Delete | write   | write+   |
| Modify | write   | write+   |
| Start  | execute | execute+ |
| Stop   | execute | execute+ |
| Inject | execute | execute+ |

Table 3. LDAP permissions required for acting on an integration node

| Action | Integration node permission | LDAP security: permission set on mqsichangefileauth command, object flag not required |
|--------|-----------------------------|------|
| View   | read    | read+    |
| Create | write   | write+   |
| Delete | write   | write+   |
| Modify | write   | write+   |
| Start  | execute | execute+ |
| Stop   | execute | execute+ |
| Inject | execute | execute+ |

Table 4. WebSphere MQ queue-based permissions required for acting on an integration server

| Action | Integration node permission | MQ queue-based security: WebSphere MQ permission set on setmqaut command for SYSTEM.BROKER.AUTH.EG queue |
|--------|-----------------------------|------|
| View   | read    | +INQ |
| Create | write   | +PUT |
| Delete | write   | +PUT |
| Modify | write   | +PUT |
| Start  | execute | +SET |
| Stop   | execute | +SET |

Table 5. File-based permissions required for acting on an integration server

| Action | Integration node permission | File-based security: File permission set on mqsichangefileauth command (include -e integrationServerName flag) |
|--------|-----------------------------|------|
| View   | read    | read+    |
| Create | write   | write+   |
| Delete | write   | write+   |
| Modify | write   | write+   |
| Start  | execute | execute+ |
| Stop   | execute | execute+ |

Table 6. LDAP permissions required for acting on an integration server

| Action | Integration node permission | LDAP security: permission set on mqsichangefileauth command (include -e integrationServerName flag) |
|--------|-----------------------------|------|
| View   | read    | read+    |
| Create | write   | write+   |
| Delete | write   | write+   |
| Modify | write   | write+   |
| Start  | execute | execute+ |
| Stop   | execute | execute+ |

Table 7. WebSphere MQ queue-based permissions required for acting on a data capture object

| Action | Integration node permission | MQ queue-based security: WebSphere MQ permission set on setmqaut command for SYSTEM.BROKER.DC.AUTH queue |
|--------|-----------------------------|------|
| View   | read    | +INQ |
| Replay | execute | +SET |

Table 8. File-based permissions required for acting on a data capture object

| Action | Integration node permission | File-based security: File permission set on mqsichangefileauth command (include -o Data Capture flag) |
|--------|-----------------------------|------|
| View   | read    | read+    |
| Replay | execute | execute+ |

Table 9. LDAP permissions required for acting on a data capture object

| Action | Integration node permission | LDAP security: permission set on mqsichangefileauth command (include -o Data Capture flag) |
|--------|-----------------------------|------|
| View   | read    | read+    |
| Replay | execute | execute+ |

Where no object flag is specified on the mqsichangefileauth command, permissions are set at the level of the integration node.
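
The following helper is an added example, not part of the IBM documentation: it turns a list of actions from the tables above into the single least-privilege grant command for the chosen authorization mode, and rejects actions that the tables do not define for the object (for example, Inject on an integration server). It only prints the command; the names QM1, NODE1, the role names, granting to a group with `-g`, and writing the data capture object as `-o DataCapture` are assumptions.

```shell
# Prints (does not run) the grant command for a set of actions.
# QM1 / NODE1 are placeholder defaults; override with QMGR= and NODE=.
iib_perm() {   # ACTION SCOPE -> read|write|execute, fails if not in the tables
  case "$2:$1" in
    node:View|server:View|dc:View) echo read ;;
    node:Create|node:Delete|node:Modify|server:Create|server:Delete|server:Modify) echo write ;;
    node:Start|node:Stop|node:Inject|server:Start|server:Stop|dc:Replay) echo execute ;;
    *) return 1 ;;
  esac
}

# Usage: iib_grant_cmd MODE(mq|file|ldap) SCOPE(node|server|dc) ROLE SERVER ACTION...
iib_grant_cmd() {
  local mode=$1 scope=$2 role=$3 server=$4 a p perms="" q="" auth="" flag=""
  shift 4
  for a in "$@"; do
    p=$(iib_perm "$a" "$scope") || { echo "action $a is not defined for $scope" >&2; return 1; }
    # Several actions map to one permission; grant each permission once.
    case " $perms " in *" $p "*) ;; *) perms="$perms $p" ;; esac
  done
  perms=${perms# }
  [ -n "$perms" ] || return 1
  case "$mode" in
    mq)
      case "$scope" in
        node)   q=SYSTEM.BROKER.AUTH ;;
        server) q=SYSTEM.BROKER.AUTH.$server ;;   # EG = integration server name
        dc)     q=SYSTEM.BROKER.DC.AUTH ;;
      esac
      for p in $perms; do
        case "$p" in read) auth="$auth +INQ" ;; write) auth="$auth +PUT" ;; execute) auth="$auth +SET" ;; esac
      done
      echo "setmqaut -m ${QMGR:-QM1} -n $q -t queue -g $role$auth" ;;
    file|ldap)
      case "$scope" in server) flag=" -e $server" ;; dc) flag=" -o DataCapture" ;; esac
      echo "mqsichangefileauth ${NODE:-NODE1} -r $role$flag -p $(echo "$perms" | sed 's/ /+,/g')+" ;;
    *) return 1 ;;
  esac
}
```

For example, `iib_grant_cmd mq server operators default View Start Stop` prints a setmqaut command on SYSTEM.BROKER.AUTH.default that grants only +INQ and +SET, leaving +PUT (create, delete, modify) ungranted.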

For information about using the mqsichangeauthmode command to specify an authorization mode, see Configuring administration security to use file-based, queue-based, or LDAP authorization.

If the queue-based mode of administration security (mq mode) is enabled when you create an integration node, the queue SYSTEM.BROKER.AUTH is created. Read, write, and execute permissions are granted automatically to the user group mqbrkrs on this queue. The SYSTEM.BROKER.AUTH queue is created as a local queue, and is used to define which users are authorized to perform actions on the integration node and the integration node properties.

When you create an integration server on an integration node for which you have enabled queue-based security, the integration server authorization queue SYSTEM.BROKER.AUTH.EG is created, where EG is the name of the integration server. Read, write, and execute permissions are automatically granted to the user group mqbrkrs on this queue.

When you use the mqsicreatebroker command to create an integration node with an associated queue manager, the SYSTEM.BROKER.DC.AUTH queue is created automatically. If you create an integration node without specifying a queue manager, you can modify the integration node afterwards to specify a queue manager and enable administration security in mq mode; however, you must also create the SYSTEM.BROKER.DC.AUTH queue. For information about creating the system queues, see Creating the default IBM Integration Bus queues on a WebSphere MQ queue manager.

For more information about the creation of authorization queues, see Authorization queues for queue-based administration security.