Configuring authorization for an integration node by modifying the node.conf.yaml file

You can configure integration nodes (and the integration servers that they manage) to use either file-based authorization, queue-based authorization, or LDAP authorization, by setting the security properties in the node.conf.yaml configuration file.

Before you begin

About this task

Authorization to perform administrative tasks is determined by the permissions that are granted to the role to which the web user has been assigned. When you use LDAP authorization, a web user's role is determined by mapping the LDAP groups that the user belongs to onto a predefined role, as described in Configuring authorization by using LDAP groups; you then set file-based permissions for that role. For more information about controlling access by using file-based permissions, see Setting file-based permissions. For information about controlling access by using queue-based permissions, see Setting queue-based permissions.

When you enable administration security for an integration node, the default mode of authorization depends on whether a queue manager is specified on the integration node. If a queue manager has been specified, administration security for the integration node is based on IBM MQ queues by default (mq mode), and the required queues used for setting authorization are created automatically when the integration node is created. If you create an integration node without specifying an associated queue manager, file-based administration security is used by default (file mode).

For information about controlling access to an independent integration server, see Configuring authorization for an integration server by modifying the server.conf.yaml file.

You configure authorization for an integration node (and its managed integration servers) by setting properties in the Security section of the integration node's node.conf.yaml file:
Security:
  LdapAuthorizeAttributeToRoleMap:
    # When 'authorizationMode' is ldap, set the mapping from a matched LDAP authorization attribute, as
    # configured in 'ldapAuthorizeUrl' to the ACE web user role name
    # e.g. map the following LDAP group DNs to web user roles 'adminRole', 'viewRole'
    #'cn=admins,cn=group,ou=ace': 'adminRole'
    #'cn=monitors,cn=group,ou=ace': 'viewRole'
  Node:
    Permissions:
      # Set Admin Security Authorization file permissions for the Integration Node by web user role using 'read+:write+:execute+' , or 'all+'
      # '+' grants permission, '-' denies permission
      # e.g. define the following web user roles 'viewRole' and 'adminRole'
      #viewRole:  'read+:write-:execute-'
      #adminRole: 'all+'
    DataPermissions:
      # Set Admin Security Authorization file permissions for Record and Replay web user roles using 'read+:write+:execute+' , or 'all+'
      # '+' grants permission, '-' denies permission. Record and Replay roles also require 'read+' permission to be defined for the
      # Integration Node in the Permissions section above.
      # e.g. define the following web user roles 'dataViewer', 'dataReplayer' and 'adminRole'
      #dataViewer:  'read+:write-:execute-'
      #dataReplayer: 'read+:write-:execute+'
      #adminRole: 'all+'
  Server:
    # Set Admin Security Authorization file permissions for each named Integration Server
    # e.g. define the following web user roles 'viewRole' and 'adminRole' for Integration Server 'server01'
    #server01:
      #Permissions:
        #viewRole:  'read+:write-:execute-'
        #adminRole: 'all+'
      #DataPermissions:
        # Set Admin Security Authorization file permissions for Record and Replay web user roles using 'read+:write+:execute+' , or 'all+'
        # '+' grants permission, '-' denies permission.
        # e.g. define the following web user roles 'dataViewer', 'dataReplayer' and 'adminRole'
        #dataViewer:  'read+:write-:execute-'
        #dataReplayer: 'read+:write-:execute+'
        #adminRole: 'all+'

You set permissions in the node.conf.yaml file for the integration node and for all the integration servers that it manages. When you have added or modified permissions, ensure that you restart the integration node for the changes to take effect.

Procedure

Configure the authorization mode for an integration node by completing the following steps:

  1. Open the node.conf.yaml configuration file for your integration node, by using a YAML editor.

    If you do not have access to a YAML editor, you can edit the file by using a plain text editor; however, you must ensure that you do not include any tab characters, because they are not valid YAML indentation and would cause your configuration to fail to load. If you use a plain text editor, validate the content of the file with a YAML validation tool before you restart the integration node.

  2. If administration security has not already been enabled, enable it now by setting the adminSecurity property in the node.conf.yaml file to active:
    adminSecurity: active
  3. Specify the authorization mode that you require, by setting the authorizationMode property (the property that the comments in the Security section refer to) to either file, mq, or ldap.
    For example, to configure the integration node to use file-based authorization, set the following value:
    authorizationMode: file
  4. Assign permissions to the defined roles, by specifying a combination of read, write, and execute, or all, with + to grant permission, and - to deny permission; for example:
    viewRole:  'read+:write-:execute-'
    adminRole: 'all+'
    where the viewRole has only read permission, and the adminRole has permission for all actions.
  5. Save the modified node.conf.yaml file.
  6. Restart the integration node for the changes to take effect, by using the mqsistop command followed by the mqsistart command.
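Before restarting the integration node (step 6), it is worth checking the edited Security section against the rules that the file's own comments lay down, because a mistake only shows up after the restart. The following Python script is an added example for this page; it is not IBM's code and not part of App Connect Enterprise. It parses the YAML subset that the Security section of node.conf.yaml uses, rejects tab characters (step 1), checks that adminSecurity is active and the mode is file, mq or ldap (steps 2 and 3), validates every permission string (step 4), enforces the rule from the DataPermissions comment that Record and Replay roles also need read+ at node level, and in ldap mode checks that every mapped role has file-based permissions. GOOD_CONF and BAD_CONF are constructed sample fragments. The script assumes the mode property is named authorizationMode, as in the configuration comments, and treats an action omitted from a permission string as denied.

```python
"""Pre-flight checker for the Security section of an ACE node.conf.yaml (added example, not IBM's code).

Parses the YAML subset the Security section uses, rejects tabs, and checks the rules the file's
own comments state. Assumes the mode property is named 'authorizationMode' and that an action
omitted from a permission string is denied.
"""
ACTIONS = ("read", "write", "execute")
MODES = ("file", "mq", "ldap")

def parse_conf(text):
    """Parse the node.conf.yaml subset (nested mappings, scalars, '#' comments)."""
    stack = [(-1, {})]                                # (indent, open mapping); root at index 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if "\t" in raw:                               # step 1: tabs are not valid YAML
            raise ValueError(f"line {lineno}: tab characters are not valid in YAML")
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key: value'")
        key = key.strip().strip("'\"")
        value = value.split("#", 1)[0].strip().strip("'\"")
        while stack[-1][0] >= indent:                 # leave deeper or sibling mappings
            stack.pop()
        parent = stack[-1][1]
        parent[key] = {} if value == "" else value    # 'key:' alone opens a nested mapping
        if value == "":
            stack.append((indent, parent[key]))
    return stack[0][1]

def parse_permissions(spec):
    """'read+:write-:execute-' or 'all+' -> {action: granted}."""
    if spec in ("all+", "all-"):
        return {a: spec == "all+" for a in ACTIONS}
    perms = {a: False for a in ACTIONS}               # omitted action => denied (assumption)
    for token in spec.split(":"):
        action, flag = token[:-1], token[-1:]
        if action not in ACTIONS or flag not in ("+", "-"):
            raise ValueError(f"bad permission token {token!r} in {spec!r}")
        perms[action] = flag == "+"
    return perms

def check_node_conf(text):
    """Return findings for a node.conf.yaml fragment; [] means it is consistent."""
    conf = parse_conf(text)                           # raises ValueError on tabs or malformed lines
    findings = []
    if conf.get("adminSecurity") != "active":
        findings.append("adminSecurity is not 'active': roles are not enforced")
    mode = conf.get("authorizationMode")
    if mode not in MODES:
        findings.append(f"authorizationMode {mode!r} is not one of {MODES}")
    security = conf.get("Security", {})
    node = security.get("Node", {})
    node_roles = {}                                   # role -> parsed Node.Permissions
    scopes = [("Node", node)] + list(security.get("Server", {}).items())
    for scope, sections in scopes:
        for section in ("Permissions", "DataPermissions"):
            for role, spec in sections.get(section, {}).items():
                try:
                    parsed = parse_permissions(spec)
                except ValueError as err:
                    findings.append(f"{scope}.{section}.{role}: {err}")
                    continue
                if scope == "Node" and section == "Permissions":
                    node_roles[role] = parsed
    for role in node.get("DataPermissions", {}):      # rule from the DataPermissions comment
        if not node_roles.get(role, {}).get("read"):
            findings.append(f"Record and Replay role {role!r} lacks 'read+' under Node.Permissions")
    if mode == "ldap":                                # every mapped role needs file permissions
        for group, role in security.get("LdapAuthorizeAttributeToRoleMap", {}).items():
            if role not in node_roles:
                findings.append(f"LDAP group {group!r} maps to {role!r}, which has no Node.Permissions entry")
    return findings

# Constructed sample fragments, not taken from a real installation.
GOOD_CONF = """\
adminSecurity: 'active'
authorizationMode: 'file'
Security:
  Node:
    Permissions:
      adminRole: 'all+'
      dataReplayer: 'read+:write-:execute-'
    DataPermissions:
      dataReplayer: 'read+:write-:execute+'
  Server:
    server01:
      Permissions:
        adminRole: 'all+'
"""
BAD_CONF = """\
adminSecurity: 'inactive'
Security:
  Node:
    Permissions:
      viewRole: 'reed+:write-:execute-'
    DataPermissions:
      dataReplayer: 'read+:write-:execute+'
"""
```

Run check_node_conf on the text of your edited node.conf.yaml before the restart; GOOD_CONF passes, while BAD_CONF reports the inactive security setting, the missing mode, the misspelt permission string, and the dataReplayer role that has data permissions but no read+ at node level.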

What to do next

For information about specifying the authorization mode for an integration node by using the mqsichangeauthmode command (instead of modifying the node.conf.yaml file), see Configuring authorization by using the mqsichangeauthmode command. You can then set permissions as described in Setting file-based permissions, Setting queue-based permissions on Linux, AIX, and Windows systems, or Configuring authorization by using LDAP groups.