Administration security overview

Administration security controls users' permissions to access integration nodes, integration servers, and their resources, and to complete administrative tasks.

Administration security is an optional feature of IBM® App Connect Enterprise, and it is not enabled by default. Three modes of authorization are supported for integration nodes and their managed integration servers: file-based permissions, queue-based permissions, and LDAP authorization. For independent integration servers, file-based authorization (file mode), and LDAP authorization are supported. You can enable authentication and select the required authorization mode, either by using the mqsichangeauthmode command or by setting properties in the server.conf.yaml or node.conf.yaml configuration files. For more information, see Enabling administration security.

You can control users' access to integration nodes, integration servers, and their resources by associating users with roles. A role is a set of security permissions that control access to runtime components and resources, and each user account is associated with a particular role. The permissions are checked to determine a user's authorization to perform tasks through the web user interface, REST API, IBM App Connect Enterprise Toolkit, and IBM App Connect Enterprise commands. For more information about roles, see Role-based security, and for information about how to create and assign roles to web users, see Managing web user accounts.

The following aspects of administration security are supported by IBM App Connect Enterprise:
  • Authentication
  • Authorization

Authentication

Authentication is the process of establishing the identity of a user or system and verifying that the identity is valid. IBM App Connect Enterprise provides authentication support for the following administration interfaces:
  • IBM App Connect Enterprise web user interface
  • IBM App Connect Enterprise RESTful application programming interface (API)
  • IBM App Connect Enterprise Toolkit
  • IBM App Connect Enterprise commands. Some commands let you supply security credentials when you connect to a remote host, by passing a user ID and password as part of the URI on the -i URI parameter.

For these administration interfaces, authentication is done by App Connect Enterprise. To use App Connect Enterprise to authenticate a user, you create a web user account with a local password. The user ID and password are then checked against the credentials that are held in the system.

Alternatively, you can use an external LDAP server to authenticate a user. To use an LDAP server, you must configure your integration node to use an LDAP server for authentication. Credentials are checked against the username and password set in the LDAP server. When LDAP is enabled, local passwords are ignored. Unless you intend to use file-based authorization, you do not need to create a web user account with a local password.

For more information about the authentication support that is provided by IBM App Connect Enterprise, see Authenticating users for administration.

Authorization

Authorization is the process of controlling users' access to resources, by verifying that they have the necessary permissions to complete the requested actions against the specified resources.

When administration security is enabled, you can control users' access to integration nodes, integration servers, and resources. Control the access by setting permissions that allow user IDs associated with specified roles to complete actions on specified resources. App Connect Enterprise checks the authorizations when it receives a request to view or change its properties or resources. If the user ID associated with the request is not authorized, the request is denied. Permissions are checked for all actions that are attempted by users of the following interfaces:

  • IBM App Connect Enterprise
  • IBM App Connect Enterprise Toolkit sessions
  • IBM App Connect Enterprise RESTful application programming interface (API)
  • Java™ programs that use the IBM Integration API to complete operations on the integration node.
  • All the following commands:
    • mqsichangeresourcestats
    • mqsicreateexecutiongroup
    • mqsideleteexecutiongroup
    • mqsideploy
    • mqsilist
    • mqsimode
    • mqsireloadsecurity
    • mqsireportresourcestats
    • mqsistartmsgflow
    • mqsistopmsgflow
    • mqsiwebuseradmin

    For more information about authorization that is required for these commands, see Commands and authorizations for administration security.

    Commands that are not listed here can be run only on the computer on which the integration node or server is running. When you run any unlisted command, the user ID that runs it must be a member of the security group mqbrkrs, or it must be the same user ID that is running the integration node or server.

Users of the web user interface and the IBM App Connect Enterprise Toolkit who do not have read, write, and execute permissions for the integration node or integration servers, have only restricted access to those resources.

For integration nodes and their managed integration servers, three modes of authorization are supported: file-based authorization (file mode), queue-based authorization (mq mode), and LDAP authorization mode. You can enable administration security for an integration node and specify file-based authorization or queue-based authorization mode, by using either of the following methods: You can specify LDAP authorization by setting properties in the integration node's configuration file, as described in Configuring authorization by using LDAP groups.

For independent integration servers, file-based authorization (file mode), and LDAP authorization are supported. You can enable file-based authorization for an independent integration server (which is not managed by an integration node), by using one of the following methods: You can enable LDAP authorization for an independent integration server (which is not managed by an integration node), by setting properties in the integration server's server.conf.yaml configuration file, as described in Configuring authorization by using LDAP groups.

File-based authorization (file mode)

File-based authorization can be configured for integration nodes (and their managed integration servers) and for independent integration servers.

If an integration node or server is configured to use file-based authorization, you can grant permissions to a role by using the mqsichangefileauth command, or by setting permissions in the node.conf.yaml or server.conf.yaml configuration file. For more information, see Setting file-based permissions.

If no permissions are found for the role name, a check is conducted to see if the role name matches a system user ID. If a matching system user ID exists, and if it is a member of the mqbrkrs group, full permissions are given.
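The following added example (not IBM's code) models the file-mode authorization decision described above: permission strings in the format that mqsichangefileauth accepts (assumed to be `read+:write-:execute+` or `all+`/`all-`), permissions scoped to the integration node or to a named integration server, and the fallback in which a role with no permissions that matches a system user ID in mqbrkrs receives full permissions. The group membership and role names are constructed for the example.

```python
"""Model of file-mode administration authorization decisions (added example)."""
from typing import Dict, Set

ACTIONS = ("read", "write", "execute")


def parse_permissions(spec: str) -> Set[str]:
    """Turn 'read+:write-:execute+' or 'all+' into the set of granted actions.

    Tokens are applied left to right, so 'all+:write-' grants read and execute.
    """
    granted: Set[str] = set()
    for token in spec.split(":"):
        token = token.strip().lower()
        if not token or token[-1] not in "+-":
            raise ValueError(f"bad permission token: {token!r}")
        name, sign = token[:-1], token[-1]
        if name != "all" and name not in ACTIONS:
            raise ValueError(f"unknown permission: {name!r}")
        for action in (ACTIONS if name == "all" else (name,)):
            (granted.add if sign == "+" else granted.discard)(action)
    return granted


class FileAuthorizer:
    """Role permissions keyed by scope: '' for the node, or a server name."""

    def __init__(self, mqbrkrs_members: Set[str]) -> None:
        # Constructed stand-in for the operating-system mqbrkrs group.
        self.mqbrkrs = mqbrkrs_members
        self.perms: Dict[str, Dict[str, Set[str]]] = {}

    def grant(self, role: str, spec: str, server: str = "") -> None:
        """Equivalent of mqsichangefileauth -r role -p spec [-e server]."""
        self.perms.setdefault(role, {})[server] = parse_permissions(spec)

    def is_allowed(self, role: str, action: str, server: str = "") -> bool:
        scopes = self.perms.get(role)
        if scopes is None:
            # No permissions exist for the role name: full permissions only if
            # it matches a system user ID that is a member of mqbrkrs.
            return role in self.mqbrkrs
        # Modelling assumption: a scope with no explicit entry grants nothing.
        return action in scopes.get(server, set())


if __name__ == "__main__":
    auth = FileAuthorizer({"ibmuser"})
    auth.grant("viewer", "read+:write-:execute-")
    auth.grant("deployer", "all+", server="default")
    print(auth.is_allowed("viewer", "write"), auth.is_allowed("ibmuser", "write"))
```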

Queue-based authorization (mq mode)

Queue-based authorization can be configured for integration nodes (and their managed integration servers).

If the queue-based mode of authorization is set for an integration node, you specify permissions on authorization queues, which are defined on the queue manager that is specified on the integration node:
  • SYSTEM.BROKER.AUTH. This queue represents the integration node and its properties. Only one queue exists of this name for each integration node. This queue is defined as a local queue.
  • One SYSTEM.BROKER.AUTH.EG for each integration server that you define on the integration node, where EG is the name of the integration server. These queues are defined as alias queues.

Read, write, and execute authorities are granted automatically to the user group mqbrkrs on the SYSTEM.BROKER.AUTH queue.

When you create an integration server on an integration node for which security is enabled, the integration server authorization queue SYSTEM.BROKER.AUTH.EG is created, where EG is the name of the integration server. Read, write, and execute authorities are automatically granted to the user group mqbrkrs on this queue.

If the integration node is configured to use queue-based authorization, you must create a system user ID on the operating system on which your integration node is running. You then assign permissions to the system user ID, and this set of permissions represents a role with a name that corresponds to the name of the system user ID. For example, the set of permissions that you define for a system user called ibmuser forms a role called ibmuser. For more information about setting permissions for queue-based authorization, see Setting queue-based permissions.

LDAP authorization mode

LDAP authorization can be configured for integration nodes (and their managed integration servers) and for independent integration servers. If an integration node or server is configured to use LDAP authorization, you can grant permissions to a role by setting permissions in the node.conf.yaml or server.conf.yaml configuration file. For more information, see Configuring authorization by using LDAP groups.

For more information about the authorization support provided by IBM App Connect Enterprise, see Authorizing users for administration and Role-based security.

For more information about security permissions, see the following topics: