Controlling access to data and resources in the web user interface

Integration administrators can control web users' access to data and integration node resources by assigning permissions to users based on their role.

Before you begin

About this task

Integration administrators can restrict web users' access to data and integration node resources only if administration security is enabled. If administration security is not enabled, web users can interact with the web user interface without logging on, which means that they can access the web user interface as the 'default' user and have access to all data and integration node resources.

To perform any administrative task from the web user interface when administration security is enabled, you must have permission to view properties on the integration node. For a full list administrative tasks and the permissions required, see Tasks and authorizations for administration security.

With administration security enabled, REST users can view only the URIs for which they are authorized. If administration security is disabled, all REST requests are unrestricted.

Note: When queue-based security is enabled, a check is made on all SYSTEM.BROKER.AUTH queues to establish the permissions that the user has. As a result of this check, AMQ8077 messages might be seen.

As an integration administrator, you can set permissions to restrict users' access based on the tasks that they are required to perform. Some example tasks and their associated permissions are shown in the following table:

Example access and actions IBM MQ queue-based permissions (set on the setmqaut command) File-based permissions (set on the mqsichangefileauth command)
Allow data technicians to view record and replay data stores under Data tab of the integration node or integration server in the web user interface.
  • +inq permission on SYSTEM.BROKER.DC.AUTH queue
  • +inq permission on SYSTEM.BROKER.AUTH queue
  • read+ permission on the integration node
  • read+ permission on the Integration Node Data object
Allow web users to view and download recorded messages in an integration server's record and replay store.
  • +inq permission on SYSTEM.BROKER.DC.AUTH queue
  • +inq permission on SYSTEM.BROKER.DC.AUTH.integrationServerName queue
  • +inq permission on SYSTEM.BROKER.AUTH queue
  • read+ permission on the integration node
  • read+ permission on the Integration Node Data object
  • read+ permission on the Integration Server Data object
Allow web users to view, download and replay recorded messages in an integration server's record and replay data store.
  • +inq permissions on SYSTEM.BROKER.AUTH queue
  • +inq permission on the SYSTEM.BROKER.DC.AUTH queue
  • +inq + set permission on SYSTEM.BROKER.DC.AUTH.integrationServerName queue
  • read+ permission on the integration node
  • read+ permission on the Integration Node Data object
  • read+, execute+ permission on the Integration Server Data object
Allow REST users to request information about messages recorded under an integration server's record and replay data store.
  • +inq permission on SYSTEM.BROKER.DC.AUTH.integrationServerName queue
 read+ permission on the Integration Server Data object
Allow REST users to view and replay messages.
  • +inq permission on SYSTEM.BROKER.DC.AUTH.integrationServerName queue to view
  • + set permission on SYSTEM.BROKER.DC.AUTH.integrationServerName queue to replay
  • read+ permission on the Integration Server Data object to view.
  • execute+ permission on the Integration Server Data object to replay.
Allow web users to view business transactions on the Business Transactions Monitor tab
  • +inq permission on SYSTEM.BROKER.AUTH queue
  • +inq permission on SYSTEM.BROKER.AUTH.integrationServerName queue, where integrationServerName is the integration server that hosts the business transaction definition
  • +inq permission on SYSTEM.BROKER.DC.AUTH queue
  • read+ permission on the integration node
  • read+ permission on the integration server that hosts the business transaction definition
  • read+ permission on the integration node data object
Allow web users to view business transaction definitions on the Business Transactions Configure tab
  • +inq permission on SYSTEM.BROKER.AUTH queue
  • +inq permission on SYSTEM.BROKER.AUTH.integrationServerName queue, where integrationServerName is the integration server that hosts the business transaction definition
  • +inq permission on SYSTEM.BROKER.DC.AUTH queue
  • read+ permission on the integration node
  • read+ permission on the integration server that hosts the business transaction definition
  • read+ permission on the integration node data object
Allow web users to start and stop recording for a business transaction definition on the Business Transactions Configure tab.
  • +inq permission on SYSTEM.BROKER.AUTH queue
  • +inq +set permission on SYSTEM.BROKER.AUTH.integrationServerName queue, where integrationServerName is the integration server that hosts the business transaction definition
  • +inq permission on SYSTEM.BROKER.DC.AUTH queue
  • read+ permission on the integration node
  • read+ execute+ permission on the integration server that hosts the business transaction definition
  • read+ permission on the integration node data object
Allow web users to create or update a business transaction definition or a business transaction policy on the Business Transaction Monitoring Configure tab.
  • +inq permission on SYSTEM.BROKER.AUTH queue
  • +inq +put permission on SYSTEM.BROKER.AUTH.integrationServerName queue, where integrationServerName is the integration server where the business transaction definition is being defined
  • +inq permission on SYSTEM.BROKER.AUTH.integrationServerName queue, where integrationServerName is the integration server from which you want to select business monitoring events to include in the business transaction definition
  • +inq permission on SYSTEM.BROKER.DC.AUTH queue
  • read+ permission on the integration node
  • read+ write+ permission on the integration server where the business transaction definition is defined
  • read+ permission on the integration server from which you want to select business monitoring events to include in the business transaction definition
  • read+ permission on the integration node data object
Allow web users to delete a stopped business transaction definition.
  • +inq permission on SYSTEM.BROKER.AUTH queue
  • +inq +put permission on SYSTEM.BROKER.AUTH.integrationServerName queue, where integrationServerName is the integration server where the business transaction definition is defined
  • +inq permission on SYSTEM.BROKER.DC.AUTH queue
  • read+ permission on the integration node
  • read+ write+ permission on the integration server where the business transaction definition is defined
  • read+ permission on the integration node data object

Integration administrators can also allow web users to start and stop integration servers, applications, and message flows from the web user interface, by granting permissions to the roles with which the web users are associated.

For more information about role-based access, see Role-based security and Managing web user accounts.

Procedure

  1. Enable administration security and configure the integration node to use either file-based or queue-based authorization.
    For more information, see Enabling administration security.
  2. Define the roles and their associated permissions. You can assign permissions to each role that you have identified; for example, you might decide that your web users can be categorized into two main roles: web administrators and web users. Define a role for each of these groups of users (for example, iibUsers and iibAdmins) with permissions that allow them to perform the required tasks, such as viewing or modifying resources:
    • If the integration node is configured to use file-based authorization (file mode), you define the roles and associated permissions on the integration node, by using the mqsichangefileauth command. For information about setting permissions for file-based authorization, see Setting file-based permissions.
    • If the integration node is configured to use queue-based authorization (mq mode), you must create a system user ID on the operating system for each role that you have identified. You must then assign permissions to the system user ID, which is then used as a role. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.
    • If the integration node is configured to use LDAP authorization, you define the roles and associated permissions on the integration node, by setting properties in the node.conf.yaml for the integration node. For information about setting permissions for LDAP authorization, see Configuring authorization by using LDAP groups.
    For more information about setting the appropriate permissions, see Authorizing users for administration.
  3. Use the mqsiwebuseradmin command to create your web user accounts and assign them to the appropriate roles.
    For more information, see mqsiwebuseradmin command. For more information about roles, see Role-based security.