Permissions for acting on integration nodes, integration servers, and resources

Permissions are required for users to act on integration nodes, integration servers, and resources.

Authorization to perform administrative tasks is determined by the permissions that are granted to the role to which the user has been assigned. The following tables show the permissions that are required for the user's assigned role in order for them to carry out specific tasks, depending on whether you are using queue-based, file-based, or LDAP administration security. For information about how to specify an authorization mode, see Configuring administration security to use file-based, queue-based, or LDAP authorization.

If you are using any IBM® App Connect Enterprise functions that require access to IBM MQ, you must also set the required permissions for connecting to the queue manager that is specified on the integration node. For information about the permissions that are required for connecting to the queue manager, see Permissions for connecting to a queue manager.

Table 1. MQ queue-based permissions required for acting on an integration node

| Action | Integration node permission | MQ queue-based security: IBM MQ queue | MQ queue-based security: IBM MQ permission (set on setmqaut command) |
|---|---|---|---|
| View | read | SYSTEM.BROKER.AUTH | +INQ |
| Create | write | SYSTEM.BROKER.AUTH | +PUT |
| Delete | write | SYSTEM.BROKER.AUTH | +PUT |
| Modify | write | SYSTEM.BROKER.AUTH | +PUT |
| Start | execute | SYSTEM.BROKER.AUTH | +SET |
| Stop | execute | SYSTEM.BROKER.AUTH | +SET |
| Inject | execute | SYSTEM.BROKER.AUTH | +SET |
Table 2. File-based permissions required for acting on an integration node

| Action | Integration node permission | File-based security: Object flag (set on mqsichangefileauth command) | File-based security: File permission (set on mqsichangefileauth command or in a node.conf.yaml file) |
|---|---|---|---|
| View | read | | read+ |
| Create | write | | write+ |
| Delete | write | | write+ |
| Modify | write | | write+ |
| Start | execute | | execute+ |
| Stop | execute | | execute+ |
| Inject | execute | | execute+ |

Where no object flag is specified on the mqsichangefileauth command, the file-based permissions are set at the level of the integration node.

Table 3. LDAP permissions required for acting on an integration node

| Action | Integration node permission | LDAP security: Permission (set in node.conf.yaml configuration file) |
|---|---|---|
| View | read | 'read+' |
| Create | write | 'write+' |
| Delete | write | 'write+' |
| Modify | write | 'write+' |
| Start | execute | 'execute+' |
| Stop | execute | 'execute+' |
| Inject | execute | 'execute+' |
Table 4. MQ queue-based permissions required for acting on an integration server that is managed by an integration node

| Action | Integration node permission | MQ queue-based security: IBM MQ queue | MQ queue-based security: IBM MQ permission (set on setmqaut command) |
|---|---|---|---|
| View | read | SYSTEM.BROKER.AUTH.integrationServerName | +INQ |
| Create | write | SYSTEM.BROKER.AUTH.integrationServerName | +PUT |
| Delete | write | SYSTEM.BROKER.AUTH.integrationServerName | +PUT |
| Modify | write | SYSTEM.BROKER.AUTH.integrationServerName | +PUT |
| Start | execute | SYSTEM.BROKER.AUTH.integrationServerName | +SET |
| Stop | execute | SYSTEM.BROKER.AUTH.integrationServerName | +SET |
Table 5. File-based permissions required for acting on an integration server that is managed by an integration node

| Action | Integration node permission | File-based security: Object flag (set on mqsichangefileauth command) | File-based security: File permission (set on mqsichangefileauth command or in a node.conf.yaml file) |
|---|---|---|---|
| View | read | -e integration_server | read+ |
| Create | write | -e integration_server | write+ |
| Delete | write | -e integration_server | write+ |
| Modify | write | -e integration_server | write+ |
| Start | execute | -e integration_server | execute+ |
| Stop | execute | -e integration_server | execute+ |
Table 6. LDAP permissions required for acting on an integration server that is managed by an integration node

| Action | Integration node permission | LDAP security: Permission (set in the node.conf.yaml configuration file of the integration node that manages the integration server) |
|---|---|---|
| View | read | 'read+' |
| Create | write | 'write+' |
| Delete | write | 'write+' |
| Modify | write | 'write+' |
| Start | execute | 'execute+' |
| Stop | execute | 'execute+' |
Table 7. File-based permissions required for acting on an independent integration server (not managed by an integration node)

| Action | File-based security: Object flag (set on mqsichangefileauth command) | File-based security: File permission (set on mqsichangefileauth command or in a server.conf.yaml file) |
|---|---|---|
| View | -e integration_server | read+ |
| Create | -e integration_server | write+ |
| Delete | -e integration_server | write+ |
| Modify | -e integration_server | write+ |
| Start | -e integration_server | execute+ |
| Stop | -e integration_server | execute+ |
| Inject | -e integration_server | execute+ |
Table 8. LDAP permissions required for acting on an independent integration server (not managed by an integration node)

| Action | LDAP security: Permission (set in server.conf.yaml configuration file) |
|---|---|
| View | 'read+' |
| Create | 'write+' |
| Delete | 'write+' |
| Modify | 'write+' |
| Start | 'execute+' |
| Stop | 'execute+' |
| Inject | 'execute+' |
Table 9. Permissions required for acting on a data object

| Action | Integration node permission | MQ queue-based security: IBM MQ queue | MQ queue-based security: IBM MQ permission (set on setmqaut command) | File-based security: Object flag (set on mqsichangefileauth command) | File-based security: File permission (set on mqsichangefileauth command) |
|---|---|---|---|---|---|
| View | read | SYSTEM.BROKER.DC.AUTH | +INQ | -o Data | read+ |
| View | read | SYSTEM.BROKER.DC.AUTH.integrationServerName | +INQ | -o Data | read+ |
| Replay | execute | SYSTEM.BROKER.DC.AUTH.integrationServerName | +SET | -e IntegrationServerName -o Data | execute+ |
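The action-to-permission mapping in the tables above, as an added example that is not part of the IBM documentation: it decides whether a role's file-based or LDAP permission string grants the permission an action needs (denying anything not explicitly granted), and gives the authorization queue and setmqaut authority that the same action needs in queue-based mode. The comma-separated permission string, the helper names and the integration server names used in the test are assumptions of this example.

```python
import re

# Action -> (integration node permission, IBM MQ authority), as listed in
# Tables 1 to 9 on this page.
ACTION_PERMISSION = {
    "View": ("read", "+INQ"),
    "Create": ("write", "+PUT"),
    "Delete": ("write", "+PUT"),
    "Modify": ("write", "+PUT"),
    "Start": ("execute", "+SET"),
    "Stop": ("execute", "+SET"),
    "Inject": ("execute", "+SET"),
    "Replay": ("execute", "+SET"),
}

# One token is a permission name followed by + (granted) or - (denied).
_TOKEN = re.compile(r"^(read|write|execute)([+-])$")


def parse_permissions(spec):
    """Parse a string such as 'read+,write-,execute+' into {name: granted}.
    Comma separation of several tokens is an assumption of this example.
    A token that is not read/write/execute with a +/- suffix is rejected
    rather than ignored, so a typo in a permission string fails closed."""
    granted = {}
    for token in filter(None, (t.strip() for t in spec.split(","))):
        match = _TOKEN.match(token)
        if not match:
            raise ValueError(f"malformed permission token: {token!r}")
        granted[match.group(1)] = match.group(2) == "+"
    return granted


def is_authorized(action, spec):
    """True only if the role explicitly grants the permission the tables
    require for `action`; unknown actions and unmentioned permissions are
    denied (default deny)."""
    if action not in ACTION_PERMISSION:
        return False
    needed, _ = ACTION_PERMISSION[action]
    return parse_permissions(spec).get(needed, False)


def mq_authority(action, integration_server=None):
    """Authorization queue and setmqaut authority for the same action in
    queue-based mode (Table 1 for the node, Table 4 for a managed server)."""
    _, authority = ACTION_PERMISSION[action]
    queue = "SYSTEM.BROKER.AUTH"
    if integration_server:
        queue += "." + integration_server
    return queue, authority
```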

File-based and LDAP-based permissions:

When you create an integration server on an integration node for which either file-based or LDAP security has been enabled, you must explicitly set the permissions for the integration server and then restart the integration node for the changes to take effect. For more information, see Configuring authorization for an integration node by modifying the node.conf.yaml file.

Queue-based permissions:

If the queue-based mode of administration security (mq mode) is enabled when you create an integration node, the queue SYSTEM.BROKER.AUTH is created. Read, write, and execute permissions are granted automatically to the user group mqbrkrs on this queue. The SYSTEM.BROKER.AUTH queue is created as a local queue, and is used to define which users are authorized to perform actions on the integration node and the integration node properties.

When you create an integration server on an integration node for which you have enabled queue-based security, the integration server authorization queue SYSTEM.BROKER.AUTH.integrationServerName is created, where integrationServerName is the name of the integration server. Read, write, and execute permissions are automatically granted to the user group mqbrkrs on this queue.

When you use the mqsicreatebroker command to create an integration node with an associated queue manager, the SYSTEM.BROKER.DC.AUTH queue is created automatically. If you create an integration node without specifying a queue manager, you can modify the integration node afterwards to specify a queue manager and enable administration security in mq mode; however, you must also create the SYSTEM.BROKER.DC.AUTH queue. For information about creating the system queues, see Creating the default system queues on an IBM MQ queue manager.

For more information about the creation of authorization queues, see Authorization queues for queue-based administration security.