Tasks and authorizations for administration security
If you enable integration node administration security, users require specific permissions so that they can complete administration tasks.
If you are using the web user interface for administration, you must have permission to view integration node properties in addition to the permissions required for administering the integration node resources that are listed in the following tables.
In addition to the permissions that are required for the tasks that are shown in the following tables, permissions are also required for connecting to the integration node. For more information, see Authorizing users for administration.
- Where no object flag is specified on the mqsichangefileauth command, the file-based permissions are set at the level of the integration node.
- To set write permission at the level of an integration node: `mqsichangefileauth --integration-node TESTNODE --permissions write+ --role admin`
- To set write permission at the level of a managed integration server (an integration server that is managed by an integration node): `mqsichangefileauth --integration-node TESTNODE --integration-server server01 --permissions write+ --role admin` or `mqsichangefileauth TESTNODE -e server01 -p write+ -r admin`
- To set write permission at the level of an independent integration server: `mqsichangefileauth --working-directory c:\temp\ace1202 --permissions write+ --role admin`
- To set
- If you are changing resource statistics collection for all integration servers on the integration node, you must grant execute authority for all integration servers.
- If you are reporting resource statistics collection for all integration servers on the integration node, you must grant read authority for all integration servers.
- If you grant a user ID authority at the integration node level (on queue SYSTEM.BROKER.AUTH), it does not inherit authority for integration servers. You must explicitly grant authority to all, or to individual, integration servers.
- If queue-based security is enabled, a check is made on all SYSTEM.BROKER.AUTH queues to establish the permissions that the user has. As a result of this check, AMQ8077 messages might be seen.
- In the queue name SYSTEM.BROKER.AUTH.integrationServerName, the integrationServerName refers to the name of your integration server.
- For recording data with record and replay, in the queue name SYSTEM.BROKER.AUTH.integrationServerName, the integrationServerName refers to the integration server that you configured for recording data.
- For viewing recorded data with record and replay, in the queue name SYSTEM.BROKER.AUTH.integrationServerName, the integrationServerName refers to the integration server that you configured to view recorded data.
| Components/capabilities | Tasks | IBM MQ queue | IBM MQ permission (set on setmqaut command) |
|---|---|---|---|
| Integration nodes | Set integration node properties | SYSTEM.BROKER.AUTH | +INQ +PUT |
| | View integration node properties | SYSTEM.BROKER.AUTH | +INQ |
| Integration servers | Create or delete integration servers | SYSTEM.BROKER.AUTH | +INQ +PUT |
| | Rename integration servers | SYSTEM.BROKER.AUTH | +INQ +PUT |
| | List integration servers | SYSTEM.BROKER.AUTH | +INQ |
| | Start or stop integration servers | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH or SYSTEM.BROKER.AUTH.integrationServerName | +SET |
| | Set integration server properties | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +PUT |
| | View integration server properties | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +INQ |
| | Delete resources from an integration server | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +PUT |
| Message flows | Deploy | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +PUT |
| | List message flows and other deployed objects | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +INQ |
| | Start or stop message flows | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +SET |
| Web user interface | Logon to the web user interface | SYSTEM.BROKER.AUTH | +INQ |
| | Create, delete, or modify web users | SYSTEM.BROKER.AUTH | +PUT |
| | Change a web user's password in the web user interface (supplying the old password) | SYSTEM.BROKER.AUTH | +INQ |
| Resource statistics | Start or stop resource statistics collection | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +PUT |
| | Report resource statistics | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +INQ |
| Record and replay | View recorded data with record and replay (bit stream or exception-list data) | SYSTEM.BROKER.DC.AUTH | +INQ |
| | | SYSTEM.BROKER.DC.AUTH.integrationServerName | +INQ |
| | | SYSTEM.BROKER.AUTH | +INQ |
| | Replay data | SYSTEM.BROKER.DC.AUTH | +INQ |
| | | SYSTEM.BROKER.DC.AUTH.integrationServerName | +INQ +SET |
| Business transaction monitoring | View business transactions | SYSTEM.BROKER.DC.AUTH.integrationServerName (the integrationServerName is the integration server in which the business transaction definition is defined) | +INQ |
| | View business transaction definitions | SYSTEM.BROKER.AUTH.integrationServerName (the integrationServerName is the server from which the business transaction definitions will be queried) | +INQ |
| | Create or update a business transaction definition or business transaction policy | SYSTEM.BROKER.AUTH.integrationServerName (the integrationServerName is the server in which the business transaction definition will be created or updated) | +PUT |
| | Start and stop recording for a business transaction definition | SYSTEM.BROKER.AUTH.integrationServerName (the integrationServerName is the server that contains the business transaction definition that will be started or stopped) | +SET |
| | Delete a stopped business transaction definition | SYSTEM.BROKER.AUTH.integrationServerName (the integrationServerName is the server that contains the business transaction definition to be deleted) | +PUT |
| Policies | View policies in the web user interface | SYSTEM.BROKER.AUTH | +INQ |
| | Create, update, or delete policies in the web user interface | SYSTEM.BROKER.AUTH | +INQ +PUT |
| | Attach a policy to an integration server | SYSTEM.BROKER.AUTH.integrationServerName | +INQ +PUT |
| Services | View or import an MQ service from the Integration Registry | SYSTEM.BROKER.AUTH | +INQ |
| | Create or delete an MQ service in the Integration Registry | SYSTEM.BROKER.AUTH | +INQ +PUT |
| Flow exerciser | Enable flow recording for a message flow | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +PUT |
| | View recorded messages for a message flow | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +INQ |
| | Clear recorded messages for a message flow | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +PUT |
| | Inject a recorded message into a message flow | SYSTEM.BROKER.AUTH | +INQ |
| | | SYSTEM.BROKER.AUTH.integrationServerName | +SET |
| Components/capabilities | Tasks | Object flag (set on mqsichangefileauth command) | File permission (set on mqsichangefileauth command) |
|---|---|---|---|
| Integration nodes | Set integration node properties | | read+,write+ |
| | View integration node properties | | read+ |
| Integration servers | Create or delete integration servers | | read+,write+ |
| | Rename integration servers | | read+,write+ |
| | List integration servers | | read+ |
| | Start or stop integration servers | -e integration_server | execute+ |
| | Set integration server properties | | write+ |
| | | -e integration_server | write+ |
| | View integration server properties | | read+ |
| | | -e integration_server | read+ |
| | Delete resources from an integration server | | write+ |
| | | -e integration_server | write+ |
| Message flows | Deploy | | write+ |
| | | -e integration_server | write+ |
| | List message flows and other deployed objects | | read+ |
| | | -e integration_server | read+ |
| | Start or stop message flows | | execute+ |
| | | -e integration_server | execute+ |
| Web user interface | Logon to the web user interface | | read+ |
| | Create, delete, or modify web users | | write+ |
| | Change a web user's password in the web user interface (supplying the old password) | | write+ |
| Resource statistics | Start or stop resource statistics collection | | write+ |
| | | -e integration_server | write+ |
| | Report resource statistics | | read+ |
| | | -e integration_server | read+ |
| Record and replay | View recorded data with record and replay (bit stream or exception-list data) | -o Data | read+ |
| | | -e integration_server -o Data | read+ |
| | | | read+ |
| | Replay data | -o Data | read+ |
| | | -e integration_server -o Data | read+,execute+ |
| Business transaction monitoring | View business transactions | -o Data | read+ |
| | | -e integration_server -o Data | read+ |
| | View business transaction definitions | -e integration_server | read+ |
| | Create or update a business transaction definition or business transaction policy | -e integration_server | write+ |
| | Start and stop recording for a business transaction definition | -e integration_server | execute+ |
| | Delete a stopped business transaction definition | -e integration_server | write+ |
| Policies | View policies in the web user interface | | read+ |
| | Create, update, or delete policies in the web user interface | | read+,write+ |
| | Attach a policy to an integration server | -e integration_server | read+,write+ |
| Services | View or import an MQ service from the Integration Registry | | read+ |
| | Create or delete an MQ service in the Integration Registry | | read+,write+ |
| Flow exerciser | Enable flow recording for a message flow | | write+ |
| | | -e integration_server | write+ |
| | View recorded messages for a message flow | | read+ |
| | | -e integration_server | read+ |
| | Clear recorded messages for a message flow | | write+ |
| | | -e integration_server | write+ |
| | Inject a recorded message into a message flow | | execute+ |
| | | -e integration_server | execute+ |
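The two tables above are easiest to apply correctly when the per-task rows are combined per role, because a role usually needs several tasks at once and, as the notes above say, authority granted at the integration node level is never inherited by integration servers. The following Python script is an added example, not IBM's tooling and not text from this page: it transcribes a handful of rows from the queue-based and file-based tables into a small model, computes the union of permissions each SYSTEM.BROKER.AUTH queue (or each mqsichangefileauth level) needs for a role's task list across a named set of integration servers, emits the corresponding setmqaut and mqsichangefileauth commands, and reports which targets an existing grant set still lacks. The queue manager name QM1, the group acedeploy and the server name server02 are constructed placeholders; the setmqaut form used (`-m`, `-t queue`, `-n`, `-g`, lowercase `+inq`/`+put`/`+set`) is the standard command syntax rather than anything taken from the page.

```python
"""Least-privilege grant planner for ACE integration node administration security.

Added example, not IBM's tooling. TASKS is a hand-transcribed subset of the
queue-based and file-based tables; QM1, acedeploy and server02 are constructed.
"""
from collections import defaultdict

NODE_QUEUE = "SYSTEM.BROKER.AUTH"

# task -> [(scope, queue permissions, file permissions)]
#   scope "node":   queue SYSTEM.BROKER.AUTH / no object flag on mqsichangefileauth
#   scope "server": queue SYSTEM.BROKER.AUTH.<server> / -e <server>
TASKS = {
    "View integration node properties": [("node", {"+inq"}, {"read"})],
    "Deploy": [("node", {"+inq"}, {"write"}),
               ("server", {"+put"}, {"write"})],
    "List message flows and other deployed objects": [("node", {"+inq"}, {"read"}),
                                                      ("server", {"+inq"}, {"read"})],
    "Start or stop message flows": [("node", {"+inq"}, {"execute"}),
                                    ("server", {"+set"}, {"execute"})],
    "Report resource statistics": [("node", {"+inq"}, {"read"}),
                                   ("server", {"+inq"}, {"read"})],
}


def plan_grants(tasks, servers, kind):
    """Union of permissions needed for `tasks`, keyed by target.

    kind "queue": target is the SYSTEM.BROKER.AUTH queue name.
    kind "file":  target is None for the node level, else the server name for -e.
    Node-level authority does not carry over to servers, so every server-scoped
    requirement is expanded once per server in `servers`.
    """
    grants = defaultdict(set)
    for task in tasks:
        for scope, queue_perms, file_perms in TASKS[task]:
            needed = queue_perms if kind == "queue" else file_perms
            if scope == "node":
                targets = [NODE_QUEUE if kind == "queue" else None]
            else:
                targets = [f"{NODE_QUEUE}.{s}" if kind == "queue" else s for s in servers]
            for target in targets:
                grants[target] |= needed
    return dict(grants)


def setmqaut_commands(qmgr, group, grants):
    """One setmqaut invocation per SYSTEM.BROKER.AUTH* queue (queue-based security)."""
    return [f"setmqaut -m {qmgr} -t queue -n {queue} -g {group} {' '.join(sorted(perms))}"
            for queue, perms in sorted(grants.items())]


def mqsichangefileauth_commands(node, role, grants):
    """One mqsichangefileauth invocation per level; '<perm>+' adds that permission."""
    cmds = []
    for server, perms in sorted(grants.items(), key=lambda kv: kv[0] or ""):
        scope = f" --integration-server {server}" if server else ""
        plist = ",".join(p + "+" for p in sorted(perms))
        cmds.append(f"mqsichangefileauth --integration-node {node}{scope} "
                    f"--permissions {plist} --role {role}")
    return cmds


def missing_grants(tasks, servers, kind, granted):
    """Targets whose current grants (`granted`, same shape as plan_grants output)
    fall short of what `tasks` need. Flags the common mistake of granting only
    SYSTEM.BROKER.AUTH rights and expecting the servers to inherit them."""
    needed = plan_grants(tasks, servers, kind)
    gaps = {}
    for target, perms in needed.items():
        short = perms - granted.get(target, set())
        if short:
            gaps[target] = short
    return gaps


if __name__ == "__main__":
    tasks = ["Deploy", "Start or stop message flows"]
    servers = ["server01", "server02"]                     # constructed names
    for cmd in setmqaut_commands("QM1", "acedeploy", plan_grants(tasks, servers, "queue")):
        print(cmd)
    for cmd in mqsichangefileauth_commands("TESTNODE", "acedeploy",
                                           plan_grants(tasks, servers, "file")):
        print(cmd)
    # Only node-level authority granted: every server queue comes back as a gap.
    print(missing_grants(tasks, servers, "queue", {NODE_QUEUE: {"+inq", "+put", "+set"}}))
```

Run as-is it prints the grants for a deployer role on two servers. `missing_grants` is the check worth running before a change is signed off: a grant set that contains only SYSTEM.BROKER.AUTH rights returns every SYSTEM.BROKER.AUTH.integrationServerName queue the role touches as a gap, which is exactly the non-inheritance rule stated in the notes above.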
| Components | Tasks | LDAP permissions (set in .yaml configuration file) |
|---|---|---|
| Integration nodes | Set integration node properties | 'write+' |
| | View integration node properties | 'read+' |
| Integration servers | Create or delete integration servers | 'write+' |
| | Rename integration servers | 'write+' |
| | List integration servers | 'read+' |
| | Start or stop integration servers | 'execute+' |
| | Set integration server properties | 'write+' |
| | View integration server properties | 'read+' |