IBM Streams 4.2

Security objects and access permissions for IBM Streams domains and instances

IBM® Streams security objects and permissions enable you to control access to domain and instance resources and data. You can update security objects and access permissions by using the Streams Console or streamtool commands.

Security objects are hierarchical: some objects contain other objects. For example, a jobs object can include multiple jobgroup objects, which in turn include a job_id object for each job that is running in the system.

Each object is assigned an access permission and a default permission:
  • The access permission identifies which users, groups, or roles have permission to perform operations against this type of object.
  • The default permission identifies the set of permissions that are granted to new child objects created under this object. Default permissions are only important for the jobs security object when you create new job groups.

You can set the access and default permissions by using the Streams Console or the following streamtool commands:
  • streamtool setdomainacl for domains
  • streamtool setacl for instances

The permissions for a submitted job are contained in its job group and are changed by using the streamtool grantjobpermission and streamtool revokejobpermission commands. The name of the default job group for an instance is default.

IBM Streams determines the permissions for a user from the following types of permissions:
  • Specific user permissions
  • Role permissions
  • Group permissions

Therefore, removing permissions for a user might require that you remove role or group permissions in addition to the specific user permissions. You might also need to remove the user and their groups from one or more roles. For more information, see the example that shows how to remove security permissions for an IBM Streams user.
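
The following added example is not IBM Streams code. It is a simplified model, written for this page, of why removing only the specific user permission can leave access in place through a role or group. The user, group, role and permission names and the ACL layout are constructed assumptions.

```python
# Simplified model (an assumption, not IBM Streams code) of the three
# permission sources the page lists. All names and values are constructed.

def grant_paths(acl, user_groups, role_members, user, permission):
    """List every ACL entry on one object through which `user` holds `permission`.

    acl: list of (kind, name, permissions), kind is "user", "group" or "role".
    user_groups: user -> set of group names.
    role_members: role -> set of ("user" | "group", name) members.
    """
    groups = user_groups.get(user, set())
    paths = []
    for kind, name, perms in acl:
        if permission not in perms:
            continue
        if kind == "user" and name == user:
            paths.append(f"user:{user}")
        elif kind == "group" and name in groups:
            paths.append(f"group:{name}")
        elif kind == "role":
            members = role_members.get(name, set())
            if ("user", user) in members:
                paths.append(f"role:{name} (direct member)")
            for g in sorted(groups):
                if ("group", g) in members:
                    paths.append(f"role:{name} (via group {g})")
    return paths


def revoke_user_entry(acl, user):
    """Remove only the specific user entry; role and group entries stay."""
    return [e for e in acl if not (e[0] == "user" and e[1] == user)]


# Constructed sample: ACL of a hypothetical job group, and who belongs where.
USER_GROUPS = {"alice": {"analysts"}}
ROLE_MEMBERS = {"JobOperators": {("group", "analysts")}}
JOBGROUP_ACL = [
    ("user", "alice", {"read", "write"}),
    ("group", "analysts", {"read"}),
    ("role", "JobOperators", {"read", "write"}),
]

if __name__ == "__main__":
    before = grant_paths(JOBGROUP_ACL, USER_GROUPS, ROLE_MEMBERS, "alice", "write")
    after = grant_paths(revoke_user_entry(JOBGROUP_ACL, "alice"),
                        USER_GROUPS, ROLE_MEMBERS, "alice", "write")
    print("before:", before)
    print("after: ", after)
```

An empty result from `grant_paths` is the condition to check for after a revocation; any remaining path names the role or group entry that still has to be changed.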