Enabling security for record and replay

You can restrict the users who can view and replay data for an integration node by enabling administration security and setting permissions for specified roles.

Before you begin

Read the following topics:

About this task

If you do not enable administration security, any user can complete any action against the integration node and its resources. You can enable administration security and specify the authorization mode for the integration node by using the mqsichangeauthmode command.

Procedure

To enable security for record and replay, complete the following steps:

  1. Stop the integration node by using the web user interface or by running the mqsistop command.
  2. Enable administration security for the integration node and specify an authorization mode by using the mqsichangeauthmode command.
    For example, to enable administration security with the file-based authorization mode for the IB10NODE integration node, enter the following command:
    mqsichangeauthmode IB10NODE -s active -m file
    where -s active enables administration security for the integration node, and -m file specifies the file-based authorization mode.

    For more information, see Enabling administration security.

  3. Define the roles and their associated permissions:
    • If the integration node is configured to use file-based authorization (file mode), you define the roles and their associated permissions on the integration node by using the mqsichangefileauth command. For information about setting permissions for file-based authorization, see Setting file-based or LDAP-based permissions.
    • If the integration node is configured to use queue-based authorization (mq mode), you must create a system user ID on the operating system that is running your integration node. You must then assign permissions to the system user ID, which is then used as a role. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.
    One or more web user IDs can be assigned to each role, and the permissions that were granted to the role are automatically granted to all web user IDs that are assigned to it. For more information, see Role-based security and Managing web user accounts.
  4. To allow users with an assigned role to run record and replay queries on the integration server, set the required permissions for the role, using either file-based or queue-based permissions, depending on the authorization mode that is set for the integration node:
    • If you are using file-based authorization, set read+ permission for the role for actions on the integration node and integration server. For more information about file-based authorization, see Setting file-based or LDAP-based permissions.
    • If you are using queue-based authorization, set +inq permission for the role for actions on the queues SYSTEM.BROKER.AUTH and SYSTEM.BROKER.AUTH.EG. For more information about queue-based authorization, see Setting queue-based permissions.
  5. You must also set the required permissions for data capture to control the record and replay actions that users with a specified role (such as ibmuser) can complete on the integration node. Ensure that the role has the appropriate authorization to complete the required actions, as described in Controlling access to data and resources in the web user interface.
    To change permissions for an integration node that is using file-based authorization, see Setting file-based or LDAP-based permissions. To change permissions for an integration node that is using queue-based permissions, see Setting queue-based permissions.
  6. Create a web user account by using the mqsiwebuseradmin command, and specify a role for the account. This account is the one that you will use to log on to the web user interface for viewing and replaying data.
    For more information, see Managing web user accounts.
  7. Start the integration node by using the web user interface or the mqsistart command.
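The seven steps above gathered into one repeatable script, as an added example; it is not part of the IBM documentation and not an IBM-supplied tool. It uses the command names and values shown on this page (IB10NODE, ibmuser, read+, +inq, SYSTEM.BROKER.AUTH and SYSTEM.BROKER.AUTH.EG). The option letters of mqsichangefileauth and mqsiwebuseradmin, the queue manager name IB10QMGR, the integration server name default and the DataCapture object name are assumptions to verify against your installation's command reference before use. Step 3 for mq mode (creating the operating-system user ID that acts as the role) is platform-specific and is left to the administrator.

```shell
#!/bin/sh
# Added example (not from the IBM documentation page): the record and replay
# security procedure as one script. Command names and the values IB10NODE,
# ibmuser, read+, +inq, SYSTEM.BROKER.AUTH and SYSTEM.BROKER.AUTH.EG come from
# the page; the option letters of mqsichangefileauth and mqsiwebuseradmin, the
# queue manager name, the server name and the DataCapture object name are
# assumptions. DRY_RUN=1 prints each command instead of executing it so the
# plan can be reviewed before anything changes on the node.

NODE="${NODE:-IB10NODE}"            # integration node name (from the page)
SERVER="${SERVER:-default}"         # integration server name (assumed)
ROLE="${ROLE:-ibmuser}"             # role name (from the page)
AUTH_MODE="${AUTH_MODE:-file}"      # file or mq, as for mqsichangeauthmode -m
QMGR="${QMGR:-IB10QMGR}"            # queue manager for mq mode (assumed name)
WEBUSER="${WEBUSER:-replayuser}"    # web user ID to create (constructed)
WEBPASS="${WEBPASS:-changeme}"      # placeholder; supply a real secret via env

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: stop the node so the authorization mode can be changed.
step_stop_node() { run mqsistop "$NODE"; }

# Step 2: enable administration security in the chosen authorization mode.
step_enable_admin_security() { run mqsichangeauthmode "$NODE" -s active -m "$AUTH_MODE"; }

# Steps 4 and 5: grant the role the permissions needed to run record and
# replay queries (node and server) and to work with captured data.
step_grant_permissions() {
    case "$AUTH_MODE" in
        file)
            run mqsichangefileauth "$NODE" -r "$ROLE" -p read+
            run mqsichangefileauth "$NODE" -e "$SERVER" -r "$ROLE" -p read+
            # Data-capture permissions; the object name DataCapture is assumed.
            run mqsichangefileauth "$NODE" -e "$SERVER" -o DataCapture -r "$ROLE" -p read+,write+
            ;;
        mq)
            # In mq mode the role is an OS user ID (step 3) that must already
            # exist; +inq on both authorization queues allows the queries.
            run setmqaut -m "$QMGR" -n SYSTEM.BROKER.AUTH -t queue -p "$ROLE" +inq
            run setmqaut -m "$QMGR" -n SYSTEM.BROKER.AUTH.EG -t queue -p "$ROLE" +inq
            ;;
        *)
            echo "unknown AUTH_MODE: $AUTH_MODE (expected file or mq)" >&2
            return 1
            ;;
    esac
}

# Step 6: create the web user that logs on to view and replay data, bound to
# the role so that it inherits the role's permissions.
step_create_web_user() { run mqsiwebuseradmin "$NODE" -c -u "$WEBUSER" -a "$WEBPASS" -r "$ROLE"; }

# Step 7: start the node again.
step_start_node() { run mqsistart "$NODE"; }

# Whole procedure; stops at the first failing step.
enable_rr_security() {
    step_stop_node &&
    step_enable_admin_security &&
    step_grant_permissions &&
    step_create_web_user &&
    step_start_node
}

# Only act when invoked with an explicit mode; otherwise just define functions.
case "${1:-}" in
    apply) enable_rr_security ;;
    plan)  DRY_RUN=1 enable_rr_security ;;
esac
```

Run the script with plan first to print the commands it would issue, review them, then run it with apply on a host where the mqsi commands (and, for mq mode, setmqaut) are on the PATH and the user is authorized to run them. Supply WEBPASS from the environment rather than editing the placeholder into the file.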

What to do next

To view data that has been recorded, see Viewing recorded data. To replay data that has been recorded, see Replaying data.