Managing web user accounts

You can control a web user's access to integration node resources by associating the web user ID with a role, which has security permissions assigned to it.

About this task

IBM Integration Bus administrators can use the mqsiwebuseradmin command to create a new web user, to set or change a web user's password, to remove a web user, or to assign a web user to a role.

If administration security is enabled, web users can access the web user interface only after they have logged on with their web user account. As an administrator, you can create multiple roles, each with a different set of permissions. You then assign one or more web users to a role, and their access to data and integration node resources is controlled by the permissions that have been set for that role. For more information, see Role-based security.

If administration security is not enabled, web users can interact with the web user interface without logging on; they interact with the web user interface as the 'default' user and can access all data and integration node resources. In this state, anyone who can reach the web user interface over the network has the same unrestricted access, so enable administration security on any integration node whose web user interface is reachable from outside a trusted administrative network.

If the integration node is configured to use file-based authorization (file mode) or LDAP authorization (ldap mode), you assign permissions to a role by using the mqsichangefileauth command. When LDAP authorization is enabled, a user can be mapped to a single role or to multiple roles. Permissions are set at three levels: the integration node, the integration server, and the data capture object. For information about setting permissions for file-based authorization, see Setting file-based or LDAP-based permissions. For information about LDAP authorization, see Configuring authorization by using LDAP groups.

If the integration node is configured to use queue-based authorization (mq mode), you must create a system user ID on the operating system that is running your integration node. This system user is then used as a role, and you assign permissions to it by setting them on the following authorization queues:
  • SYSTEM.BROKER.AUTH
  • SYSTEM.BROKER.AUTH.integrationServerName
  • SYSTEM.BROKER.DC.AUTH
For information about setting permissions for queue-based authorization, see Setting queue-based permissions.

For more information about how to set the permissions that are required for using the web user interface, see Controlling access to data and resources in the web user interface.

When you have defined your roles and set the required permissions, you can assign web users to the appropriate role, and they acquire permissions through their assigned role.

Procedure

Complete these steps to grant access to web users based on their assigned role:

  1. Stop the integration node by using the web user interface or by running the mqsistop command.
  2. Enable administration security for the integration node by using the mqsichangeauthmode command, specifying your chosen authorization mode.
    For example, to enable administration security with the file-based authorization mode for the IB10NODE integration node, enter the following command:
    mqsichangeauthmode IB10NODE -s active -m file
    where -s active enables administration security for the integration node, and -m file specifies the file-based authorization mode.

    For more information, see Enabling administration security.

  3. Define the roles and their associated permissions. Give each role only the permissions that its tasks require. For example, you might decide that your web users fall into two main groups, web administrators and web users, and define a role for each group (for example, iibAdmins and iibUsers): the administrator role is granted permissions to modify resources, and the user role is granted only the permissions needed to view them:
    • If the integration node is configured to use file-based authorization (file mode) or LDAP authorization (ldap mode), you define the roles and associated permissions on the integration node by using the mqsichangefileauth command. For information about setting permissions for file-based authorization, see Setting file-based or LDAP-based permissions. For information about LDAP authorization, see Configuring authorization by using LDAP groups.
    • If the integration node is configured to use queue-based authorization (mq mode), you must create a system user ID on the operating system for each role that you have identified. You must then assign permissions to the system user ID, which is then used as a role. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.
    For more information about setting the appropriate permissions, see Authorizing users for administration and Controlling access to data and resources in the web user interface.
  4. Use the mqsiwebuseradmin command to create your web user accounts and assign them to the appropriate roles.
    For more information, see mqsiwebuseradmin command. For more information about roles, see Role-based security. For information about authenticating web user accounts by using LDAP, see Enabling an integration node to use LDAP for authentication.
  5. Start the integration node by using the web user interface or the mqsistart command.
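The following script carries out steps 1 to 5 above for an integration node that uses file-based authorization. It is an added example written for this page, not a script shipped with IBM Integration Bus. The node name IB10NODE, the integration server name default, the role names iibAdmins and iibUsers, and the user names alice and bob are illustrative. The mqsistop, mqsichangeauthmode, mqsiwebuseradmin and mqsistart invocations follow the forms given on this page; the option syntax assumed for mqsichangefileauth (-r role, -e integration server, -p permissions such as all+ or read+) and the mqsireportfileauth listing command are not shown on this page and should be checked against the command reference before use. Setting DRY_RUN=1 prints each command instead of running it, so the change can be reviewed before a maintenance window.

```shell
#!/bin/sh
# Added example for the procedure on this page (not IBM's own script).
# Assumed names: node IB10NODE, integration server "default", roles
# iibAdmins/iibUsers, users alice/bob. Set DRY_RUN=1 to print commands only.

NODE="${NODE:-IB10NODE}"
SERVER="${SERVER:-default}"

# Execute the command line, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: the node must be stopped before the authorization mode is changed.
stop_node() { run mqsistop "$NODE"; }

# Step 2: enable administration security with file-based authorization.
enable_admin_security() { run mqsichangeauthmode "$NODE" -s active -m file; }

# Step 3: define roles at node and integration-server level.
# Least privilege: administrators get all permissions, ordinary web users
# get read permission only. Option syntax for mqsichangefileauth is assumed
# here (-r role, -e integration server, -p permissions); verify it against
# the command reference.
define_roles() {
    run mqsichangefileauth "$NODE" -r iibAdmins -p all+
    run mqsichangefileauth "$NODE" -r iibAdmins -e "$SERVER" -p all+
    run mqsichangefileauth "$NODE" -r iibUsers -p read+
    run mqsichangefileauth "$NODE" -r iibUsers -e "$SERVER" -p read+
}

# Step 4: create a web user and bind it to a role
# (-c create, -u user name, -a password, -r role).
create_web_user() {
    run mqsiwebuseradmin "$NODE" -c -u "$1" -a "$3" -r "$2"
}

# Step 5: start the node so the new settings take effect.
start_node() { run mqsistart "$NODE"; }

# Post-change check: list the roles and the web users as the node sees them.
# mqsireportfileauth -l is assumed to list all roles and their permissions.
report() {
    run mqsireportfileauth "$NODE" -l
    run mqsiwebuseradmin "$NODE" -l
}

main() {
    stop_node
    enable_admin_security
    define_roles
    create_web_user alice iibAdmins "${ADMIN_PASSWORD:?set ADMIN_PASSWORD}"
    create_web_user bob iibUsers "${USER_PASSWORD:?set USER_PASSWORD}"
    start_node
    report
}

# Run only when explicitly asked, so the file can also be sourced for review.
if [ -n "${APPLY:-}" ]; then
    main
fi
```

Run it as `APPLY=1 DRY_RUN=1 sh manage-webusers.sh` to see the exact commands first, then without DRY_RUN to apply them. The passwords are taken from environment variables rather than typed on the command line, because a password passed directly to mqsiwebuseradmin -a lands in the shell history and is visible in process listings for as long as the command runs; treat ADMIN_PASSWORD and USER_PASSWORD as secrets, unset them afterwards, and keep the iibUsers role read-only unless a task genuinely needs write access.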