Controlling access to data and resources in the web user interface

Integration administrators can control web users' access to data and integration node resources by assigning permissions to users based on their role.

About this task

Integration administrators can restrict web users' access to data and integration node resources only if administration security is enabled. If administration security is not enabled, web users can interact with the web user interface without logging on: every request is treated as coming from the 'default' user, which has access to all data and integration node resources, so anyone who can reach the web user interface has that access.

To perform any administrative task from the web user interface when administration security is enabled, you must have permission to view properties on the integration node. For a full list of administrative tasks and the permissions required, see Tasks and authorizations for administration security.

With administration security enabled, REST users can view only the URIs for which they are authorized. If administration security is disabled, all REST requests are unrestricted.

Note: When queue-based security is enabled, the user's permissions are established by checking their authority on all SYSTEM.BROKER.AUTH queues. As a result of this check, AMQ8077 (insufficient authority) messages might be seen in the queue manager error log; they are a consequence of the check itself, not of a misconfiguration.

As an integration administrator, you can set permissions to restrict users' access based on the tasks that they are required to perform. Some example tasks and their associated permissions are shown in the following table:

For each example, the first bullet gives the WebSphere® MQ queue-based permissions (set with the setmqaut command) and the second gives the file-based permissions (set with the mqsichangefileauth command).

Allow data technicians to view only their own profiles and the Data viewer in the web user interface
  • Queue-based: +inq permission on the SYSTEM.BROKER.DC.AUTH queue; no permissions on the SYSTEM.BROKER.AUTH queue
  • File-based: read+ permission on the DataCapture object
Allow web users to view and download recorded messages
  • Queue-based: +inq permission on the SYSTEM.BROKER.DC.AUTH queue; no permissions on the SYSTEM.BROKER.AUTH queue
  • File-based: read+ permission on the DataCapture object
Allow web users to view, download, and replay recorded messages
  • Queue-based: +inq +set permission on the SYSTEM.BROKER.DC.AUTH queue; no permissions on the SYSTEM.BROKER.AUTH queue
  • File-based: read+,execute+ permission on the DataCapture object
Allow REST users to request information about messages recorded under a DataCaptureStore
  • Queue-based: +inq permission on the SYSTEM.BROKER.DC.AUTH queue; no permissions on the SYSTEM.BROKER.AUTH queue
  • File-based: read+ permission on the DataCapture object
Allow REST users to view and replay messages
  • Queue-based: +inq +set permission on the SYSTEM.BROKER.DC.AUTH queue; no permissions on the SYSTEM.BROKER.AUTH queue
  • File-based: read+,execute+ permission on the DataCapture object

Integration administrators can also allow web users to start and stop integration servers, applications, and message flows from the web user interface, by granting permissions to the roles with which the web users are associated.

For more information about role-based access, see Role-based security and Managing web user accounts.

Procedure

  1. Enable administration security and configure the integration node to use file-based, queue-based, or LDAP authorization.
    For more information, see Enabling administration security.
  2. Define the roles and their associated permissions. Identify the categories of web user and the tasks that each must perform, then assign permissions to each role accordingly. For example, you might decide that your web users fall into two main roles, web users and web administrators; define a role for each group (for example, iibUsers and iibAdmins) with permissions that allow its members to perform only their required tasks, such as viewing or modifying resources:
    • If the integration node is configured to use file-based authorization (file mode), you define the roles and associated permissions on the integration node, by using the mqsichangefileauth command. For information about setting permissions for file-based authorization, see Setting file-based or LDAP-based permissions.
    • If the integration node is configured to use queue-based authorization (mq mode), you must create a system user ID on the operating system for each role that you have identified. You must then assign permissions to the system user ID, which is then used as a role. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.
    • If the integration node is configured to use LDAP authorization (ldap mode), you define the roles and associated permissions on the integration node, by using the mqsichangefileauth command. For information about setting permissions for LDAP authorization, see Configuring authorization by using LDAP groups.
    For more information about setting the appropriate permissions, see Authorizing users for administration.
  3. Use the mqsiwebuseradmin command to create your web user accounts and assign them to the appropriate roles.
    For more information, see mqsiwebuseradmin command. For more information about roles, see Role-based security.
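The following script is an added example, not part of the IBM page, that walks the three-step procedure above for file-mode authorization and then grants the DataCapture permissions from the table (view, download, and replay recorded messages). The command names and flags (mqsichangeauthmode, mqsichangefileauth, mqsiwebuseradmin, mqsireportfileauth) are the documented IIB commands; the node name IBNODE, the role and user names, the DRY_RUN switch, and the two checking helpers are this example's own assumptions. With DRY_RUN=1 (the default) it only prints the commands it would run, so it can be reviewed before being run with DRY_RUN=0 on a host where the IIB command environment is sourced.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumed: node IBNODE, roles iibUsers/iibAdmins,
# user names, DRY_RUN, and the checking helpers below are all hypothetical.

NODE="${NODE:-IBNODE}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only the tokens mqsichangefileauth understands: read, write, execute,
# each followed by + (grant) or - (revoke), separated by commas with no blanks.
validate_perms() {
    case "$1" in
        ''|*,,*|*,|,*) return 1 ;;
    esac
    _rest="$1,"
    while [ -n "$_rest" ]; do
        _tok="${_rest%%,*}"
        _rest="${_rest#*,}"
        case "$_tok" in
            read+|read-|write+|write-|execute+|execute-) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Least-privilege guard: a viewer role must never be granted write+ or execute+
# on the integration node itself (that is what turns a viewer into an operator).
viewer_perms_ok() {
    case "$1" in
        *write+*|*execute+*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 1: enable administration security and select file-based authorization.
enable_file_auth() {
    run mqsichangeauthmode "$NODE" -s active -m file
}

# Step 2: define a role's permissions on the node, or on a named object such as
# DataCapture when a third argument is given (as in the table above).
grant_role() {
    _role="$1"; _perms="$2"; _object="$3"
    validate_perms "$_perms" || { echo "bad permission string: $_perms" >&2; return 1; }
    if [ -n "$_object" ]; then
        run mqsichangefileauth "$NODE" -r "$_role" -o "$_object" -p "$_perms"
    else
        run mqsichangefileauth "$NODE" -r "$_role" -p "$_perms"
    fi
}

# Step 3: create a web user account and place it in a role.
create_web_user() {
    run mqsiwebuseradmin "$NODE" -c -u "$1" -a "$2" -r "$3"
}

# Worked run of the whole procedure; printed only while DRY_RUN=1.
main() {
    enable_file_auth
    viewer_perms_ok "read+" || { echo "viewer role over-privileged" >&2; return 1; }
    grant_role iibUsers  read+                       # view node and its resources
    grant_role iibAdmins read+,write+,execute+       # full administration
    grant_role iibUsers  read+,execute+ DataCapture  # view, download, replay recorded messages
    if [ -n "$DATATECH_PASSWORD" ]; then
        create_web_user dataTech1 "$DATATECH_PASSWORD" iibUsers
    else
        echo "skip: DATATECH_PASSWORD not set, no web user created" >&2
    fi
    run mqsireportfileauth "$NODE" -l                # verify what was granted
    run mqsiwebuseradmin "$NODE" -l                  # list the web user accounts
}
main
```

Two practical points follow from the commands themselves. mqsiwebuseradmin takes the password as a command-line argument, so it is visible in the process list while the command runs and can land in shell history; run it from a session with history disabled and pass the value in from an environment variable rather than typing it inline, as the script does. And because the script only validates the permission string syntactically, the final mqsireportfileauth listing is the check that matters: compare it against the table for each role before handing out the web user credentials.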