Role-based security

You can control access to integration node resources through the web user interface and REST application programming interface (API), by associating web users with roles.

A role is defined by a set of security permissions that control users' access to an integration node and its resources.

As an integration administrator, you can control the access that web users have to integration node resources, by assigning each user to a predefined role. You can authorize users with a particular role to complete specific actions, by enabling or disabling aspects of the web or REST interface, or by configuring the web user interface to display only the options for which users are authorized. For example, you might allow users with one role to view integration node resources, while allowing users with another role to modify them.

Using file-based authorization or queue-based authorization, you can grant the same permissions to multiple users by assigning them to the same role, but each user can be assigned to only one role. Using LDAP authorization, you can grant the same permissions to multiple users, and each user can be assigned to multiple roles.

For commands that are run locally, and for a locally connected Toolkit, the system user ID that is running the command or the Toolkit is passed to the integration node, where it is used as the role name.

If an integration node is configured to use file-based authorization (file mode) or LDAP authorization (ldap mode), you grant permissions to a role by using the -r role parameter of the mqsichangefileauth command. If no permissions are granted to a role, a check is conducted to see whether the role name matches a system user ID name. If the command is a local mqsi command and run by a system user ID that is a member of the mqbrkrs group, permission is granted for all actions on all objects. For more information about file-based authorization, see Setting file-based or LDAP-based permissions. For more information about LDAP authorization, see Configuring authorization by using LDAP groups.

If the integration node is configured to use queue-based authorization (mq mode), you must create a system user ID on the operating system on which your integration node is running. You then assign permissions to the system user ID, and this set of permissions represents a role with a name that corresponds to the name of the system user ID. For example, the set of permissions that you define for a system user called ibmuser forms a role called ibmuser. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.

You can create web user accounts and assign them to the appropriate roles by using the mqsiwebuseradmin command. For more information, see Managing web user accounts and Controlling access to data and resources in the web user interface.
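The file-mode role definition with mqsichangefileauth described earlier, combined with the web user creation from the previous paragraph, as an added example script that is not part of this documentation page. It assumes an integration node named MYNODE, role names viewer and operator, user names alice and bob, and the -p permissions parameter of mqsichangefileauth and the -c/-u/-a parameters of mqsiwebuseradmin as recalled from the product command reference; confirm them against the command reference for your installed version. The script follows the view-versus-modify split mentioned above: a viewer role that can only read, and an operator role that can also write and execute.

```shell
#!/bin/sh
# Added example, not taken from the product documentation: define two roles on a
# file-mode (or ldap-mode) integration node and bind web users to them.
# ASSUMPTIONS: node name MYNODE, role/user names, and the parameters
#   mqsichangefileauth <node> -r <role> -p <permissions>
#   mqsiwebuseradmin   <node> -c -u <user> -a <password> -r <role>
# are as recalled from the product command reference; verify for your version.

NODE="${NODE:-MYNODE}"      # constructed node name; replace with your own
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints the commands instead of running them

# run_cmd: execute the command given as arguments, or print it when DRY_RUN=1
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# grant_role ROLE PERMS: grant PERMS to ROLE on $NODE (file or ldap mode).
# PERMS uses the product's read+/write+/execute+ syntax, e.g. "read+" for a
# view-only role and "read+:write+:execute+" for full control of the node.
grant_role() {
    role="$1"; perms="$2"
    run_cmd mqsichangefileauth "$NODE" -r "$role" -p "$perms"
}

# create_web_user USER PASS ROLE: create a web user bound to ROLE.
# In file mode and mq mode a web user belongs to exactly one role.
# The password is visible on the command line (process listings, shell
# history), so take it from an environment variable rather than a literal.
create_web_user() {
    user="$1"; pass="$2"; role="$3"
    run_cmd mqsiwebuseradmin "$NODE" -c -u "$user" -a "$pass" -r "$role"
}

# setup_roles: least-privilege layout. Viewers may only read integration node
# resources; operators may also modify them. Web users get one role each.
setup_roles() {
    grant_role viewer   "read+"
    grant_role operator "read+:write+:execute+"
    create_web_user alice "${VIEWER_PASS:?set VIEWER_PASS}"   viewer
    create_web_user bob   "${OPERATOR_PASS:?set OPERATOR_PASS}" operator
}

# Usage:  DRY_RUN=1 VIEWER_PASS=x OPERATOR_PASS=y sh roles.sh   (preview)
#         VIEWER_PASS=x OPERATOR_PASS=y sh roles.sh             (apply)
# Only runs when previewing or when the product commands are installed.
if [ "$DRY_RUN" = "1" ] || command -v mqsichangefileauth >/dev/null 2>&1; then
    setup_roles
fi
```

Run it first with DRY_RUN=1 to review the exact commands, then without it on the machine that hosts the integration node. Because a user in file mode can hold only one role, giving bob both roles would require LDAP authorization, where a user may belong to several roles.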