IBM Integration Bus permissions and equivalent WebSphere MQ permissions

If you have enabled integration node administration security, you can give different permissions to user IDs to allow them to complete various actions against an integration node or its resources.

When a user requests an action against an integration node or an integration server, the integration node accesses the stored authorization information to check whether the user ID has the required permissions for that action against the target resource.

If queue-based administration security is enabled on the integration node, permissions are specified on authorization queues. Permission to perform an integration node administration task is mapped to a WebSphere® MQ authority associated with the relevant authorization queue, and is created and maintained by the integration administrator.

If file-based security or LDAP security is enabled on the integration node, permissions are specified using the mqsichangefileauth command, and can be created and maintained by user IDs that are members of the mqbrkrs group.

The mapping from integration node permission to WebSphere MQ permission is shown in the following table.

Integration node permission | WebSphere MQ permission | MQ queue-based permission (using setmqaut) | File-based permission or LDAP permission (using mqsichangefileauth)
Read | Inquire | +INQ | read+
Write | Put | +PUT | write+
Execute | Set | +SET | set+

For information about the authorizations that are required for specific tasks, see Tasks and authorizations for administration security.

WebSphere MQ specific and generic profiles

WebSphere MQ supports both specific and generic profiles to manage WebSphere MQ permissions. When you enable queue-based administration security, you can create specific profiles to define WebSphere MQ permissions on SYSTEM.BROKER.AUTH and on one or more SYSTEM.BROKER.AUTH.EG queues (where EG is the name of a specific integration server).

You might want to grant a user, or group of users, authority to a number of integration servers, or perhaps all integration servers. You can use a WebSphere MQ generic profile to grant authority in this way. A generic profile defines authority to the existing integration servers that match the profile, and to any additional integration servers that match it. A generic profile is one that uses special characters (wildcard characters) in the profile name, such as asterisks (*).

For example, if you want to create a generic profile to authorize access to all integration servers defined on the integration node, you can specify SYSTEM.BROKER.AUTH.**. If you want a profile for a set of integration servers with names that all start with the same character string, you can specify SYSTEM.BROKER.AUTH.TEST**.
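
The following sketch is an added example, not IBM-supplied code. It lists which integration server authorization queues a generic profile would cover before you grant authority, and builds the matching setmqaut command from the permission table above. The wildcard handling is a simplification (** spans qualifiers, * and ? stay within one qualifier) and does not model profile priorities; the integration server names, the queue manager name IB10QM and the group testers are constructed.

```python
import re
import shlex

# From the table on this page: integration node permission -> setmqaut authority.
MQ_AUTHORITY = {"read": "+INQ", "write": "+PUT", "execute": "+SET"}
AUTH_PREFIX = "SYSTEM.BROKER.AUTH."


def profile_to_regex(profile):
    """Translate a generic profile to a regex (simplified wildcard rules, an assumption)."""
    out, i = [], 0
    while i < len(profile):
        if profile.startswith("**", i):   # spans qualifiers, dots included
            out.append(".*")
            i += 2
        elif profile[i] == "*":           # stays inside one qualifier
            out.append("[^.]*")
            i += 1
        elif profile[i] == "?":           # exactly one character
            out.append("[^.]")
            i += 1
        else:
            out.append(re.escape(profile[i]))
            i += 1
    return re.compile("".join(out))


def servers_covered(profile, server_names):
    """Return the integration servers whose authorization queue matches the profile."""
    rx = profile_to_regex(profile)
    return [s for s in server_names if rx.fullmatch(AUTH_PREFIX + s)]


def setmqaut_command(qmgr, profile, group, permissions):
    """Build the setmqaut call; the profile is quoted so the shell cannot expand '*'."""
    auths = " ".join(MQ_AUTHORITY[p] for p in permissions)
    return (f"setmqaut -m {shlex.quote(qmgr)} -n {shlex.quote(profile)} "
            f"-t queue -g {shlex.quote(group)} {auths}")


if __name__ == "__main__":
    # Constructed integration server names, queue manager and group.
    servers = ["default", "TEST1", "TEST_UAT", "PROD", "TESTIMONIALS_PROD"]
    for profile in ("SYSTEM.BROKER.AUTH.**", "SYSTEM.BROKER.AUTH.TEST**"):
        print(profile, "->", servers_covered(profile, servers))
    print(setmqaut_command("IB10QM", "SYSTEM.BROKER.AUTH.TEST**", "testers",
                           ["read", "execute"]))
```

In the constructed list, TESTIMONIALS_PROD is covered by the TEST** profile, which is the kind of unintended match to look for before granting authority through a generic profile.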

For more information about WebSphere MQ generic profile wildcard characters, see Wildcards used in generic profiles, and for information about WebSphere MQ generic profile priorities, see Profile priorities in the WebSphere MQ Version 7.5 product documentation online.