Tasks and authorizations for administration security
If you enable integration node administration security, users require specific permissions so that they can complete administration tasks.
The following table lists the actions that a user can perform and the permissions that you must set to allow them to complete those tasks when administration security is enabled. The permissions are required regardless of how the user requests the action: from a custom integration application, the web user interface, or the IBM® Integration Toolkit.
Note: If you are using the web user interface for administration, you must have permission to view integration node properties in addition to the permissions required for administering the integration node resources that are listed in the following table. If queue-based security is enabled, a check is made on all SYSTEM.BROKER.AUTH queues to establish the permissions that the user has. As a side effect of this check, AMQ8077 (insufficient authority) messages might appear in the queue manager error log.
In addition to the permissions that are required for the tasks shown in the following table, permissions are also required for connecting to the integration node. For more information, see Authorizing users for administration.
For MQ queue-based security, the first two permission columns give the queue and the authority to grant with the setmqaut command. For file-based or LDAP security, the last two columns give the object flag and the permission to set with the mqsichangefileauth command. Where a task lists two queue rows, both permissions are required. Superscript numbers refer to the notes that follow the table.

| Task category | Task | MQ queue (queue-based security) | MQ permission (setmqaut) | Object flag (mqsichangefileauth) | Permission (mqsichangefileauth) |
|---|---|---|---|---|---|
| Integration node | Set integration node properties | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | View integration node properties | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| Configurable services | Create or delete configurable services | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | Set configurable service properties | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | View configurable service properties | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| Integration servers | Create or delete integration servers | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | Rename integration servers | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | List integration servers | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | Start or stop integration servers | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH or SYSTEM.BROKER.AUTH.EG | +SET | -e integration_server | execute+ |
| | Set integration server properties | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| | View integration server properties | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +INQ | -e integration_server | read+ |
| Resource statistics | Start or stop resource statistics collection | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG (note 1) | +PUT | -e integration_server | write+ |
| | Report resource statistics | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG (note 2) | +INQ | -e integration_server | read+ |
| Message flows | Deploy | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| | List message flows and other deployed objects | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +INQ | -e integration_server | read+ |
| | Start or stop message flows | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +SET | -e integration_server | execute+ |
| | Delete resources from an integration server | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| Web user interface | Log on to the web user interface | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | Create, delete, or modify web users | SYSTEM.BROKER.AUTH | +PUT | | write+ |
| | Change a web user's password in the web user interface (supplying the old password) | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| Record and replay | View recorded data with record and replay (apart from bit stream and exception-list data) | SYSTEM.BROKER.AUTH, SYSTEM.BROKER.AUTH.EG (note 4), and SYSTEM.BROKER.DC.AUTH | +INQ | -e integration_server -o DataCapture | read+ |
| | View recorded data with record and replay (bit stream or exception-list data) | SYSTEM.BROKER.DC.AUTH | +INQ | -o DataCapture | read+ |
| | Replay data | SYSTEM.BROKER.DC.AUTH | +INQ +SET | -o DataCapture | read+,execute+ |
| Services | View or import an MQ service from the Integration Registry | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | Create or delete an MQ service in the Integration Registry | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| Policies | View policies in the web user interface | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | Create, update, or delete policies in the web user interface | SYSTEM.BROKER.AUTH | +INQ +PUT | | read+,write+ |
| | Attach a policy to an integration server | SYSTEM.BROKER.AUTH.EG | +INQ +PUT | -e integration_server | read+,write+ |
| Flow exerciser | Enable flow recording for a message flow | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| | View recorded messages for a message flow | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +INQ | -e integration_server | read+ |
| | Clear recorded messages for a message flow | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +PUT | -e integration_server | write+ |
| | Inject a recorded message into a message flow | SYSTEM.BROKER.AUTH | +INQ | | read+ |
| | | SYSTEM.BROKER.AUTH.EG | +SET | -e integration_server | execute+ |
Notes:
1. If you are changing resource statistics collection for all integration servers on the integration node, you must grant execute authority for all integration servers.
2. If you are reporting resource statistics collection for all integration servers on the integration node, you must grant read authority for all integration servers.
3. In the queue name SYSTEM.BROKER.AUTH.EG, EG refers to the name of your integration server.
4. For viewing recorded data, EG in the queue name SYSTEM.BROKER.AUTH.EG refers to the value of the egForView property that you specify in your DataCaptureStore configurable service.
5. For replaying data, EG in the queue name SYSTEM.BROKER.AUTH.EG refers to the value of the egForReplay property that you specify in your DataDestination configurable service.
6. Where no object flag is specified on the mqsichangefileauth command, permissions are set at the level of the integration node.

Authority granted at the integration node level (on queue SYSTEM.BROKER.AUTH) does not inherit down to integration servers. If you grant a user ID authority at the node level, you must still explicitly grant authority for all, or for individual, integration servers.
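The following script is an added example, not part of this documentation or of the product: it generates the commands that grant one user the permissions listed in the table for the task "Start or stop message flows" on a list of integration servers, under either MQ queue-based security (setmqaut) or file-based security (mqsichangefileauth), and the commands that display the resulting authority for checking. Because node-level authority does not inherit to integration servers, the server-level grant is emitted once per server. The queue manager QM1, integration node NODE1, user flowop, role flowops, and integration servers EG1 and EG2 are assumed names for illustration.

```shell
#!/bin/sh
# Added example, not IBM's own code: emit the commands that grant and verify
# the permissions for "Start or stop message flows" from the table above.
# QM1, NODE1, flowop, flowops, EG1 and EG2 are assumed names.
QMGR=${QMGR:-QM1}      # assumed queue manager name
NODE=${NODE:-NODE1}    # assumed integration node name

# grant_start_stop_flows MODE WHO SERVER...
#   MODE is "mq" (queue-based security) or "file" (file-based or LDAP security).
#   WHO is an MQ principal (mq mode) or a role name (file mode).
# Prints one command per line so the grant can be reviewed before it is run;
# pipe the output into sh to apply it.
grant_start_stop_flows() {
    mode=$1; who=$2; shift 2
    case "$mode" in
        mq)
            # Node level: +inq on SYSTEM.BROKER.AUTH (the read+ equivalent).
            # Use -g instead of -p to grant to a group.
            echo "setmqaut -m $QMGR -t q -n SYSTEM.BROKER.AUTH -p $who +inq"
            # Server level: +set on SYSTEM.BROKER.AUTH.<server>, once per
            # server, because node-level authority does not inherit down.
            for eg in "$@"; do
                echo "setmqaut -m $QMGR -t q -n SYSTEM.BROKER.AUTH.$eg -p $who +set"
            done
            ;;
        file)
            # Node level: read+ with no object flag (node-level permission).
            echo "mqsichangefileauth $NODE -r $who -p read+"
            # Server level: execute+ scoped with -e to each server.
            for eg in "$@"; do
                echo "mqsichangefileauth $NODE -r $who -e $eg -p execute+"
            done
            ;;
        *)
            echo "unknown mode: $mode (use mq or file)" >&2
            return 1
            ;;
    esac
}

# verify_start_stop_flows MODE WHO SERVER...
# Prints the commands that display the effective authority after the grant.
verify_start_stop_flows() {
    mode=$1; who=$2; shift 2
    case "$mode" in
        mq)
            echo "dspmqaut -m $QMGR -t q -n SYSTEM.BROKER.AUTH -p $who"
            for eg in "$@"; do
                echo "dspmqaut -m $QMGR -t q -n SYSTEM.BROKER.AUTH.$eg -p $who"
            done
            ;;
        file)
            echo "mqsireportfileauth $NODE -r $who"
            for eg in "$@"; do
                echo "mqsireportfileauth $NODE -r $who -e $eg"
            done
            ;;
        *)
            return 1
            ;;
    esac
}

# Demonstration with the assumed names.
grant_start_stop_flows mq flowop EG1 EG2
grant_start_stop_flows file flowops EG1 EG2
verify_start_stop_flows file flowops EG1 EG2
```

The script only prints commands, so it can be reviewed in a change ticket before it is applied; run the verify commands after the grant and confirm that each SYSTEM.BROKER.AUTH.<server> queue (or each -e scoped role entry) shows the expected authority, since a grant that covers only SYSTEM.BROKER.AUTH leaves the user unable to start or stop flows on any server.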