Role-based security

You can control access to integration nodes, integration servers, and their resources through the web user interface, REST application programming interface (API), IBM® App Connect Enterprise Toolkit, and App Connect Enterprise commands, by associating users with roles.

A role is defined by a set of security permissions that control users' access to an integration node or integration server, and its associated resources.

As an integration administrator, you can control the access that web users have to integration nodes, integration servers, and resources, by assigning each user to a role. You can authorize users with a particular role to complete specific actions; for example, you might allow users with one role to view integration server resources, while allowing users with another role to modify them.

You can grant the same permissions to multiple users by assigning them to the same role, but each user can be assigned to only one role.

You can configure integration nodes (and their associated integration servers) to use file-based authorization, queue-based authorization, or LDAP authorization. You can configure independent integration servers (which are not associated with an integration node) to use file-based authorization or LDAP authorization. For information about how to set the authorization mode, see Configuring administration security to use file-based, queue-based, or LDAP authorization.

If an integration node or an independent integration server is configured to use file-based authorization (file mode), you can grant permissions to a role either by using the -r role and -p permissions parameters of the mqsichangefileauth command, or by setting permissions in the node.conf.yaml or server.conf.yaml configuration files. For more information about file-based authorization, see Setting file-based permissions.

In file mode, if a user is assigned to a role for which no permissions are defined, then when that user attempts an action, the role name is compared with the local operating system user names. If there is a match (for example, if both the role name and the operating system user name are aceadmin), that operating system user is checked for membership of the mqbrkrs group. If the user is a member, permission is granted for all actions on all objects.

If an integration node is configured to use queue-based authorization (mq mode), you must create a system user name on the operating system on which your integration node is running. You then assign permissions to that system user name, and this set of permissions forms a role whose name is the system user name. For example, the set of permissions that you define for a system user called ibmuser forms a role called ibmuser. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.

If an integration node or an independent integration server is configured to use LDAP authorization (ldap mode), you can grant permissions to a role by setting permissions in the node.conf.yaml or server.conf.yaml configuration files. For more information about LDAP authorization, see Configuring authorization by using LDAP groups.
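As an added example that is not taken from the product documentation or its shipped sample configuration, the following shows how a permissions stanza in server.conf.yaml (or node.conf.yaml) might look when roles are granted permissions in the configuration file rather than with mqsichangefileauth. The role names are constructed, and the permission-string layout (`read+:all,write-:all,execute-:all`, `all+:all`) is assumed from the product's sample file, so compare it with the commented template in your own configuration file before relying on it:

```yaml
# Added example, not IBM's shipped file. Role names are constructed;
# the '<permission>+/-:<object>' string layout is an assumption.
Security:
  Permissions:
    # Read-only operators: may view every object, but never change or run anything.
    viewRole: 'read+:all,write-:all,execute-:all'
    # Deployment staff: may view and modify resources, but not execute them.
    deployRole: 'read+:all,write+:all,execute-:all'
    # Full administrators: every permission on every object.
    adminRole: 'all+:all'
    # A role that is not listed here has no permissions defined; in file mode the
    # operating-system user name and mqbrkrs group fallback described above then applies.
```

The same grants can be made with the command form described on this page, for example mqsichangefileauth with -r viewRole -p read+:all,write-:all,execute-:all, and a web user is bound to one of these roles with mqsiwebuseradmin. Because a role that has no permissions defined but whose name matches a local operating system user in the mqbrkrs group receives full access in file mode, keep role names distinct from those user names unless that full access is intended.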

You can create web user accounts and assign them to the appropriate roles by using the mqsiwebuseradmin command. For more information, see Managing web user accounts and Controlling access to data and resources in the web user interface.