You can restrict the users who can view and replay
data for an integration node by enabling administration security and
setting permissions for specified roles.
Before you begin
Read the following topics:
About this task
If you do not enable administration security, any user can complete any
action against the integration node and its resources. You can enable
administration security and specify the authorization mode for the
integration node by using the mqsichangeauthmode command.
Procedure
To enable security for record and replay, complete the
following steps:
- Stop the integration node by using the web user interface
or by running the mqsistop command.
- Enable administration security for the integration node
and specify an authorization mode by using the mqsichangeauthmode command.
For example, to enable administration security with the file-based
authorization mode for the IB10NODE integration node, enter the following
command:
mqsichangeauthmode IB10NODE -s active -m file
where -s active enables administration security for the integration
node, and -m file specifies the file-based authorization mode.
For more information, see Enabling administration security.
- Define the roles and their associated permissions:
  - If the integration node is configured to use file-based authorization
    (file mode), you define the roles and associated
    permissions on the integration node, by using the mqsichangefileauth command.
    For information about setting permissions for file-based authorization,
    see Setting file-based or LDAP-based permissions.
  - If the integration node is configured to use queue-based authorization
    (mq mode), you must create a system user ID on
    the operating system that is running your integration node. You must
    then assign permissions to the system user ID, which is then used
    as a role. For information about setting permissions for queue-based
    authorization, see Setting queue-based permissions.
One or more web user IDs can be assigned to each role, and the
permissions that were granted to the role are automatically granted
to all web user IDs that are assigned to it. For more information,
see Role-based security and Managing web user accounts.
- To allow users with an assigned role to run record and
replay queries on the integration server, set the required permissions
for the role, using either file-based or queue-based permissions,
depending on the authorization mode that is set for the integration
node:
  - If you are using file-based authorization, set read+ permission
    for the role for actions on the integration node and integration server.
    For more information about file-based authorization, see Setting file-based or LDAP-based permissions.
  - If you are using queue-based authorization, set +inq permission
    for the role for actions on the queues SYSTEM.BROKER.AUTH and SYSTEM.BROKER.AUTH.EG. For more information about
    queue-based authorization, see Setting queue-based permissions.
- You must also set the required permissions for data capture
to control the record and replay actions that users with a specified
role (such as ibmuser) can complete on the integration
node. Ensure that the role has the appropriate authorization to complete
the required actions, as described in Controlling access to data and resources in the web user interface.
- Create a web user account by using the mqsiwebuseradmin command, and
specify a role for the account. This account is the one that you will
use to log on to the web user interface for viewing and replaying
data.
- Start the integration node by using the web user interface
or the mqsistart command.
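The file-mode path through the steps above, written as a script. This is an added example, not IBM's own code. The integration server name default, the web user replayuser, and the mqsichangefileauth and mqsiwebuseradmin flags are assumptions that do not appear on this page.

```shell
#!/bin/sh
# File-mode setup for record and replay, in the order of the procedure above.
# Flags for mqsichangefileauth (-r, -e, -p) and mqsiwebuseradmin (-c, -u, -r, -a)
# are assumptions taken from the command references; check your installed version.
# The data capture permission step is not scripted: the page defers its
# syntax to a separate topic.

# Reject empty names, leading dashes and anything outside [A-Za-z0-9._-] so a
# name can never add an option or shell syntax to a generated command.
valid_name() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the commands, one per line.
record_replay_plan() {
  node=$1 server=$2 role=$3 webuser=$4
  for v in "$node" "$server" "$role" "$webuser"; do
    valid_name "$v" || { echo "invalid name: $v" >&2; return 1; }
  done
  cat <<EOF
mqsistop $node
mqsichangeauthmode $node -s active -m file
mqsichangefileauth $node -r $role -p read+
mqsichangefileauth $node -e $server -r $role -p read+
mqsiwebuseradmin $node -c -u $webuser -r $role -a "\$WEBUSER_PASSWORD"
mqsistart $node
EOF
}

# Dry run by default; set APPLY=1 to execute. Stops at the first failure.
# WEBUSER_PASSWORD is read from the environment, never stored in the script.
apply_plan() {
  plan=$(record_replay_plan "$@") || return 1
  printf '%s\n' "$plan" | while IFS= read -r cmd; do
    echo "+ $cmd"
    [ "${APPLY:-0}" = 1 ] || continue
    eval "$cmd" </dev/null || exit 1
  done
}

# Constructed sample values: server "default" and web user "replayuser".
apply_plan IB10NODE default ibmuser replayuser
```

Run it once without APPLY to review the printed commands, then rerun with APPLY=1 and WEBUSER_PASSWORD set in the environment.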
What to do next
To view data that has been recorded, see Viewing recorded data. To replay data that has been recorded,
see Replaying data.