Managing web user accounts

IBM® App Connect Enterprise administrators can use the mqsiwebuseradmin command to create a web user, to set or change a web user's password, to remove a web user, or to assign a web user to a role.

About this task

If administration security is enabled, web users can access the web user interface only when they log on with their web user account. As an administrator, you can create multiple roles, each with different permissions, and assign one or more web users to each role. A web user's access to data and resources is controlled by the permissions that are set for their role. For more information, see Role-based security.

If administration security is not enabled, web users can interact with the web user interface without logging on. They interact with the web user interface as the 'default' user and can access all data and resources.

If the integration node or integration server is configured to use file-based authorization, you assign permissions to the role by using the mqsichangefileauth command or in the node.conf.yaml or server.conf.yaml configuration file. Permissions are set for the integration node or integration server, and the data capture object. For more information about setting permissions for file-based authorization, see Setting file-based permissions.

If the integration node is configured to use queue-based authorization (mq mode), you must create a system user ID on the operating system that is running your integration node. This system user is then used as a role, and you assign permissions to it by setting them on the following authorization queues:
  • SYSTEM.BROKER.AUTH
  • SYSTEM.BROKER.AUTH.integrationServerName
  • SYSTEM.BROKER.DC.AUTH
For more information about setting permissions for queue-based authorization, see Setting queue-based permissions.

If the integration node or integration server is configured to use LDAP authorization, you assign permissions to the role by configuring the node.conf.yaml or server.conf.yaml configuration file. Permissions are set for the integration node or integration server. For information about setting permissions for LDAP authorization, see Configuring authorization by using LDAP groups.

For more information about how to set the permissions that are required for using the web user interface, see Controlling access to data and resources in the web user interface.

When you have defined your roles and set the required permissions, you can assign web users to the appropriate role; each web user acquires permissions only through the role to which they are assigned.

Procedure

Complete these steps to grant access to web users based on their assigned role:

  1. Stop the integration node or integration server for which you are configuring administration security.
  2. Enable administration security for the integration node or server by using the mqsichangeauthmode command, or in the node.conf.yaml or server.conf.yaml configuration file, specifying your chosen authorization mode.
    For example, to enable administration security with the file-based authorization mode for the ACE11NODE integration node, enter the following command:
    mqsichangeauthmode ACE11NODE -s active -m file
    where -s active enables administration security for the integration node, and -m file specifies the file-based authorization mode.
    The following example enables authentication only (not authorization) on an independent integration server whose work path is specified by the -w parameter:
    mqsichangeauthmode -w myIntegrationServerWorkpath -b active

    For more information, see mqsichangeauthmode command and Enabling administration security.

  3. Define the roles and their associated permissions. You can assign permissions to each role that you identify. For example, you might decide that your web users can be categorized into two main roles: web administrators and web users. Define a role for each of these groups of users (for example, ACEUsers and ACEAdmins) with permissions that allow them to complete the required tasks, such as viewing or modifying resources:
    • If the integration node or server is configured to use file-based authorization (file mode), you define the roles and associated permissions by using the mqsichangefileauth command or in the node.conf.yaml or server.conf.yaml configuration file. For more information about setting permissions for file-based authorization, see Setting file-based permissions.
    • If the integration node is configured to use queue-based authorization (mq mode), you must create a system user ID on the operating system for each role that you identify. You must then assign permissions to the system user ID, which is then used as a role. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.
    • If the integration node or server is configured to use LDAP authorization (ldap mode), you define the roles and associated permissions by configuring the node.conf.yaml or server.conf.yaml configuration file. For information about setting permissions for LDAP authorization, see Configuring authorization by using LDAP groups.
    For more information about setting the appropriate permissions, see Authorizing users for administration and Controlling access to data and resources in the web user interface.
  4. Use the mqsiwebuseradmin command to create your web user accounts and assign them to the appropriate roles.
    For more information, see mqsiwebuseradmin command. For more information about roles, see Role-based security. For more information about authenticating web user accounts by using LDAP, see Enabling LDAP authentication by using the mqsichangeproperties command.

    If LDAP authentication is enabled, all web user logins are authenticated by LDAP, and any local password that you set with the -a parameter is ignored.

  5. Restart the integration node or integration server for the changes to take effect.
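The five steps above as one provisioning script. This is an added example, not a script from the IBM App Connect Enterprise documentation or product: the node name ACE11NODE, the role names ACEAdmins and ACEUsers, the user names and the passwords are illustrative, and the parameter usage (-s/-m for mqsichangeauthmode, -e/-r/-p for mqsichangefileauth, -c/-u/-r/-a for mqsiwebuseradmin) is assumed to match the command reference pages linked above, which you should check before running it. The script prints each command as a plan and only executes it when APPLY=1 is set, and it omits the -a local password when LDAP_AUTH=1, because a local password is ignored once LDAP authentication is enabled.

```shell
#!/usr/bin/env bash
# Added example (not IBM's own script): provision file-mode administration
# security, two roles and two web users on an integration node, following the
# five-step procedure above. Assumed/illustrative: node ACE11NODE, roles
# ACEAdmins/ACEUsers, the user names and passwords below. Dry run by default;
# APPLY=1 executes the commands.
set -eu

NODE="${NODE:-ACE11NODE}"
# Set LDAP_AUTH=1 when LDAP authentication is enabled on the node: local
# passwords are ignored in that case, so the script does not store one.
LDAP_AUTH="${LDAP_AUTH:-0}"

# run: print the command line; execute it only when APPLY=1.
run() {
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# Step 1 and step 5: stop and restart the node so the changes take effect.
stop_node()  { run mqsistop  "$NODE"; }
start_node() { run mqsistart "$NODE"; }

# Step 2: enable administration security with file-based authorization.
enable_file_auth() { run mqsichangeauthmode "$NODE" -s active -m file; }

# Step 3: define a role by granting it a permission string (for example
# all+ or read+) on the node, or on one integration server when a third
# argument names the server (assumed -e parameter).
define_role() {  # role permissions [integrationServer]
  if [ $# -ge 3 ]; then
    run mqsichangefileauth "$NODE" -e "$3" -r "$1" -p "$2"
  else
    run mqsichangefileauth "$NODE" -r "$1" -p "$2"
  fi
}

# Step 4: create a web user in a role. When LDAP authentication is enabled,
# or no password is supplied, -a is omitted instead of setting a password
# that the node would ignore.
create_web_user() {  # user role [password]
  if [ "$LDAP_AUTH" = "1" ] || [ $# -lt 3 ]; then
    run mqsiwebuseradmin "$NODE" -c -u "$1" -r "$2"
  else
    run mqsiwebuseradmin "$NODE" -c -u "$1" -r "$2" -a "$3"
  fi
}

main() {
  stop_node
  enable_file_auth
  define_role ACEAdmins all+            # administrators: full access to the node
  define_role ACEUsers  read+           # users: read-only on the node
  create_web_user aceadmin ACEAdmins 'Adm1n-example-pw'   # illustrative password
  create_web_user aceuser  ACEUsers  'Us3r-example-pw'    # illustrative password
  start_node
}

main
```

Review the printed plan first, then rerun with APPLY=1 on the machine that hosts the node. A password given with -a appears on the command line, so it is visible in shell history and process listings while the command runs; use throwaway values in scripts and change them afterwards, or rely on LDAP authentication so that no local password is needed.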