Setting file-based permissions
Grant and revoke administration authority by configuring file-based permissions for working with an integration node and its resources or an integration server and its resources.
Before you begin
About this task
You can grant and revoke administration authority for an integration node and its managed integration servers, or for an independent integration server, by configuring file-based permissions for specified roles. You can configure these permissions by using the mqsichangefileauth command, or by setting properties in the node.conf.yaml file (for an integration node and its managed integration servers) or in the server.conf.yaml file (for an independent integration server).
You can use file-based permissions for authorization if the file-based or LDAP-based mode of administration security has been specified for the integration node or server. For LDAP authorization, you must associate a role with the LDAP groups to which the user belongs, and then set file-based permissions for that role. For more information, see Configuring authorization by using LDAP groups.
To specify an authorization mode for an integration node (and its managed integration servers) or an independent integration server, you can either use the mqsichangeauthmode command or set the authorizationEnabled and authorizationMode properties in the node.conf.yaml or server.conf.yaml configuration file.
- read+/-
- write+/-
- execute+/-
- all+/-
- Integration node resources
- Integration server resources
- Data objects (record-replay)
Setting permissions in the node.conf.yaml configuration file or server.conf.yaml configuration file
About this task
In the following example, the role called viewRole has been granted read permission only, and the role called adminRole has been granted permission for all actions.
Permissions:
  viewRole: 'read+:write-:execute-'
  adminRole: 'all+'
Procedure
Configure the authorization mode for an integration node or server by completing the following steps:
Setting permissions by using the mqsichangefileauth command
About this task
You specify the permissions as a comma-separated list of values. A value can be specified for each permission (read, write, and execute) only once in the list of values. For example, you cannot specify all-,read+ because it would be attempting to set the read permission twice (once explicitly, and once as part of all). If all is specified, it must be the only value. If you specify all-, all permission records in the registry are removed.
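The following check is an added example, not part of the product or of the original page. It applies the rules above to a permission list before you set it, so that a contradictory entry such as all-,read+ is caught during review. The names parse_permissions and lint_roles are hypothetical, and applying the same rules to the colon-separated form used in the configuration file is an assumption.

```python
# Added example: validates a permission list against the rules stated above.
# parse_permissions() and lint_roles() are hypothetical helper names.
PERMISSIONS = ("read", "write", "execute")


def parse_permissions(spec, sep=","):
    """Return {permission: granted} for a list such as 'read+,write-'.

    False means "not granted" (for all-, the page says the records are removed).
    Raises ValueError when the list breaks one of the documented rules.
    """
    tokens = [t.strip() for t in spec.split(sep)]
    result = {}
    for token in tokens:
        if len(token) < 2 or token[-1] not in "+-":
            raise ValueError(f"{token!r}: expected <permission>+ or <permission>-")
        name, granted = token[:-1], token[-1] == "+"
        if name == "all":
            # 'all' covers read, write and execute, so nothing may accompany it.
            if len(tokens) != 1:
                raise ValueError("'all' must be the only value in the list")
            return {p: granted for p in PERMISSIONS}
        if name not in PERMISSIONS:
            raise ValueError(f"{name!r}: unknown permission")
        if name in result:
            raise ValueError(f"{name!r}: permission set more than once")
        result[name] = granted
    return result


def lint_roles(roles, sep=":"):
    """Check each role in a Permissions mapping; return {role: result or error text}."""
    report = {}
    for role, spec in roles.items():
        try:
            report[role] = parse_permissions(spec, sep)
        except ValueError as exc:
            report[role] = f"INVALID: {exc}"
    return report


if __name__ == "__main__":
    # Constructed sample: the two roles from the page plus one invalid entry.
    sample = {"viewRole": "read+:write-:execute-", "adminRole": "all+",
              "brokenRole": "all-:read+"}
    for role, outcome in lint_roles(sample).items():
        print(role, "->", outcome)
```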
Procedure
Follow these steps to set permissions for a role:
What to do next
For information about authentication, see Authenticating users for administration.