Authorizing users for administration

Authorize users to complete specific tasks against an integration node or server and its resources.

About this task

Three levels of permission are supported for IBM® App Connect Enterprise administration security: read, write, and execute. These permissions can be applied to each role for the following types of objects: 
  • Integration node resources
  • Integration server resources
  • Data resources (record-replay)
For more information about roles, see Role-based security.

You can enable administration security for an integration node or integration server either by using the mqsichangeauthmode command or by setting the security properties in the node.conf.yaml or server.conf.yaml configuration file.

If you enable administration security for an integration node, you can also choose which authorization mode (file-based, queue-based, or LDAP authorization) will be used for setting permissions. For independent integration servers (which are not managed by an integration node), you can specify file-based authorization or LDAP authorization.

You control access to an integration node (and the integration servers that it manages) by setting file-based or queue-based permissions, or LDAP authorization. You can set file-based permissions either by using the mqsichangefileauth command, or by setting properties in the node.conf.yaml configuration file. You can set queue-based permissions by using IBM MQ authorization queues on the queue manager that is specified on the integration node. You can set LDAP authorization by setting properties in the node.conf.yaml configuration file. For information about the permissions that are required for working with an integration node and its resources, see Permissions for acting on integration nodes, integration servers, and resources.

When you enable administration security for an integration node, the default mode of authorization depends on whether a queue manager is specified on the integration node. If a queue manager has been specified, authorization for the integration node is based on IBM MQ queues by default (mq mode), and the required queues used for setting authorization are created automatically when the integration node is created. If you create an integration node without specifying an associated queue manager, file-based authorization (file mode) is used by default.

You can control access to an independent integration server (which is not managed by an integration node) by using either file-based permissions or LDAP authorization. You can set file-based permissions either by using the mqsichangefileauth command or by setting properties in the server.conf.yaml configuration file. You can set LDAP authorization by setting properties in the server.conf.yaml configuration file.

If you are using any IBM App Connect Enterprise functions that require access to IBM MQ, you must set the required permissions that enable the connection to be made to the queue manager that is specified on the integration node. For information about these permissions, see Permissions for connecting to a queue manager. When you have set the required permissions for connecting to the queue manager, you can set the permissions that authorize users to act on the integration node and its resources.

For information about authentication, see Authenticating users for administration.

Procedure

Complete the following steps to set the required authorization mode and to authorize users to work with an integration node or server and its resources:

  1. Ensure that administration security for the integration node or server is enabled and configured to use the required authorization mode, as described in Configuring administration security to use file-based, queue-based, or LDAP authorization.
    To find out which authorization mode is currently in effect, see Checking the authorization mode.
  2. If you are using queue-based administration security for an integration node, set the required permissions to enable users to connect to the IBM MQ queue manager.
    For information about these permissions, see Permissions for connecting to a queue manager.
  3. Set the required permissions to enable users to complete tasks on an integration node or server and its resources.
    For information about the permissions that are required, see Permissions for acting on integration nodes, integration servers, and resources.
  4. You can control web users' access to data and resources by assigning permissions to the role that the users are assigned to. For more information, see Controlling access to data and resources in the web user interface.