IBM Support

IT32918: KC ARTICLES UNCLEAR THAT SECURITY ROLES ARE NOT INHERITED BY NEW INTEGRATION SERVERS WHEN USING FILE OR LDAP SECURITY.


APAR status

  • Closed as documentation error.

Error description

  • The knowledge center articles that discuss role-based security
    do not make it sufficiently clear that newly created integration
    servers do not inherit any roles that are defined on the
    integration node. When an integration server is created and file
    or LDAP security is active then no roles will be defined on this
    new integration server. The roles defined on the integration
    node are not inherited by the integration server.
    
    The article "Configuring authorization for an integration node
    by modifying the node.conf.yaml file" (bn28624) in the ACE v11
    knowledge center contains a statement saying
    
    "If you set permissions for the integration node, the settings
    are inherited by each of its managed integration servers that
    have not had specific permissions set. Any permissions that are
    set for named integration servers will override those that are
    set on the integration node."
    
    This is not correct and should instead read:
    
    "Every integration server managed by this integration node will
    pick up the appropriate permissions section from the
    node.conf.yaml unless it has a permissions section in its own
    server.conf.yaml. An integration server will not inherit
    permission settings defined for the integration node itself."
    
    The analogous article in the IIB v10 knowledge center entitled
    "Setting file-based or LDAP-based permissions" (bn28616) does
    correctly state that permissions set on the integration node are
    not applied to the integration servers.
    
    The articles titled "Permissions for acting on integration nodes,
    integration servers, and resources" (bn28620) in the ACE v11 and
    IIB v10 knowledge centers discuss how, when using queue-based
    security, a newly created integration server automatically
    grants access to members of the mqbrkrs group. These articles do
    not discuss the case of file or LDAP security, where the newly
    created integration server will have no permissions defined, and
    should be rectified to reflect this.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of file or LDAP administration security in IBM
    Integration Bus v10 and IBM App Connect Enterprise v11.
    
    
    Platforms affected:
    z/OS, MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    The knowledge center articles that discuss role-based security
    do not make it sufficiently clear that newly created
    integration servers do not inherit any roles that are defined on
    the integration node. When an integration server is created and
    file or LDAP security is active then no roles will be defined on
    this new integration server. The roles defined on the
    integration node are not inherited by the integration server.
    
    The article "Configuring authorization for an integration node
    by modifying the node.conf.yaml file" (bn28624) in the ACE v11
    knowledge center contains a statement saying
    
    "If you set permissions for the integration node, the settings
    are inherited by each of its managed integration servers that
    have not had specific permissions set. Any permissions that are
    set for named integration servers will override those that are
    set on the integration node."
    
    This is not correct and should instead read:
    
    "Every integration server managed by this integration node will
    pick up the appropriate permissions section from the
    node.conf.yaml unless it has a permissions section in its own
    server.conf.yaml. An integration server will not inherit
    permission settings defined for the integration node itself."
    
    The analogous article in the IIB v10 knowledge center entitled
    "Setting file-based or LDAP-based permissions" (bn28616) does
    correctly state that permissions set on the integration node are
    not applied to the integration servers.
    
    The articles titled "Permissions for acting on integration nodes,
    integration servers, and resources" (bn28620) in the ACE v11 and
    IIB v10 knowledge centers discuss how, when using queue-based
    security, a newly created integration server automatically
    grants access to members of the mqbrkrs group. These articles do
    not discuss the case of file or LDAP security, where the newly
    created integration server will have no permissions defined, and
    should be rectified to reflect this.
    

Problem conclusion

  • The Knowledge Center articles have been updated to reflect these
    behaviours.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT32918

  • Reported component name

    INTEGRATION BUS

  • Reported component ID

    5724J0540

  • Reported release

    A00

  • Status

    CLOSED DOC

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-05-19

  • Closed date

    2020-10-19

  • Last modified date

    2020-10-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
20 October 2020