Administration security controls users' permissions to access integration nodes, integration servers, and their resources, and to complete administrative tasks.
Administration security is an optional feature of IBM® App Connect Enterprise; it is not enabled by default. You can enable authentication and select the required authorization mode, either by using the mqsichangeauthmode command or by setting properties in the server.conf.yaml or node.conf.yaml configuration files. For more information, see Enabling administration security.
You can control users' access to integration nodes, integration servers, and their resources by associating users with roles. A role is a set of security permissions that control access to runtime components and resources, and each user account is associated with a particular role. The permissions are checked to determine a user's authorization to perform tasks through the web user interface, REST API, IBM App Connect Enterprise Toolkit, and IBM App Connect Enterprise commands. For more information about roles, see Role-based security, and for information about how to create and assign roles to web users, see Managing web user accounts.
Authentication
For these administration interfaces, authentication is performed by App Connect Enterprise. To use App Connect Enterprise to authenticate a user, you create a web user account with a local password. The user ID and password are then checked against the credentials that are held in the system.
For more information about the authentication support that is provided by IBM App Connect Enterprise, see Authenticating users for administration.
Authorization
Authorization is the process of controlling users' access to resources, by verifying that they have the required permissions to carry out the requested actions against the specified resources.
When administration security is enabled, you can control users' access to integration nodes, integration servers, and resources, by setting permissions that allow user IDs associated with specified roles to perform actions on specified resources. App Connect Enterprise checks the authorizations when it receives a request to view or change its properties or resources. If the user ID associated with the request is not authorized, the request is denied. Permissions are checked for all actions performed by users of the following interfaces:
For additional authorization required for these commands, see Commands and authorizations for administration security.
Commands that are not listed here can be run only on the computer on which the integration node or server is running. When you run any such unlisted command, the user ID that runs it must be a member of the security group mqbrkrs, or it must be the same user ID that is running the integration node or server.
Users of the web user interface and the IBM App Connect Enterprise Toolkit who do not have read, write, and execute permissions for the integration node or its integration servers have only restricted access to those resources.
For integration nodes and their managed integration servers, two modes of authorization are supported: file-based authorization (file mode) and queue-based authorization (mq mode). You can enable administration security for an integration node and specify the required authorization mode, either by using the mqsichangeauthmode command, as described in Configuring authorization by using the mqsichangeauthmode command, or by setting properties in the integration node's node.conf.yaml configuration file, as described in Configuring authorization for an integration node by modifying the node.conf.yaml file.
For independent integration servers, file-based authorization (file mode) only is supported. You can enable administration security for an independent integration server (which is not managed by an integration node), either by using the mqsichangeauthmode command as described in Configuring authorization by using the mqsichangeauthmode command, or by setting properties in the integration server's server.conf.yaml configuration file, as described in Configuring authorization for an integration server by modifying the server.conf.yaml file.
If an integration node or server is configured to use file-based authorization, you can grant permissions to a role by using the mqsichangefileauth command, or by setting permissions in the node.conf.yaml or server.conf.yaml configuration file. For more information, see Setting file-based permissions.
If no permissions are defined for the role name, App Connect Enterprise checks whether the role name matches a system user ID. If a matching system user ID exists and is a member of the mqbrkrs group, full (read, write, and execute) permissions are granted.
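The following Python model illustrates how the file-mode checks described above fit together: permission strings in the `read+:write-:execute+` form are applied incrementally to a role, a request is allowed only if the role holds the permission the action needs, and a role with no defined permissions falls back to the system-user-in-mqbrkrs rule. It is an added example written for this page, not App Connect Enterprise's own code. The action-to-permission table, the OS group lookup, and the assumption that `mqsichangefileauth -p` and the `Security.Permissions` entries in the conf.yaml files use the same incremental `+`/`-` syntax are all assumptions made for the illustration.

```python
"""Illustrative model of ACE file-mode administration authorization.

Added example, not App Connect Enterprise code. Assumptions:
- 'read+:write-:execute+' strings grant ('+') or revoke ('-') each named
  permission and are applied incrementally, as mqsichangefileauth -p and the
  conf.yaml Security.Permissions entries are assumed to be.
- The system-user fallback (role name == local user in group mqbrkrs gets
  full permissions) is modelled with a constructed user/group table rather
  than a real OS query.
"""
from dataclasses import dataclass, field

PERMISSIONS = ("read", "write", "execute")

# Which permission each administrative action requires (constructed mapping,
# chosen to mirror the read/write/execute split the page describes).
ACTION_TO_PERMISSION = {
    "view-properties": "read",
    "change-properties": "write",
    "deploy": "write",
    "start": "execute",
    "stop": "execute",
}


def parse_permission_string(spec: str) -> dict:
    """Parse 'read+:write-:execute+' into {'read': True, 'write': False, ...}.

    Malformed entries raise instead of being silently ignored, so a typo such
    as 'read' (no sign) cannot leave a role more permissive than intended.
    """
    changes = {}
    for item in spec.split(":"):
        item = item.strip()
        if not item:
            continue
        name, sign = item[:-1], item[-1]
        if name not in PERMISSIONS or sign not in "+-":
            raise ValueError(f"bad permission entry: {item!r}")
        changes[name] = sign == "+"
    return changes


@dataclass
class FileAuthorizer:
    roles: dict = field(default_factory=dict)          # role -> set(perms)
    system_users: dict = field(default_factory=dict)   # user -> set(groups)

    def apply(self, role: str, spec: str) -> set:
        """Apply one change to a role, as the assumed command
        'mqsichangefileauth NODE -r <role> -p <spec>' would."""
        granted = self.roles.setdefault(role, set())
        for name, allow in parse_permission_string(spec).items():
            (granted.add if allow else granted.discard)(name)
        return set(granted)

    def permissions_for(self, role: str) -> set:
        if role in self.roles:
            return set(self.roles[role])
        # No permissions defined for the role: fall back to the system user
        # check. Only membership of mqbrkrs confers anything.
        if "mqbrkrs" in self.system_users.get(role, ()):
            return set(PERMISSIONS)
        return set()

    def is_authorized(self, role: str, action: str) -> bool:
        return ACTION_TO_PERMISSION[action] in self.permissions_for(role)


def build_example() -> FileAuthorizer:
    """Constructed scenario: two explicit roles plus two OS users."""
    auth = FileAuthorizer(system_users={
        "aceadmin": {"mqbrkrs", "staff"},   # matches no role, is in mqbrkrs
        "alice": {"staff"},                 # matches no role, not in mqbrkrs
    })
    auth.apply("operators", "read+:write-:execute+")   # view, start, stop
    auth.apply("auditors", "read+:write-:execute-")    # view only
    auth.apply("operators", "read+:write-:execute-")   # later revoke execute
    return auth


if __name__ == "__main__":
    auth = build_example()
    for role in ("operators", "auditors", "aceadmin", "alice"):
        for action in ACTION_TO_PERMISSION:
            verdict = "allow" if auth.is_authorized(role, action) else "deny"
            print(f"{role:10} {action:18} {verdict}")
```

Note that the fallback only applies when the role has no entry at all: a role that exists but has had every permission revoked stays empty, whereas a role name that matches an mqbrkrs member with no entry gets everything, which is why role names should not collide with local administrative user IDs unless that behaviour is intended.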
For queue-based authorization (mq mode), read, write, and execute authorities are granted automatically to the user group mqbrkrs on the integration node's authorization queue, SYSTEM.BROKER.AUTH.
When you create an integration server on an integration node for which you have enabled security, the integration server authorization queue SYSTEM.BROKER.AUTH.EG is created, where EG is the name of the integration server. Read, write, and execute authorities are automatically granted to the user group mqbrkrs on this queue.
If the integration node is configured to use queue-based authorization, you must create a system user ID on the operating system on which your integration node is running. You then assign permissions to the system user ID, and this set of permissions represents a role with a name that corresponds to the name of the system user ID. For example, the set of permissions that you define for a system user called ibmuser form a role called ibmuser. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.
For more information about the authorization support provided by IBM App Connect Enterprise, see Authorizing users for administration and Role-based security.
See the following topics for more information about security permissions: