IBM App Connect Enterprise, Version 11.0.0.2 Operating Systems: Windows, Linux


Setting file-based permissions

Grant and revoke administration authority by configuring file-based permissions for working with an integration node or integration server and resources.

About this task

You can grant and revoke administration authority for an integration node (and its managed integration servers) or for an independent integration server (which is not managed by an integration node), by configuring file-based permissions for specified roles. You can configure these permissions either by using the mqsichangefileauth command, or by setting properties in the node.conf.yaml or server.conf.yaml configuration file for the integration node or server.

You can use file-based permissions for authorization only if the file-based mode of administration security has been specified for the integration node or server.

To specify an authorization mode for an integration node or independent integration server, you can either use the mqsichangeauthmode command or set the authMode property in the node.conf.yaml or server.conf.yaml configuration file.

Three levels of authorization permissions are supported for IBM® App Connect Enterprise administration security: read, write, and execute. You can assign permissions to a role (system user) by specifying the type of permission followed by a plus (+) to grant permissions, or a minus (-) to revoke permissions: 
  • read+/-
  • write+/-
  • execute+/-
  • all+/-
These permissions can be applied to each role for the following types of objects: 
  • Integration node resources
  • Integration server resources
Set file-based permissions for your integration node or integration server by completing one of the following tasks:

Setting permissions in the node.conf.yaml or server.conf.yaml configuration file

About this task

You can configure authorization for an integration node (and its managed integration servers) or for an independent integration server, by setting permissions for roles in the Security section of the node.conf.yaml or server.conf.yaml configuration file.
You define a role and grant or deny permissions to it by listing it under Permissions in the .yaml file. In the following example, the role viewRole is granted read permission only (write and execute are explicitly denied), and the role adminRole is granted permission for all actions:
Permissions:
    viewRole:  'read+:write-:execute-'
    adminRole: 'all+'

Procedure

Configure file-based permissions for an integration node or server by completing the following steps:

  1. Stop the integration node or server by using the web user interface or the IBM App Connect Enterprise Toolkit.
  2. Open the node.conf.yaml or server.conf.yaml configuration file for your integration node or server, by using a YAML editor.

    If you do not have access to a YAML editor, you can edit the file by using a plain text editor; however, you must ensure that you do not include any tab characters, because they are not valid in YAML and would cause your configuration to fail. If you are using a plain text editor, ensure that you use a YAML validation tool to validate the content of your file.

  3. If administration security has not already been enabled, enable it now by activating the basicAuth and adminSecurity properties in the node.conf.yaml or server.conf.yaml file:
    basicAuth: true
    adminSecurity: active
  4. Specify the file-based authorization mode, by setting the authMode property to file:
    authMode: file
  5. Define the role and set its permissions, by specifying a combination of read, write, and execute, or all, with + to grant permission, and - to deny permission; for example:
    viewOnly:  'read+:write-:execute-'
    aceAdmin:     'all+'
    where the viewOnly role has only read permission, and the aceAdmin role has permission for all actions.
  6. Save the modified file.
  7. Restart the integration node or server for the changes to take effect.
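The following fragment puts the properties from steps 3 to 5 together in one place. It is an added illustration, not a copy of a shipped node.conf.yaml or server.conf.yaml. The Permissions key sits in the Security section, as stated above; the sections that the other three properties belong to (RestAdminListener for basicAuth, Security for adminSecurity and authMode) are an assumption and should be checked against the commented template in your own configuration file. The commented-out catch-all role shows the setting to avoid; the two roles beneath it are the least-privilege split the procedure describes.

```yaml
# Added example. Section placement of basicAuth, adminSecurity and authMode is
# an assumption; keep each property in the section where your shipped
# conf.yaml template already lists it.
RestAdminListener:
  basicAuth: true            # step 3: require a user name and password on the admin port
  # basicAuth sends credentials base64-encoded, not encrypted: protect the
  # listener with TLS before exposing it beyond the local host.

Security:
  adminSecurity: active      # step 3: switch administration security on
  authMode: file             # step 4: use the Permissions below, not an LDAP lookup

  Permissions:
    # Avoid: one catch-all role that gives every mapped user all+
    # everyone: 'all+'
    #
    # Prefer: grant only what each role needs (colon-separated in this file)
    viewOnly:  'read+:write-:execute-'   # can inspect but not change or run anything
    aceAdmin:  'all+'                    # full administration, keep membership small
```

Tabs are not valid in this file; indent with spaces only, and validate the result with a YAML tool before restarting the node or server.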

Setting permissions by using the mqsichangefileauth command

About this task

You specify the permissions as a comma-separated list of values. A value can be specified for each permission (read, write, and execute) only once in the list of values. For example, you cannot specify all-,read+ because it would be attempting to set the read permission twice (once explicitly, and once as part of all). If all is specified, it must be the only value. If you specify all-, all permission records in the registry are removed.

Procedure

Follow these steps to set permissions for a role:

  1. Ensure that administration security has been enabled for the integration node. For more information, see Enabling administration security.
  2. Use the mqsichangefileauth command to change the permissions that are assigned to a role. For example, the following command shows how to set permissions on an integration server that is associated with an integration node:
    mqsichangefileauth ACE11NODE -r aceAdmins -e default -p read+,execute+
    In this example, the role aceAdmins is granted read and execute permission on ACE11NODE.default (the default integration server on the ACE11NODE integration node). If the role did not previously exist, it now holds only those two permissions: write was never granted, so write actions are denied.
    The following example shows how to set permissions on an independent integration server (which is not managed by an integration node):
    mqsichangefileauth -w server_workpath -r aceAdmins -e default -p read+,execute+
  3. If you are using the web user interface for administration, log off and log on again to refresh the web user interface to reflect the new permissions. If permissions have been revoked, the change takes effect immediately and actions requiring that permission fail because access is denied.
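The rules above for a permission list (each of read, write and execute at most once; all only on its own; all- removes the role's records) are easy to get wrong when scripting many mqsichangefileauth calls. The following Python model, added here and not part of IBM's product or this page, applies those rules to an in-memory role table so a permission list can be validated, and the resulting access decisions checked, before it is applied to a real integration node. It accepts both the comma-separated command form and the colon-separated conf.yaml form. The role table is a constructed stand-in for the product's registry; the functions change_file_auth, is_allowed, rejects and walkthrough are names chosen for this example, and nothing here runs mqsi* commands.

```python
"""Model of the file-based permission lists described on this page.

Added example (not IBM's code). The registry below is a constructed stand-in
for the product's permission registry; nothing here talks to an integration
node. The semantics modelled are only those the page states.
"""
from __future__ import annotations

PERMISSIONS = ("read", "write", "execute")

# (role, resource) -> {permission: granted}
Registry = dict[tuple[str, str], dict[str, bool]]


class PermissionSyntaxError(ValueError):
    """A permission list that the page says mqsichangefileauth rejects."""


def parse_permissions(spec: str, sep: str = ",") -> dict[str, bool]:
    """Parse 'read+,execute+' (command form, sep=',') or
    'read+:write-:execute-' (conf.yaml form, sep=':') into {permission: granted}.

    Rules from the page: each of read/write/execute at most once, and 'all'
    only as the single value (it stands for all three). 'all-' returns {}
    to mean "remove every record for this role".
    """
    values = [v.strip() for v in spec.split(sep) if v.strip()]
    if not values:
        raise PermissionSyntaxError("empty permission list")
    parsed: dict[str, bool] = {}
    for value in values:
        name, sign = value[:-1], value[-1]
        if sign not in "+-" or name not in PERMISSIONS + ("all",):
            raise PermissionSyntaxError(f"unrecognised value {value!r}")
        if name == "all":
            # 'all-,read+' would set read twice, so 'all' must stand alone
            if len(values) != 1:
                raise PermissionSyntaxError("'all' must be the only value")
            return dict.fromkeys(PERMISSIONS, True) if sign == "+" else {}
        if name in parsed:
            raise PermissionSyntaxError(f"{name!r} specified more than once")
        parsed[name] = sign == "+"
    return parsed


def change_file_auth(registry: Registry, role: str, resource: str,
                     spec: str, sep: str = ",") -> Registry:
    """Apply one list, like `mqsichangefileauth NODE -r ROLE -e SERVER -p SPEC`.

    The list is validated before anything changes, so a rejected list leaves
    the registry untouched. Permissions the list does not mention keep their
    previous value; a brand-new role starts with nothing granted.
    """
    parsed = parse_permissions(spec, sep)
    key = (role, resource)
    if not parsed:                      # 'all-': every record for the role is removed
        registry.pop(key, None)
    else:
        registry.setdefault(key, {}).update(parsed)
    return registry


def is_allowed(registry: Registry, role: str, resource: str, action: str) -> bool:
    """Deny by default: an action never granted, or explicitly denied, fails."""
    if action not in PERMISSIONS:
        raise ValueError(f"unknown action {action!r}")
    return registry.get((role, resource), {}).get(action, False)


def rejects(spec: str, sep: str = ",") -> bool:
    """True when the list is one the syntax rules above reject."""
    try:
        parse_permissions(spec, sep)
    except PermissionSyntaxError:
        return True
    return False


def walkthrough() -> dict[str, bool]:
    """Replay the page's command against a constructed registry and record the decisions."""
    registry: Registry = {}
    server = "ACE11NODE.default"        # the default integration server on ACE11NODE
    # mqsichangefileauth ACE11NODE -r aceAdmins -e default -p read+,execute+
    change_file_auth(registry, "aceAdmins", server, "read+,execute+")
    decisions = {
        "read_after_grant": is_allowed(registry, "aceAdmins", server, "read"),
        "write_after_grant": is_allowed(registry, "aceAdmins", server, "write"),  # never granted
        "execute_after_grant": is_allowed(registry, "aceAdmins", server, "execute"),
    }
    # A later write+ adds to the record without touching read or execute.
    change_file_auth(registry, "aceAdmins", server, "write+")
    decisions["write_after_second_grant"] = is_allowed(registry, "aceAdmins", server, "write")
    # all- removes the role's records, so every action is denied again.
    change_file_auth(registry, "aceAdmins", server, "all-")
    decisions["read_after_all_minus"] = is_allowed(registry, "aceAdmins", server, "read")
    decisions["record_removed"] = ("aceAdmins", server) not in registry
    return decisions


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Because validation runs before the registry is touched, a script that loops over many roles fails on the first bad list instead of leaving some roles changed and others not, which is the order you want when the same lists are later fed to the real command. Note that the model treats "never granted" and "explicitly denied" alike, which is all the page's deny-by-default behaviour requires.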

What to do next

For information about authentication, see Authenticating users for administration.


bn28616_.htm | Last updated 2018-11-02 14:46:30