There are several factors to consider when you are deciding which users can execute App Connect Enterprise commands, and which users can control security for your resources.
Although most security for App Connect Enterprise and its resources is optional, you might find it appropriate to restrict the tasks that some user IDs can perform. You can then apply greater control to monitor changes.
You can control all IBM® App Connect Enterprise administration tasks by enabling administration security. You can enable administration security and specify the authorization mode either by setting the adminSecurity and authMode properties in the node.conf.yaml configuration file for the integration node, or by using the mqsichangeauthmode command. This task is described in Enabling administration security, and is independent of the tasks described in this section.
When you are deciding which users are to perform the different tasks, consider the following steps:
On a Linux or UNIX operating system, when you run the mqsistart command with a user ID that is a member of the mqm and mqbrkrs groups, that same user ID becomes the user ID under which the integration node process runs.
On the Windows platform, the integration node runs under a service user account. To decide which user ID to use for the service ID, answer the following questions:
Note that for cases one and two above, the user ID chosen must be granted the Logon as a service privilege.
This is normally done automatically by the mqsichangebroker command or the mqsichangeproperties command when the service user ID that you specify does not already have this privilege.
However, if you want to grant the privilege manually before running these commands, you can use the Local Security Policy tool in Windows, which you can access by selecting .
If you are using the queue-based authorization mode for the integration node (mq mode), the local mqbrkrs group is granted access to internal queues whose names begin with the characters SYSTEM.BROKER. If you are using the file-based authorization mode, the local mqbrkrs group is granted read, write, and execute permissions on the integration node for running local mqsi commands. Ensure that user IDs requiring these permissions are members of the mqbrkrs group.
Integration node operation depends on the information in the integration node registry, which you must secure to guard against accidental corruption. The integration node registry is stored on the file system under the work path directory, which is specified by the MQSI_WORKPATH environment variable. Set your operating system security options so that only user IDs that are members of the group mqbrkrs can read from or write to integrationNodeName/CurrentVersion and all subkeys.
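An added example, not an App Connect Enterprise tool, that audits and then applies the registry permissions described above on Linux or UNIX: it reports every entry under a directory that is not owned by the expected group or that grants any access to "other" users. The directory path and the group name are parameters; the path `$MQSI_WORKPATH/integrationNodeName/CurrentVersion` in the comment is a placeholder for your node's actual registry directory.

```bash
#!/bin/sh
# Check that only members of one group can read or write the integration node
# registry directory. Constructed example; not part of the product.

# audit_registry_perms DIR GROUP
#   Prints one offending path per line and returns 1 if any entry under DIR is
#   not group-owned by GROUP or grants read, write or execute to "other";
#   returns 0 when the tree is clean and 2 when DIR does not exist.
audit_registry_perms() {
    dir="$1"
    group="$2"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # Octal masks: 004 = other-read, 002 = other-write, 001 = other-execute.
    offenders=$(find "$dir" \( ! -group "$group" \
                               -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# lock_down_registry DIR GROUP
#   Applies the recommended state: group ownership set to GROUP for the whole
#   tree and all "other" permission bits removed. Requires rights to chgrp.
lock_down_registry() {
    chgrp -R "$2" "$1" && chmod -R o-rwx "$1"
}

# Typical use (placeholder path; substitute your node's registry directory):
#   audit_registry_perms "$MQSI_WORKPATH/integrationNodeName/CurrentVersion" mqbrkrs \
#       || lock_down_registry "$MQSI_WORKPATH/integrationNodeName/CurrentVersion" mqbrkrs
```

Run the audit as a routine check; a non-zero return with a list of paths means the registry is readable or writable by user IDs outside the mqbrkrs group.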