IBM App Connect Enterprise, Version 11.0.0.2 Operating Systems: Windows, Linux
Role-based security

You can control access to integration nodes, integration servers, and their resources through the web user interface, REST application programming interface (API), IBM® App Connect Enterprise Toolkit, and App Connect Enterprise commands, by associating users with roles.

A role is defined by a set of security permissions that control users' access to an integration node or integration server, and its associated resources.

As an integration administrator, you can control the access that web users have to integration nodes, integration servers, and resources, by assigning each user to a role. You can authorize users with a particular role to complete specific actions; for example, you might allow users with one role to view integration server resources, while allowing users with another role to modify them.

You can grant the same permissions to multiple users by assigning them to the same role, but each user can be assigned to only one role.

You can configure integration nodes (and their associated integration servers) to use either file-based authorization or queue-based authorization. You can configure independent integration servers (which are not associated with an integration node) to use file-based authorization only. For information about how to set the authorization mode, see Configuring administration security to use file-based or queue-based authorization.

If an integration node or an independent integration server is configured to use file-based authorization (file mode), you can grant permissions to a role either by using the -r role and -p permissions parameters of the mqsichangefileauth command, or by setting permissions in the node.conf.yaml or server.conf.yaml configuration files. For more information about file-based authorization, see Setting file-based permissions.

In file mode, if a user is assigned to a role that has no permissions defined, then when that user attempts an action, a check is made to see whether the role name matches a local operating system user name. If there is a match (for example, both the role name and the operating system user name are aceadmin), a further check is made to see whether that user name is a member of the mqbrkrs group. If it is a member, permission is granted for all actions on all objects.
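The following Python model, added here as an illustration and not IBM's own code, works through the file-mode decision described in the two preceding paragraphs: a role is looked up in the permissions that were set (by mqsichangefileauth or in server.conf.yaml), and a role with no permissions defined falls back to the operating-system user name and mqbrkrs group check. The 'read+:write-:execute+' permission syntax, the Security.Permissions layout, and all role, user and group data are constructed assumptions for the example; check them against your own configuration files.

```python
"""Model of the file-mode role authorization check.

Added example, not IBM's code. The 'read+:write-:execute+' permission syntax
and the Security.Permissions layout are assumptions in the server.conf.yaml
style; verify against your own configuration files.
"""
import re

PERMISSION_TOKEN = re.compile(r"^(read|write|execute)([+-])$")
ACTIONS = ("read", "write", "execute")


def parse_permissions(spec: str) -> dict:
    """Turn 'read+:write-:execute+' into {'read': True, 'write': False, 'execute': True}.

    Anything not explicitly granted is treated as denied, and malformed tokens
    are rejected rather than ignored, so a typo cannot silently widen access.
    """
    granted = {action: False for action in ACTIONS}
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        match = PERMISSION_TOKEN.match(token)
        if match is None:
            raise ValueError(f"malformed permission token: {token!r}")
        action, sign = match.groups()
        granted[action] = sign == "+"
    return granted


# Constructed sample: role name -> permission string, as it would sit under
# Security.Permissions in server.conf.yaml (layout is an assumption).
ROLE_PERMISSIONS = {
    "viewer": "read+:write-:execute-",
    "operator": "read+:write-:execute+",
    "admin": "read+:write+:execute+",
}

# Constructed sample: web user -> role. Each web user has exactly one role.
WEB_USERS = {
    "alice": "viewer",
    "bob": "operator",
    "carol": "admin",
    "dave": "aceadmin",   # role with no permissions defined in the file
    "erin": "guest",      # role with no permissions and no mqbrkrs membership
}

# Constructed sample: local OS user -> set of OS groups. This stands in for
# the operating-system lookup that the real check performs.
OS_GROUPS = {
    "aceadmin": {"mqbrkrs", "staff"},
    "guest": {"users"},
}


def role_allows(role: str, action: str,
                role_permissions=ROLE_PERMISSIONS, os_groups=OS_GROUPS) -> bool:
    """Decide whether ROLE may perform ACTION in file mode.

    1. If the role has permissions defined, those permissions decide.
    2. Otherwise, if the role name matches a local OS user name and that user
       is a member of mqbrkrs, every action on every object is granted.
    3. Otherwise the action is denied.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    if role in role_permissions:
        return parse_permissions(role_permissions[role])[action]
    return "mqbrkrs" in os_groups.get(role, set())


def web_user_allowed(user: str, action: str) -> bool:
    """Resolve a web user to its single role, then apply the role check."""
    role = WEB_USERS.get(user)
    if role is None:
        return False  # unknown web user: no role, no access
    return role_allows(role, action)


def full_access_roles(web_users=WEB_USERS, role_permissions=ROLE_PERMISSIONS,
                      os_groups=OS_GROUPS) -> list:
    """Audit helper: roles that hold all permissions only via the mqbrkrs fallback."""
    return sorted(
        role for role in set(web_users.values())
        if role not in role_permissions and "mqbrkrs" in os_groups.get(role, set())
    )


if __name__ == "__main__":
    for user in WEB_USERS:
        print(user, {a: web_user_allowed(user, a) for a in ACTIONS})
    print("roles with fallback full access:", full_access_roles())
```

The full_access_roles helper is the check worth keeping: a role that appears in no permissions list but happens to share its name with an mqbrkrs member gets every action on every object, so an audit of role assignments should list those roles explicitly rather than assume an undefined role means no access.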

If an integration node is configured to use queue-based authorization (mq mode), you must create a system user name on the operating system on which your integration node is running. You then assign permissions to that system user name, and this set of permissions represents a role whose name is the system user name. For example, the set of permissions that you define for a system user called ibmuser forms a role called ibmuser. For information about setting permissions for queue-based authorization, see Setting queue-based permissions.

You can create web user accounts and assign them to the appropriate roles by using the mqsiwebuseradmin command. For more information, see Managing web user accounts and Controlling access to data and resources in the web user interface.
bn28480_.htm | Last updated 2018-11-02 14:46:30