IBM App Connect Enterprise, Version 11.0.0.2 Operating Systems: Windows, Linux


Commands and authorizations for administration security

If you have enabled administration security, users require specific permissions to be able to run the administration commands.

The following table shows the list of commands, and the permissions that you must set up before users can run them.
Command MQ queue-based security File-based security
WebSphere® MQ Queue6 MQ permission (set on setmqaut command) Object flag (set on mqsichangefileauth command)7 File permission (set on mqsichangefileauth command or in a .yaml configuration file)

SYSTEM.BROKER.AUTH.EG1

+SET -e integration_server1 execute+
mqsicreateexecutiongroup

SYSTEM.BROKER.AUTH

+INQ +PUT   read+,write+
mqsideleteexecutiongroup

SYSTEM.BROKER.AUTH

+INQ +PUT   read+,write+
mqsideploy

SYSTEM.BROKER.AUTH

+INQ   read+

SYSTEM.BROKER.AUTH.EG

+PUT -e integration_server write+
mqsilist

SYSTEM.BROKER.AUTH

+INQ   read+

SYSTEM.BROKER.AUTH.**2

+INQ -e integration_server2 read+
mqsimode

SYSTEM.BROKER.AUTH

+INQ (to display)
+INQ +PUT (to modify)

 

read+ (to display)
read+,write+ (to modify)

SYSTEM.BROKER.AUTH.EG

+INQ -e integration_server read+

SYSTEM.BROKER.AUTH.**3

+PUT -e integration_server3 write+

SYSTEM.BROKER.AUTH.EG4

+INQ -e integration_server4 read+

SYSTEM.BROKER.AUTH.EG

+SET -e integration_server execute+

SYSTEM.BROKER.AUTH.EG

+SET -e integration_server execute+
mqsiwebuseradmin

SYSTEM.BROKER.AUTH

+PUT   write+
Notes:
  1. If you are changing resource statistics collection for all integration servers on the integration node, you must have execute permission for all integration servers.
  2. You must have read permission for every integration node and every integration server for which you are requesting information. If you request details about a resource for which you do not have the required permissions, message BIP1185S is returned to identify each resource with inappropriate permissions: The command completes the request and returns results for all the resources for which permissions are correct.
  3. Where SYSTEM.BROKER.AUTH.** is specified, the user ID running the command must have permissions for all integration servers. You can set up this level of authority by either creating a generic profile for all integration servers, or a specific profile for every integration server.
  4. If you are reporting resource statistics collection for all integration servers on the integration node, you must have read permission for all integration servers.
  5. In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the name of your integration server.
  6. Where no object flag is specified, the permissions are set at the level of the integration node.

Only the commands that are listed in this table are subject to administration security.

Note: The permissions that are listed in this table are in addition to the permission required to run the command on specific platforms. Refer to the following topics for information about platform-specific permissions:

bp43540_.htm | Last updated 2018-11-02 14:46:32