IBM App Connect Enterprise, Version 11.0.0.2 Operating Systems: Windows, Linux


mqsichangefileauth command

Use the mqsichangefileauth command to authorize users to complete specific tasks against resources for an integration node or integration server.

Supported platforms

  • Windows systems.
  • Linux and UNIX systems.

Purpose

Use the mqsichangefileauth command to grant and revoke administration authority by setting file-based permissions for specified roles. Administrators can control the access that web users have to resources of an integration node or integration server, by assigning each user to a predefined role. You can authorize users with a particular role to complete specific actions; for example, you might allow users with one role to view resources, while allowing users with another role to modify them. For more information about roles, see Role-based security.

You can use the mqsichangefileauth command only if the file-based mode of administration security has been specified for the integration node or integration server. Use the mqsichangeauthmode command to change the administration security mode, and the mqsireportauthmode command to see which security mode is currently in effect. For information about specifying the administration security mode, see Configuring administration security to use file-based or queue-based authorization.

Three levels of authorization are supported for IBM App Connect Enterprise administration security: read, write, and execute. These permissions can be applied to each role for the following types of objects: 
  • Integration node resources
  • Integration server resources

Syntax

Read syntax diagramSkip visual syntax diagram
>>-mqsichangefileauth--+-integrationNodeName-+-- -r --role------>
                       '- -w --workpath------'               

>--+-------------------+-- -p --permissions--------------------><
   +- -e --server_name-+                      
   '- -o --object------'                      

Parameters

integrationNodeName
(Required for an integration node or dependent integration server) The name of the integration node to which the security permissions will apply.

 

-w workpath
(Required for an independent integration server) This parameter specifies the work directory for the integration server to which the security permissions will apply.
-r role
(Required) The role for which the permissions are to be set.

 

-e server_name
(Optional) Specifies the integration server, within an integration node, to which the security permissions will apply. If you specify this parameter, you must specify the integration node name, and cannot specify an object (resource) using the -o parameter.

 

-o object
(Optional) Specifies the object (resource) name for which the security settings will be set. The valid value for this command is DataCapture. If you specify this parameter, you cannot specify a server name using the -e parameter.

 

-p permissions
(Required) Specifies the permissions that are set for the specified role:
  • integrationNodeName
  • integrationNodeName.integrationServerName
  • integrationNodeName.object
The following values are valid for this command:
  • read+/-
  • write+/-
  • execute+/-
  • all+/-

The permissions are specified as a comma-separated list of values. A value can be specified for each permission (read, write, and execute) only once in the list of values. For example, you cannot specify all-,read+ because it would be attempting to set the read permission twice (once explicitly, and once as part of all). If all is specified, it must be the only value. If you specify all-, all permission records in the registry are removed.

 

Responses

In addition to standard command responses, the following responses are returned by this command.
  • BIP8060 The mqsichangefileauth command changes the security permissions for a specified resource
  • BIP8061 The supplied resource is not valid as a resource specifier

Authorization

For information about platform-specific authorizations, see the following topics: If you have enabled integration node administration security, you must also set up the authority that is detailed in Tasks and authorizations for administration security.

Examples

Always enter the command on a single line; in some examples, line breaks have been added to enhance readability.

In the following example, the role aceAdmins is granted execute and read permission on ACE11NODE.default (the default integration server on the ACE11NODE integration node). If this role did not previously exist, the write permission is disabled. If this role previously existed, the write permission is unchanged from its previous setting.
mqsichangefileauth ACE11NODE -r aceAdmins -e default -p read+,execute+
Start of changeIn the following example, the role aceAdmins is granted read, execute, and write permission for all resources in the independent integration server whose work path is specified by the -w parameter:
mqsichangefileauth -w myIntegrationServerWorkPath -r aceAdmins -p all+
End of change
In the following example, all permissions are removed for the role aceAdmins for resources in the ACE11NODE integration node, and the access control list for aceAdmins in the ACE11NODE integration node is deleted:
mqsichangefileauth ACE11NODE -r aceAdmins -p all-
You can confirm that the entry has been deleted by using the mqsireportfileauth command:
mqsireportfileauth ACE11NODE -l

bn28610_.htm | Last updated 2018-11-02 14:46:30