WebSphere Enterprise Service Bus for z/OS, Version 6.2.0 Operating Systems: z/OS


Security for Business Calendar Manager

The Security Manager lets you secure access to individual timetables in Business Calendar Manager. You use it to assign the members of an organization to roles, and those roles determine the level of access each member has to a timetable.

For each timetable within Business Calendar Manager, you can assign members to one of three roles: Owner, Writer, or Reader.

The Security Manager, which you use to administer role-based access control for Business Calendar Manager, is located in Business Space powered by WebSphere®.

This role-based access for Business Calendar Manager is based on XACML (eXtensible Access Control Markup Language), an open standard.

Benefits of using Security Manager

What are the advantages of using Security Manager for role-based access control in Business Calendar Manager?
  • You can control access to a specific instance of a timetable.

    For example, you can specify that a user has access only to the user's own timetable and that the user does not have the ability to look at or change anyone else's timetable.

  • Access is controlled at the role level rather than for individual users.

    You map members to roles. It is the role that defines the permissions its members have on the specific instance of the resource.

Roles associated with a timetable

When a timetable is installed, three roles are created for that timetable: Owner, Writer, and Reader.

How would these roles be used? Consider the case of a holiday timetable used in an organization. You want all employees to have access to the timetable, but you want to limit the number of employees who can update the timetable.

When the Holiday timetable is installed, the following roles are created:
  • HolidayOwner

    Members assigned to this role can read the Holiday timetable and can also write to it. For example, if the company decided to add an extra holiday, a member with the HolidayOwner role would be able to make the change.

    Members of this role can also assign members to the HolidayWriter and HolidayReader role. For example, the HolidayOwner might decide to add a senior manager to the HolidayWriter role.

  • HolidayWriter

    Members assigned to this role can read the Holiday timetable and can also write to it. As in the case of the HolidayOwner, members of the HolidayWriter role could add the extra holiday.

  • HolidayReader

    Members assigned to this role can read the Holiday timetable but cannot write to it.

You might assign the HolidayOwner role to the Human Resources manager, the HolidayWriter role to the Human Resources Specialists group, and the HolidayReader role to the employee group, as shown in the following figure:
Figure 1. Example of roles assigned to a timetable (illustration of roles assigned to various members of an organization; the image is not reproduced here)
When you deploy a timetable, the three roles (Owner, Writer, and Reader) are created, and the membership of every one of them is initially set to All Authenticated. Until you change this, any authenticated user can read and write the timetable and, through the Owner role, add members to the Writer and Reader roles. Assign the members of the organization to the correct roles before the timetable is put to use.
Note: You can change the membership of a role (for example, you can remove a member from the Reader role), but you cannot rename a role, add or delete a role, or change the permissions associated with a role. The permissions are fixed as follows:
  • Members of the Owner role can read and write to the timetable and can assign other members to the Writer and Reader roles.
  • Members of the Writer role can read and write to the timetable.
  • Members of the Reader role can read the timetable.

In the Security Manager, these timetable-related roles are also known as module roles.

Security Manager administrative roles

When you restart the server after installing WebSphere ESB (or upgrading to WebSphere ESB 6.2), the following roles are created:
  • BPMAdmin

    BPMAdmin has the authority to add members to or remove members from the BPMRoleManager role.

    For example, if the person performing the BPMRoleManager role leaves the organization, only BPMAdmin can assign another member to that role.

    BPMAdmin is initially assigned to one member–the primary administrative user. Change this assignment to another member as soon as you restart the server after installation or upgrade.

  • BPMRoleManager

    BPMRoleManager has the authority to add members to or remove members from the three timetable-related roles: Owner, Writer, and Reader.

    For example, if a Holiday timetable is created, the BPMRoleManager assigns members to the HolidayOwner, HolidayWriter, and HolidayReader roles.

    BPMRoleManager is initially assigned to one member–the primary administrative user. Change this assignment to another member as soon as you restart the server after installation or upgrade.

Note: In the Security Manager, these roles are also known as system roles.

Setting up roles

After WebSphere ESB is installed, perform the following tasks in the Security Manager:
  1. The BPMAdmin reassigns the BPMRoleManager role.
  2. The BPMRoleManager assigns members to one of the three roles associated with the timetable.

See the help topic in the Security Manager for information about how to perform these tasks.
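The role model described on this page (the fixed Owner, Writer and Reader permissions, the All Authenticated grant that every new timetable starts with, and the BPMAdmin and BPMRoleManager system roles) can be checked in working code. The following Python script is an added example; it is not code from IBM or from the Security Manager and it does not evaluate XACML policies. The SecurityManager class, the AllAuthenticated label, and the principal and group names (wasadmin, hr_admin, hr_manager, HRSpecialists, Employees, alice, bob, mallory) are assumptions made for illustration. It runs the two setup tasks above against a freshly deployed Holiday timetable and records what an ordinary authenticated user can do before and after the default grant is replaced.

```python
from dataclasses import dataclass, field

# Assumed label for the initial "All Authenticated" grant (the name is an assumption).
ALL_AUTHENTICATED = "AllAuthenticated"

# Fixed permissions of the three module roles, as the page states; they cannot be edited.
MODULE_ROLE_PERMISSIONS = {
    "Owner":  {"read", "write", "assign:Writer", "assign:Reader"},
    "Writer": {"read", "write"},
    "Reader": {"read"},
}


@dataclass
class SecurityManager:
    """Toy model of the Security Manager's role store (not IBM's implementation)."""
    # timetable name -> module role -> members (users, groups, or the All Authenticated grant)
    module_roles: dict = field(default_factory=dict)
    # system role -> members
    system_roles: dict = field(default_factory=lambda: {"BPMAdmin": set(), "BPMRoleManager": set()})
    # principal -> groups it belongs to (stands in for a directory lookup; constructed data)
    groups: dict = field(default_factory=dict)

    @classmethod
    def after_install(cls, primary_admin):
        """After the post-install restart, both system roles hold only the primary administrative user."""
        sm = cls()
        sm.system_roles["BPMAdmin"].add(primary_admin)
        sm.system_roles["BPMRoleManager"].add(primary_admin)
        return sm

    def deploy_timetable(self, name):
        """Deploying a timetable creates Owner/Writer/Reader, each granted to All Authenticated."""
        self.module_roles[name] = {role: {ALL_AUTHENTICATED} for role in MODULE_ROLE_PERMISSIONS}

    def _principals(self, principal):
        return {principal} | self.groups.get(principal, set())

    def holds_module_role(self, principal, timetable, role):
        members = self.module_roles[timetable][role]
        return ALL_AUTHENTICATED in members or bool(self._principals(principal) & members)

    def is_permitted(self, principal, timetable, action):
        """Permit if any module role the principal holds on this timetable grants the action."""
        if timetable not in self.module_roles:
            return False
        return any(action in perms and self.holds_module_role(principal, timetable, role)
                   for role, perms in MODULE_ROLE_PERMISSIONS.items())

    def _may_change_module_role(self, actor, timetable, role):
        # BPMRoleManager may change all three roles; an Owner may change only Writer and Reader.
        if actor in self.system_roles["BPMRoleManager"]:
            return True
        return role in ("Writer", "Reader") and self.is_permitted(actor, timetable, f"assign:{role}")

    def set_module_role_members(self, actor, timetable, role, members):
        if not self._may_change_module_role(actor, timetable, role):
            raise PermissionError(f"{actor} may not change {timetable}{role}")
        self.module_roles[timetable][role] = set(members)

    def set_role_manager(self, actor, members):
        """Only BPMAdmin may change who holds BPMRoleManager."""
        if actor not in self.system_roles["BPMAdmin"]:
            raise PermissionError(f"{actor} is not BPMAdmin")
        self.system_roles["BPMRoleManager"] = set(members)

    def audit_default_grants(self):
        """List (timetable, role) pairs still carrying the All Authenticated grant."""
        return sorted((tt, role) for tt, roles in self.module_roles.items()
                      for role, members in roles.items() if ALL_AUTHENTICATED in members)


def walkthrough():
    """Run the post-install procedure from the page and record the access decisions."""
    sm = SecurityManager.after_install("wasadmin")
    sm.groups = {"alice": {"HRSpecialists", "Employees"}, "bob": {"Employees"}, "mallory": {"Employees"}}
    sm.deploy_timetable("Holiday")
    results = {}

    # Before membership is changed, every authenticated user is effectively an Owner:
    # mallory can write the timetable and can even add herself to HolidayWriter.
    results["mallory_writes_before"] = sm.is_permitted("mallory", "Holiday", "write")
    sm.set_module_role_members("mallory", "Holiday", "Writer", {"mallory"})
    results["unfixed_grants_before"] = sm.audit_default_grants()

    # Task 1: BPMAdmin reassigns BPMRoleManager away from the primary administrative user.
    sm.set_role_manager("wasadmin", {"hr_admin"})
    # Task 2: the new BPMRoleManager replaces the default grants with real membership.
    sm.set_module_role_members("hr_admin", "Holiday", "Owner", {"hr_manager"})
    sm.set_module_role_members("hr_admin", "Holiday", "Writer", {"HRSpecialists"})
    sm.set_module_role_members("hr_admin", "Holiday", "Reader", {"Employees"})
    results["unfixed_grants_after"] = sm.audit_default_grants()
    results["mallory_writes_after"] = sm.is_permitted("mallory", "Holiday", "write")
    results["mallory_reads_after"] = sm.is_permitted("mallory", "Holiday", "read")
    results["alice_writes_after"] = sm.is_permitted("alice", "Holiday", "write")

    # An Owner may delegate Writer and Reader but may not change the Owner role itself.
    sm.set_module_role_members("hr_manager", "Holiday", "Writer", {"HRSpecialists", "bob"})
    try:
        sm.set_module_role_members("hr_manager", "Holiday", "Owner", {"hr_manager", "bob"})
        results["owner_can_change_owner"] = True
    except PermissionError:
        results["owner_can_change_owner"] = False
    # Having lost BPMRoleManager, wasadmin can no longer change timetable roles directly.
    try:
        sm.set_module_role_members("wasadmin", "Holiday", "Reader", {"wasadmin"})
        results["old_admin_can_change"] = True
    except PermissionError:
        results["old_admin_can_change"] = False
    return results


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

walkthrough() returns the decisions as a dictionary; running the script prints them. One caveat the model makes visible: wasadmin still holds BPMAdmin at the end and could hand BPMRoleManager back to itself, which is why the page tells you to reassign BPMAdmin as well after the restart. The model does not implement that reassignment because the page does not state which role is permitted to perform it.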





Last updated: 21 June 2010


http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic//com.ibm.websphere.wesb620.zseries.doc/doc/csec_rolebased.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.