WebSphere Enterprise Service Bus for z/OS, Version 6.2.0 Operating Systems: z/OS


Access control

Access control refers to ensuring that an authenticated user has the permissions necessary to access resources or to perform a specific operation.

When a general user is authenticated to WebSphere® ESB, it is important for security that not every possible operation is available to that user. Allowing some users to perform certain tasks, while denying these tasks to other users, is termed access control.

Access control can be arranged for components that you develop to make them secure. You do this by using service component architecture qualifiers at development time. See the WebSphere Integration Developer Information Center for more information.

Some WebSphere ESB components, packaged as enterprise archive (EAR) files, secure their operation using J2EE role-based security. Details of these components are provided.

In contrast to J2EE role-based security, which secures the operation of components, role-based access control secures resources. For example, within Business Calendar Manager, you can specify the type of access that users have to individual timetables. You use the Security Manager in Business Space to specify, for each timetable, the owner of the timetable as well as those who have writer and reader access to the timetable.

The Business Process Choreographer and the Common Event Infrastructure are installed as part of WebSphere ESB. The role-based security associated with these components is outlined in detail in subsequent topics.

Details of these components are provided below.
Table 1. The .ear files and associated J2EE roles

EAR file               J2EE Role                User Assignment
---------------------  -----------------------  ---------------------------------------------
BPCExplorer_scope      WebClientUser            All Authenticated
BPEContainer_scope     BPEAPIUser               All Authenticated
                       BPESystemAdministrator   Whatever was specified during configuration.
                       BPESystemMonitor         Whatever was specified during configuration.
                       CleanupUser              A user ID that was specified during configuration, or empty.
                       JMSAPIUser               The user ID that was specified during configuration.
BusinessSpaceManager   Administrator            All Authenticated
REST Services Gateway  RestServicesUser         All Authenticated
TaskContainer_scope    TaskAPIUser              All Authenticated
                       TaskSystemAdministrator  Whatever was specified during configuration. This must have the same assignment as BPESystemAdministrator.
                       TaskSystemMonitor        Whatever was specified during configuration. This must have the same assignment as BPESystemMonitor.
                       EscalationUser           The user ID that was specified during configuration.
                       CleanupUser              A user ID that was specified during configuration, or empty.
wpsFEMgr_6.2.0         WBIOperator              Everyone
EventService (*)       eventAdministrator       All Authenticated
                       eventConsumer            All Authenticated
                       eventUpdater             All Authenticated
                       eventCreator             All Authenticated
                       catalogAdministrator     All Authenticated
                       catalogReader            All Authenticated

(*) EventService is a system application and is not listed in the administrative console under Enterprise Applications.

Depending on the deployment target, scope is either node_server or cluster.

In addition, applications make use of securityIdentity or RunAs roles as follows:
Table 2. The .ear files and associated RunAs roles

EAR file               J2EE Role
---------------------  --------------
BPEContainer_scope     JMSAPIUser
                       CleanupUser
TaskContainer_scope    EscalationUser
                       CleanupUser

Depending on the deployment target, scope is either node_server or cluster.
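
The following is an added example, not IBM code: a small Python audit that checks a set of role assignments against the rules stated in Table 1 and Table 2 (the paired administrator and monitor roles must match, and the JMSAPIUser and EscalationUser RunAs roles need a user ID while CleanupUser may be empty). The input dictionary layout, the scope "node01_server1", the user and group names, and the policy of flagging "Everyone" or "All Authenticated" on the configured roles are assumptions made for illustration.

```python
# Special subjects treated as too broad for configured roles (assumed review policy).
BROAD = {"Everyone", "All Authenticated"}
# Roles Table 1 ties to an identity chosen during configuration.
CONFIGURED = {
    "BPEContainer": ["BPESystemAdministrator", "BPESystemMonitor", "JMSAPIUser"],
    "TaskContainer": ["TaskSystemAdministrator", "TaskSystemMonitor", "EscalationUser"],
}
# Roles Table 1 says must carry the same assignment.
PAIRED = [("TaskSystemAdministrator", "BPESystemAdministrator"),
          ("TaskSystemMonitor", "BPESystemMonitor")]
# RunAs roles from Table 2 that need a user ID (CleanupUser may be empty).
RUNAS_REQUIRED = {"BPEContainer": "JMSAPIUser", "TaskContainer": "EscalationUser"}


def audit(mappings):
    """mappings: {ear_name: {role: set of subjects}}; returns sorted findings."""
    # Strip the _scope suffix (node_server or cluster) to get the component name.
    by_component = {ear.split("_", 1)[0]: roles for ear, roles in mappings.items()}
    findings = []
    for component, roles in CONFIGURED.items():
        assigned = by_component.get(component, {})
        for role in roles:
            broad = assigned.get(role, set()) & BROAD
            if broad:
                findings.append(f"{component}/{role}: broad subject {sorted(broad)[0]}")
    bpe = by_component.get("BPEContainer", {})
    task = by_component.get("TaskContainer", {})
    for task_role, bpe_role in PAIRED:
        if task.get(task_role, set()) != bpe.get(bpe_role, set()):
            findings.append(f"{task_role} differs from {bpe_role}")
    for component, role in RUNAS_REQUIRED.items():
        if not by_component.get(component, {}).get(role):
            findings.append(f"{component}/{role}: RunAs role has no user ID")
    return sorted(findings)


# Constructed sample input; none of these names come from a real installation.
SAMPLE = {
    "BPEContainer_node01_server1": {
        "BPESystemAdministrator": {"bpcadmins"}, "BPESystemMonitor": {"bpcmonitors"},
        "JMSAPIUser": {"jmsapi"}, "CleanupUser": set()},
    "TaskContainer_node01_server1": {
        "TaskSystemAdministrator": {"All Authenticated"}, "TaskSystemMonitor": {"bpcmonitors"},
        "EscalationUser": set(), "CleanupUser": set()},
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the constructed sample the audit reports three findings, all on the TaskContainer application; an empty CleanupUser is accepted because both tables allow it.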



Last updated: 21 June 2010


http://publib.boulder.ibm.com/infocenter/dmndhelp/v6r2mx/topic//com.ibm.websphere.wesb620.zseries.doc/doc/csec_accesscontrol.html
Copyright IBM Corporation 2005, 2010. All Rights Reserved.