WebSphere Message Broker, Version 8.0.0.7
Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS
See information about the latest product version
Tasks and authorizations for administration security
If you have enabled broker administration security, users require specific authority so that they can complete administration tasks.
The following table shows the list of actions that a user can perform, and the authorizations that you must set to allow them to complete these tasks when broker administration security is enabled. The authority is required regardless of the way in which the user requests the action: from a CMP API application, the WebSphere® Message Broker Explorer, or the WebSphere Message Broker Toolkit.
In addition to the permissions for the specific tasks that are shown in the following table, you must also be able to connect to the broker. For more information, see Authorizing users for administration. Web users also require the following permissions to use the web user interface:
- GET and PUT authority on the queue SYSTEM.BROKER.WEBADMIN.SUBSCRIPTION
- SUBSCRIBE and PUBLISH authority on the topic SYSTEM.BROKER.MB.TOPIC
| Task category | Tasks | Authorization | Queue |
|---|---|---|---|
| Broker | Set broker properties | Read and write | SYSTEM.BROKER.AUTH |
| | View broker properties | Read | SYSTEM.BROKER.AUTH |
| Configurable services | Create or delete configurable services | Read and write | SYSTEM.BROKER.AUTH |
| | Set configurable services properties | Read and write | SYSTEM.BROKER.AUTH |
| | View configurable services properties | Read | SYSTEM.BROKER.AUTH |
| Execution groups | Create or delete execution groups | Read and write | SYSTEM.BROKER.AUTH |
| | Rename execution groups | Read and write | SYSTEM.BROKER.AUTH |
| | List execution groups | Read | SYSTEM.BROKER.AUTH |
| | Start or stop execution groups | Read | SYSTEM.BROKER.AUTH |
| | | Execute | SYSTEM.BROKER.AUTH or SYSTEM.BROKER.AUTH.EG |
| | Set execution group properties | Read | SYSTEM.BROKER.AUTH |
| | | Write | SYSTEM.BROKER.AUTH.EG |
| | View execution group properties | Read | SYSTEM.BROKER.AUTH |
| | | Read | SYSTEM.BROKER.AUTH.EG |
| Resource statistics | Start or stop resource statistics collection | Read | SYSTEM.BROKER.AUTH |
| | | Execute | SYSTEM.BROKER.AUTH.EG (see note 1) |
| | Report resource statistics | Read | SYSTEM.BROKER.AUTH |
| | | Read | SYSTEM.BROKER.AUTH.EG (see note 2) |
| Message flows | Deploy | Read | SYSTEM.BROKER.AUTH |
| | | Write | SYSTEM.BROKER.AUTH.EG |
| | List message flows and other deployed objects | Read | SYSTEM.BROKER.AUTH |
| | | Read | SYSTEM.BROKER.AUTH.EG |
| | Start or stop message flows | Read | SYSTEM.BROKER.AUTH |
| | | Execute | SYSTEM.BROKER.AUTH.EG |
| | Delete resources from an execution group | Read | SYSTEM.BROKER.AUTH |
| | | Write | SYSTEM.BROKER.AUTH.EG |
| Web user interface | Logon to the web user interface | Read | SYSTEM.BROKER.AUTH |
| | Create, delete, or modify web users | Write | SYSTEM.BROKER.AUTH |
| | Changing a web user's password in the web user interface (supplying the old password) | Read | SYSTEM.BROKER.AUTH |
| Record and replay | View recorded data with record and replay (apart from bit stream and exception-list data) | Read | SYSTEM.BROKER.AUTH, SYSTEM.BROKER.AUTH.EG (see note 4), and SYSTEM.BROKER.DC.AUTH |
| | View recorded data with record and replay (bit stream or exception-list data) | Read | SYSTEM.BROKER.DC.AUTH |
| | Replay data | Read and execute | SYSTEM.BROKER.DC.AUTH |

Notes:
1. If you are changing resource statistics collection for all execution groups on the broker, you must grant execute authority for all execution groups.
2. If you are reporting resource statistics collection for all execution groups on the broker, you must grant read authority for all execution groups.
3. In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the name of your execution group.
4. In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the value of the egForView property that you specify in your DataCaptureStore configurable service.
5. In the queue name SYSTEM.BROKER.AUTH.EG, the EG refers to the value of the egForReplay property that you specify in your DataDestination configurable service.
If you grant a user ID authority at the broker level (on queue SYSTEM.BROKER.AUTH), it does not inherit authority for execution groups. You must explicitly grant authority to all, or to individual, execution groups.
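The following is an added example, not IBM code or part of the product documentation: a small least-privilege review that encodes a few rows of the table and reports which grants a role is missing and which it holds without needing. The task keys, the `review` helper, the execution group names and the operator's grants are all hypothetical, constructed for illustration.

```python
BROKER_Q = "SYSTEM.BROKER.AUTH"

# (authority, scope) pairs per task, copied from rows of the table above.
# Scope "eg" means the per-execution-group queue SYSTEM.BROKER.AUTH.EG.
REQUIRED = {
    "set_broker_properties": [("read", "broker"), ("write", "broker")],
    "deploy": [("read", "broker"), ("write", "eg")],
    "list_flows": [("read", "broker"), ("read", "eg")],
    "start_stop_flows": [("read", "broker"), ("execute", "eg")],
    "start_stop_resource_stats": [("read", "broker"), ("execute", "eg")],
    "report_resource_stats": [("read", "broker"), ("read", "eg")],
}

def required_grants(task, egs):
    """(queue, authority) pairs needed to run `task` against each group in `egs`."""
    need = set()
    for authority, scope in REQUIRED[task]:
        if scope == "broker":
            need.add((BROKER_Q, authority))
        else:
            # No inheritance from the broker queue: one grant per execution group.
            need.update((f"{BROKER_Q}.{eg}", authority) for eg in egs)
    return need

def review(role_tasks, egs, grants):
    """Return (missing, excess) grants for a role limited to `role_tasks`."""
    need = set()
    for task in role_tasks:
        need |= required_grants(task, egs)
    have = set(grants)
    return sorted(need - have), sorted(have - need)

# Constructed sample data: two execution groups and one operator's grants.
ALL_EGS = ["default", "payments"]
OPERATOR_GRANTS = [
    (BROKER_Q, "read"),
    (BROKER_Q, "write"),  # broker-level write, not needed to run flows
    (f"{BROKER_Q}.default", "execute"),
]

if __name__ == "__main__":
    missing, excess = review(
        ["start_stop_flows", "start_stop_resource_stats"], ALL_EGS, OPERATOR_GRANTS
    )
    print("missing:", missing)
    print("excess:", excess)
```

For the sample operator, the review flags the absent execute grant on the second execution group (broker-level authority does not cover it) and the unneeded write grant on the broker queue.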