Messaging security uses a simple role model in which a role contains
the authorization permission required to perform a given operation. If messaging
security is switched on, you must give any users who connect to a bus permission
to carry out the operations that they need to perform. You do this by assigning
them to the appropriate role or roles.
Note: A user is the entity that performs an operation such
as initiating the sending of a message to a destination.
Roles
When you assign a user to a role, this grants
the user all of the permissions that the role contains. Users can belong to
groups, which are defined in the user registry, and you can also assign a
group to a role. In this case, all the users who are members of the group
are authorized to carry out the operations for which this role contains permissions.
There are two special groups of users:
- AllAuthenticated, which contains all authenticated users. If the AllAuthenticated
group is authorized to perform an operation, then all authenticated users
are authorized to perform it. When a bus is created, an initial set of authorization
permissions is created that allows all users in the AllAuthenticated group
access to the bus and to all local destinations.
You can change these permissions to restrict access to the specific users
and groups that you want to connect to the bus.
- Everyone, which contains all users whether or not they are authenticated.
You can assign a user or group to the following types of roles:
- Connector, which contains permission to connect to
the local bus.
- Sender, which contains permission to send (produce) a
message to the destination.
- Receiver, which contains permission to receive (consume)
a message from the destination.
- Browser, which contains permission to browse messages
on the destination.
- Creator, which contains permission to create a temporary
destination based on the temporary destination prefix to which the role is assigned.
This role applies only to prefix destinations; see Destinations below.
- IdentityAdopter, which contains permission to send
a message using a different user identity. This cannot be used from JMS.
Operations requiring authorization
When messaging security is switched on, all operations on the following objects
require authorization:
- Buses: When a user connects to a local bus, before the user is allowed to perform
any further operations, a check is made that this user has permission to connect
to this bus. If a user connected to a local bus wants to send a message to
a destination in a foreign bus, the user must also be authorized to access
the foreign bus.
- Destinations: Users require authorization to send, receive, or browse all types
of destination. Users who create a temporary destination need to be granted
create permission on the destination prefix on which the temporary destination
is based. The authorization permissions of a temporary destination are the same
as those of the destination prefix on which it is based. The name of this
special destination prefix appears as a prefix in the temporary destination
name.
- Topic spaces and topics: To access a topic within a topic space, a user must
be authorized to access both the topic space and the specific topics within
this topic space. To make topic authorizations easier to manage, a topic by
default inherits authorization permissions from its parent in the topic
namespace. However, you can change these inherited permissions for any given
topic, or you can turn this level of authorization off altogether for a topic
space, in which case a check is made that the user is authorized to access the
topic space, but no further checks are made at the topic level.
Default authorization permissions
The default authorization permissions provide you with a way of quickly granting
access to all local destinations. When a bus is created, the default permissions
are given initial values which grant all authenticated users access to all
local destinations. If you are using mediations, you may want to use the default
permissions to grant the mediations user default access to all local destinations.
The default permissions apply to all destinations in a local bus namespace. The
default permissions are added to any specific permissions that you define
for an individual local destination. You can, if required, turn off the inheritance
of the default permissions for an individual destination, in which case only
the specific permissions that you create for this destination are used for
authorization checking.
For topic spaces,
the default permissions are used for checking a user's authorization to access
the topic space itself, and
the virtual root of the topic space.
For alias destinations, the default
permissions are added to the specific permissions for an individual alias
destination, if the alias name (that is, the name of the alias itself, not
the target destination name of the alias) is in the local bus namespace. If
the alias destination is in the namespace of another bus, the default permissions
do not apply.
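The role model, the bus-connect, destination, temporary-destination and topic checks, and the default-permission inheritance described on this page, written up as an added Python model (example code, not the messaging product's own implementation). Only the special group names and the role names come from the page; the class, method and sample group names are assumptions, and the rule that a topic takes the nearest ancestor's explicit entry is a simplified reading of "inherits from its parent".

```python
ALL_AUTHENTICATED, EVERYONE = "AllAuthenticated", "Everyone"

def principals(name, groups=(), authenticated=True):
    # Names an authorization entry can match for this user: itself, its registry groups,
    # Everyone always, and AllAuthenticated only when the user is authenticated.
    return {name, EVERYONE, *groups} | ({ALL_AUTHENTICATED} if authenticated else set())

class Bus:
    def __init__(self):
        # A new bus starts with all authenticated users able to connect and, via the
        # default permissions, to send, receive and browse every local destination.
        self.connector = {ALL_AUTHENTICATED}
        self.default = {r: {ALL_AUTHENTICATED} for r in ("Sender", "Receiver", "Browser")}
        self.dest = {}          # name -> (roles {role: principals}, inherit defaults?)
        self.prefixes = {}      # temporary destination prefix -> {role: principals}
        self.topics = {}        # (topic space, topic path) -> {role: principals}
        self.topic_checks = {}  # topic space -> topic-level checks on? (default True)

    def can_connect(self, who):
        return bool(who & self.connector)

    def authorized(self, who, dest, role):
        # Connect check first, then the destination's own roles plus (unless inheritance is
        # turned off for this destination) the bus-wide default permissions.
        roles, inherit = self.dest.get(dest, ({}, True))
        allowed = set(roles.get(role, ())) | (self.default.get(role, set()) if inherit else set())
        return self.can_connect(who) and bool(who & allowed)

    def temp_authorized(self, who, temp_name, role):
        # A temporary destination carries the permissions of the prefix its name starts
        # with; creating one needs the Creator role on that prefix.
        for prefix, roles in self.prefixes.items():
            if temp_name.startswith(prefix):
                return self.can_connect(who) and bool(who & roles.get(role, set()))
        return False

    def topic_authorized(self, who, space, topic, role):
        # The topic space root is checked like a destination (default permissions apply);
        # then the topic uses the nearest ancestor's explicit entry (assumed inheritance model).
        if not self.authorized(who, space, role):
            return False
        if not self.topic_checks.get(space, True):
            return True  # topic-level authorization turned off for this topic space
        parts = topic.split("/")
        for depth in range(len(parts), 0, -1):
            entry = self.topics.get((space, "/".join(parts[:depth])), {})
            if role in entry:
                return bool(who & entry[role])
        return True  # no explicit topic entry at any level: the root check already passed
```

The model makes the page's two easily missed points testable: an Everyone entry on a destination still does nothing for an unauthenticated user until the Connector role admits them, and turning default inheritance off for a destination removes the AllAuthenticated grant that a new bus hands out.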