Service integration messaging security uses role-based authorization.
By adding and removing users and groups in access roles you can control who
has access to a secured bus and its resources.
When bus security is enabled, you must add users and groups to access roles
to grant them authority to connect to the bus, and to work with
its messaging resources, for example a destination or a topic space. You can
administer users and groups in access roles either by using the administrative
console, or by using wsadmin reference commands.
Access roles
When you add a user to an access role,
you grant that user all the security permissions contained within the role
type. You can add users to the following access roles:
- Connector role
- Grants the user the permission to connect to the local bus.
- Sender role
- Grants the user the permission to send a message to a destination.
- Receiver role
- Grants the user the permission to receive a message from a destination.
- Browser role
- Grants the user the permission to browse messages on a destination.
- Creator role
- Grants the user the permission to create a temporary destination prefix.
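The page notes that access roles can be administered with wsadmin. The following script is an added example, not IBM's code: it grants the bus connector role and destination roles from a small declarative policy. The AdminTask command names and their -bus, -user, -group, -type, -destination and -role parameters follow the WebSphere wsadmin reference as I recall it, so verify them against the reference for your release; the bus, destination, user and group names are constructed placeholders.

```python
# Added example, not IBM's code: a wsadmin (Jython) helper that grants bus
# access roles from a declarative policy. The AdminTask command names and
# their -bus/-user/-group/-type/-destination/-role parameters follow the
# WebSphere wsadmin reference as I recall it; verify them against the
# reference for your release. Bus, destination, user and group names are
# constructed placeholders.

# Destination roles from this page; the Connector role applies to the bus itself.
DESTINATION_ROLES = ('Sender', 'Receiver', 'Browser', 'Creator')

# Constructed policy: who may connect, and who holds which role on which destination.
POLICY = {
    'bus': 'SecureBus',
    'connectors': {'users': ['orderApp'], 'groups': ['MessagingClients']},
    'destinations': {
        'Orders.In': {'type': 'queue',                      # value for the -type parameter
                      'Sender': {'groups': ['OrderProducers']},
                      'Receiver': {'users': ['orderApp']}},
    },
}

def plan(policy):
    """Translate the policy into (AdminTask command, parameter string) steps."""
    bus = policy['bus']
    steps = []
    for user in policy['connectors'].get('users', []):
        steps.append(('addUserToBusConnectorRole', '[-bus %s -user %s]' % (bus, user)))
    for group in policy['connectors'].get('groups', []):
        steps.append(('addGroupToBusConnectorRole', '[-bus %s -group %s]' % (bus, group)))
    for dest, spec in policy['destinations'].items():
        # Reject anything that is not one of the roles the bus understands.
        unknown = [k for k in spec if k != 'type' and k not in DESTINATION_ROLES]
        if unknown:
            raise ValueError('unknown role(s) for %s: %s' % (dest, unknown))
        for role in DESTINATION_ROLES:
            for user in spec.get(role, {}).get('users', []):
                steps.append(('addUserToDestinationRole',
                              '[-type %s -bus %s -destination %s -role %s -user %s]'
                              % (spec['type'], bus, dest, role, user)))
            for group in spec.get(role, {}).get('groups', []):
                steps.append(('addGroupToDestinationRole',
                              '[-type %s -bus %s -destination %s -role %s -group %s]'
                              % (spec['type'], bus, dest, role, group)))
    return steps

def apply_plan(admin_task, admin_config, steps):
    """Run every step through wsadmin's AdminTask object, then save the configuration."""
    for command, params in steps:
        getattr(admin_task, command)(params)
    admin_config.save()

# Inside wsadmin the AdminTask and AdminConfig objects are predefined; elsewhere
# (for example when reviewing the plan offline) just list the intended calls.
try:
    apply_plan(AdminTask, AdminConfig, plan(POLICY))
except NameError:
    for command, params in plan(POLICY):
        print('AdminTask.%s(%r)' % (command, params))
```

Run it with `wsadmin -lang jython -f grant_roles.py` to apply the plan, or with plain Python to review the exact commands before touching a live cell. Keeping the policy declarative makes it easy to diff the intended grants against what `listUsersInBusConnectorRole` and `listGroupsInDestinationRole` report afterwards.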
Users and groups
Any user or group that you want
to add to an access role must have a definition in the user registry. A user
that belongs to a group that has been added to an access role is authorized
to carry out the operations permitted for that role.
There are three
special types of groups:
- All Authenticated
- Contains all authenticated users. If the All Authenticated group is authorized
to undertake an operation, then all authenticated users are authorized to undertake
it. When a bus is created, an initial set of authorization permissions is
created that allows all users in the All Authenticated group to access all local
destinations. You can change these permissions to restrict access to the specific
users and groups that you want to connect to the bus.
- Everyone
- Contains all users whether or not they are authenticated.
- Server
- Contains every WebSphere® Application Server within
a cell.
Messaging operations
When messaging
security is enabled, all operations on the following resources require authorization:
- Buses
- When a user connects to a local bus, the system checks that the user has
authorization to connect to the bus. For a user who has already connected successfully
to a local bus to send a message to a destination on a foreign bus,
the user requires authorization to access the foreign bus.
- Destinations
- Users require authorization to undertake messaging operations (typically
send, receive, and browse) on a destination.
- Temporary destinations
- A user must have the creator role to create a temporary destination. By
default, the All Authenticated group has the creator role. When an authorized
user (a client application) creates a temporary destination, a temporary destination
prefix is specified. The messaging engine uses the temporary destination prefix
at runtime to determine which operations the client application can perform.
A client application that has the sender role for a temporary destination
prefix is authorized to send messages to the temporary destination.
- Topic spaces and topics
- To access a topic within a topic space, a user must be authorized to access
both the topic space, and the specific topics within this topic space. To
make topic authorizations easier to manage, a topic inherits authorization
permissions from its parent in the topic namespace by default. You can change
inherited permissions for any given topic, or you can disable inheritance
at the topic space level for a given topic space. In this case, the system
checks that the user is authorized to access the topic space, but no further
checks are made at the topic level.
Default authorization permissions
The default authorization
permissions enable you to quickly grant access to all local destinations.
Although the All Authenticated group has full access to all destinations, only
the Server group has the bus connector role. If you want a particular user
to access the bus, you must add that user to the bus connector role for the
bus. When users have the bus connector role, they have full access to the
bus.
The default permissions apply to all destinations in a local bus
namespace, with the following exceptions:
- A destination for which inheritance is disabled
- Foreign destinations
- Alias destinations that have an alias bus name that is not the local bus
name
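The rules in the Users and groups, Messaging operations and Default authorization permissions sections can be exercised with the following model. It is an added example, not IBM's code and not the messaging engine's implementation: grants are kept in dictionaries instead of the bus configuration and user registry, and every bus, destination, topic, user and group name in it is constructed. It covers the special groups, the bus connector check, default permissions and their three exceptions, foreign bus access, and topic inheritance.

```python
# Added example, not IBM's code: an offline model of the authorization rules
# this page describes. All names below are constructed.

ROLES = ('Sender', 'Receiver', 'Browser', 'Creator')   # destination roles

class Principal:
    """A user with its registry groups plus the special-group memberships."""
    def __init__(self, name, groups=(), authenticated=True, server=False):
        self.name, self.groups = name, set(groups)
        self.authenticated, self.server = authenticated, server

    def identities(self):
        """Every name a grant can match: the user, its groups, the special groups."""
        ids = {self.name, 'Everyone'} | self.groups      # Everyone: authenticated or not
        if self.authenticated:
            ids.add('AllAuthenticated')
        if self.server:
            ids.add('Server')
        return ids

def granted(members, principal):
    return bool(members & principal.identities())

class Bus:
    def __init__(self, name):
        self.name = name
        self.connector = {'Server'}                                # default: only Server connects
        self.defaults = {r: {'AllAuthenticated'} for r in ROLES}   # default destination permissions
        self.destinations = {}    # name -> dict(kind, alias_bus, inherit, roles)
        self.topic_spaces = {}    # name -> dict(inherit, root, topics)
        self.foreign_buses = {}   # foreign bus name -> {role: members}

    def add_destination(self, name, kind='queue', alias_bus=None, inherit=True):
        self.destinations[name] = {'kind': kind, 'alias_bus': alias_bus,
                                   'inherit': inherit, 'roles': {r: set() for r in ROLES}}

    def add_topic_space(self, name, inherit=True):
        self.topic_spaces[name] = {'inherit': inherit, 'topics': {},
                                   'root': {r: set() for r in ROLES}}

    def set_topic(self, ts, topic, inherit=True):
        node = {'inherit': inherit, 'roles': {r: set() for r in ROLES}}
        self.topic_spaces[ts]['topics'][topic] = node
        return node

    def defaults_apply(self, dest):
        """Defaults cover local destinations only: not foreign destinations, not
        aliases to another bus, and not destinations with inheritance disabled."""
        if not dest['inherit'] or dest['kind'] == 'foreign':
            return False
        return dest['kind'] != 'alias' or dest['alias_bus'] == self.name

def can_connect(bus, p):
    return granted(bus.connector, p)

def can_use_destination(bus, name, role, p):
    """A connected user needs the role on the destination, explicitly or via defaults."""
    dest = bus.destinations[name]
    if not can_connect(bus, p):
        return False
    if granted(dest['roles'][role], p):
        return True
    return bus.defaults_apply(dest) and granted(bus.defaults[role], p)

def can_send_to_foreign_bus(bus, foreign, p):
    """Sending across buses also needs the Sender role on the foreign bus."""
    return can_connect(bus, p) and granted(bus.foreign_buses[foreign]['Sender'], p)

def can_use_topic(bus, ts_name, topic, role, p):
    """Topic space access is always required; topic checks walk up the namespace."""
    ts = bus.topic_spaces[ts_name]
    if not can_connect(bus, p) or not granted(ts['root'][role], p):
        return False
    if not ts['inherit']:
        return True                    # inheritance off for the topic space: no topic checks
    parts = topic.split('/')
    while parts:                       # nearest topic with its own decision wins
        node = ts['topics'].get('/'.join(parts))
        if node is not None:
            if granted(node['roles'][role], p):
                return True
            if not node['inherit']:
                return False           # this topic does not inherit from its parent
        parts.pop()
    return True                        # fell through to the topic space root grant

def demo():
    """Constructed bus and principals; returns the authorization decisions."""
    bus = Bus('SecureBus')
    bus.add_destination('Orders.In')                           # local queue, defaults apply
    bus.add_destination('Orders.Private', inherit=False)       # explicit grants only
    bus.destinations['Orders.Private']['roles']['Receiver'].add('OrderService')
    bus.add_destination('Remote.Q', kind='foreign')            # never covered by defaults
    bus.add_topic_space('Events')
    bus.topic_spaces['Events']['root']['Receiver'].add('AllAuthenticated')
    bus.set_topic('Events', 'finance', inherit=False)['roles']['Receiver'].add('Finance')
    bus.foreign_buses['PartnerBus'] = {r: set() for r in ROLES}
    bus.connector.update({'orderApp', 'Finance'})              # connector role grants
    app = Principal('orderApp', groups=['OrderService'])
    fin = Principal('fin1', groups=['Finance'])
    guest = Principal('anonymous', authenticated=False)
    return {
        'app_connects': can_connect(bus, app),
        'guest_connects': can_connect(bus, guest),
        'app_sends_orders': can_use_destination(bus, 'Orders.In', 'Sender', app),
        'app_receives_private': can_use_destination(bus, 'Orders.Private', 'Receiver', app),
        'fin_receives_private': can_use_destination(bus, 'Orders.Private', 'Receiver', fin),
        'app_sends_foreign_dest': can_use_destination(bus, 'Remote.Q', 'Sender', app),
        'app_sends_partner_bus': can_send_to_foreign_bus(bus, 'PartnerBus', app),
        'app_reads_events': can_use_topic(bus, 'Events', 'orders/created', 'Receiver', app),
        'app_reads_finance': can_use_topic(bus, 'Events', 'finance/payroll', 'Receiver', app),
        'fin_reads_finance': can_use_topic(bus, 'Events', 'finance/payroll', 'Receiver', fin),
    }

if __name__ == '__main__':
    for check, decision in sorted(demo().items()):
        print('%-24s %s' % (check, decision))
```

The two points worth noticing in the output are the ones that catch people in practice: the unauthenticated principal matches the Everyone group but still cannot connect, because only Server and the explicitly added names hold the connector role; and orderApp, despite full default access, is denied on the foreign destination, on the destination with inheritance disabled, and on the finance topic subtree, because none of those fall back to the default permissions.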