Administering role-based access control (RBAC)

One of the key features of the IBM WebSphere Business Integration Server is the ability to authorize permissions for users accessing the system using roles, known as Role-based access control (RBAC). Roles can easily be defined by the Administrator and assigned to a group of users, restricting access to key components to verified users only. Roles can be assigned along functional associations and greatly reduce the administrative burden. Assigning a role to a user or users allows them to access only the components of the system included in the role definition.

Use of RBAC functionality ensures that only an Administrator, or users with permission to administer roles, would be allowed to create users and assign roles. If RBAC is not active on the server, any user can create users and roles with no verification.

Note:
When you activate RBAC in InterChange Server Express, the RBAC run time status displays on the System Manager screen.

For information on configuring Role-based access control, see Steps for setting up RBAC.

Note:
The Failed Events Manager uses RBAC functionality to establish roles which administer access control to failed events information.

This section covers the following topics:

Steps for setting up RBAC

Steps for deactivating RBAC

Administering roles

Administering users

Administering user and role assignments

Administering security policy permissions

Administering membership and security policy information

Security Administration

Steps for setting up RBAC

Before setting up RBAC, at least one user must be assigned the role of Administrator. If no user is assigned an Administrator role, the server will always re-boot with RBAC disabled. Perform the following steps to set up role-based access control:

  1. On the Security-RBAC tab (located in the server's Edit Configuration context menu), select the check box for Enable RBAC.
  2. Select the user registry to which to apply role-based access controls, that is, Repository or LDAP.
    Note:
    If you select the LDAP user registry, you must ensure that the server privacy keystore is set up in order to assure correct functioning.
  3. In the Server Start User Name field, enter the user name to start the server.
  4. In the Server Start Password field, enter the password associated with the username.
  5. If you selected Repository, enter details in the following fields:
  6. If you selected LDAP, enter details in the following fields:
  7. To turn on Audit settings, select the check box for Enable Audit and enter details in the following fields:

Steps for deactivating RBAC

Perform the following steps to deactivate RBAC:

  1. On the Security-RBAC tab, select the check box for Enable RBAC. Disabling RBAC functionality causes all the fields in the display to become grayed.

Administering roles

Role-based access control (RBAC) supports multiple users and enhanced security features based on roles. A role is a collection of users who share common functionality. Grouping functions into roles allows the administrator to work more effectively by reducing the burden of assigning permissions individually.

If a role is no longer necessary for the functioning of the server, you may choose to delete that role from the listing. Once a role is deleted, all role references are removed from the applicable users.

Note:
The Failed Events Manager also uses RBAC functionality to establish roles which administer access control to failed events information.

Steps for creating roles

Perform the following steps to create a role:

  1. Right click on the server name and select Users and Roles from the listing.
  2. On the Users and Roles Management tab, select the Roles tab.
  3. Right click on the main Roles folder and select New Role. This displays the Role Name dialog box.
  4. Enter the role name. Once you name a role, it cannot be renamed.
  5. Enter a role description, if necessary. Role description is an optional field.
  6. Select OK.

Steps for deleting roles

Perform the following steps to delete a role:

Note:
The administrator role is the default role and cannot be deleted. Role names are case-sensitive.
  1. Right click on the server name and select Users and Roles from the listing.
  2. Right click on the role and select Delete Role.
  3. When prompted, select OK to delete the role. Once you delete a role, it cannot be restored.

Administering users

On the User and Roles Management screen, roles are listed downward in a tree directory display. You can assign a user to any number of roles. Users assigned to a role are listed in the tree directory beneath the role to which they are assigned, making for a quick and easy scan of permissions and responsibilities.

Additionally, you can import or export user information for use with the RBAC functionality.

Steps for adding users

Perform the following steps to add users to RBAC:

  1. Right click on the server name and select Users and Roles from the listing.
  2. On the Users and Roles Management tab, select the Users tab.
  3. Right click on the main Users folder and select New User. This displays the Create User dialog box.
  4. In the Username field, enter the name of the user.
  5. In the Password field, enter the password for the user.
  6. Confirm the password.
  7. Add information in the Distinguished Name, Common Name and Surname fields.
  8. Select OK.

Steps for deleting users

Perform the following steps to delete users from RBAC:

Note:
Guest is the only default user and cannot be deleted.
  1. Right click on the server name and select Users and Roles from the listing.
  2. Right click on the user and select Delete User.
  3. When prompted, select OK to delete the user. Deleting a user removes the user from all pre-assigned roles.

Steps for Importing users and passwords

Perform the following steps to import users and passwords into RBAC:

Note:
When DATABASE is the user registry, support is available for importing users. However, this function is not supported for the LDAP user registry. It is recommended that you create a central user registry database or central LDAP registry, enabling multiple InterChange Server Express machines to use this central repository as opposed to transferring the user registry across various InterChange Server Express machines.
  1. Right click on the server name and select Import > User Registry. This displays the Import dialog box, where you specify the path for the binary file. This path should be valid on the server machine which is running the InterChange Server Express.
  2. Select the file to import.

Steps for exporting users and passwords

Perform the following steps to export users and passwords from RBAC:

Note:
When DATABASE is the user registry, support is available for exporting users. However, this function is not supported for the LDAP user registry. It is recommended that you create a central user registry database or central LDAP registry, enabling multiple InterChange Server Express machines to use this central repository as opposed to transferring the user registry across various InterChange Server Express machines.
  1. Right click on the server name and select Export > User Registry. This displays the Export dialog box, where you can specify the file path.
  2. Select the destination for the file to export. This path should be valid on the server machine which is running the InterChange Server.

Administering user and role assignments

Assigning roles to the available users greatly reduces the burden upon the administrator to assign individual permissions to vital functionality. Users can be assigned to numerous roles, all regulated by the user's login ID. Users assigned to a role are listed in the tree directory beneath the role to which they are assigned.

Steps for assigning roles to users

Perform the following steps to assign roles to users:

  1. Right click on the server name and select Users and Roles.
  2. From the listing, select the user to which you want to assign roles.
  3. Right click on the user name and select Add Role. This displays the Add Role dialog box, which lists all available roles.
  4. Select single or multiple roles to assign to the user.
  5. Select OK.

Steps for removing users from roles

Perform the following steps to remove users from the roles listing:

  1. Right click on the server name and select Users and Roles.
  2. From the listing, select the user you want to remove from the role permissions.
  3. Right click on the user name and select Remove Role.
  4. When prompted, select OK. This removes the user from the role listing and removes all role permissions from the user profile.

Administering security policy permissions

As an administrator, you can assign permissions to default roles within RBAC. These security policies are listed in a tree directory, along with the operations that each role is allowed to access.

Table 16 lists the operations that can be secured in a server.

Table 16. Secured Server Operations
Securable component      Access-controlled operations
Server
  1. Start
  2. Shut Down
  3. Security/Administering users/Roles
  4. Monitoring
  5. View Failed Events
  6. Deploy
  7. Export
  8. Delete
  9. Compile
  10. Export config files
  11. Deploy config files
Collaboration Templates
  1. Compile
Collaboration Objects
  1. Start
  2. Stop
  3. Pause
  4. Shutdown
  5. Execute (AccessFramework call)
  6. Resolve transactional status
  7. Submit Failed events
  8. Delete Failed events
  9. Cancel LLBP flow
Connectors
  1. Start
  2. Stop
  3. Pause
  4. ShutDown Agent
  5. Submit Failed Events
  6. Delete Failed Events
Business Objects
Business Rules
  1. Start
  2. Stop
  3. Pause
Maps
  1. Compile
  2. Start
  3. Stop
Relationships
  1. Start
  2. Stop
BenchMark
  1. Start
  2. Stop
Scheduler
DBConnectionCache
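The following is an added example, not IBM's code or the product's API: a constructed model of the RBAC rules this page describes (the administrator precondition for enabling RBAC, unverified access while RBAC is disabled, role and user assignments, and security-policy grants validated against a subset of the Table 16 operations). The role name "administrator" and the component and operation strings are taken from the page; the class and method names are assumptions.

```python
# Constructed model of the RBAC rules described on this page (added example,
# not IBM's code). Role names and Table 16 operations are taken from the page.
ADMIN_ROLE = "administrator"   # default role; cannot be deleted; case-sensitive

# Subset of Table 16: securable component -> access-controlled operations
SECURED_OPERATIONS = {
    "Server": {"Start", "Shut Down", "Security/Administering users/Roles",
               "Monitoring", "View Failed Events", "Deploy", "Export",
               "Delete", "Compile", "Export config files", "Deploy config files"},
    "Connectors": {"Start", "Stop", "Pause", "ShutDown Agent",
                   "Submit Failed Events", "Delete Failed Events"},
    "Maps": {"Compile", "Start", "Stop"},
}

class Rbac:
    def __init__(self):
        self.enabled = False
        self.roles = {ADMIN_ROLE: set()}   # role -> {(component, operation)}
        self.users = {}                    # user -> {role}

    def create_role(self, role):
        self.roles.setdefault(role, set())

    def delete_role(self, role):
        if role == ADMIN_ROLE:
            raise ValueError("the default administrator role cannot be deleted")
        del self.roles[role]                    # KeyError if unknown (case-sensitive)
        for assigned in self.users.values():    # all role references are removed
            assigned.discard(role)

    def assign_role(self, user, role):
        if role not in self.roles:
            raise KeyError(role)
        self.users.setdefault(user, set()).add(role)

    def grant(self, role, component, operation):
        if operation not in SECURED_OPERATIONS.get(component, ()):
            raise ValueError(f"{operation} is not a secured operation on {component}")
        self.roles[role].add((component, operation))

    def enable(self):
        # Setup precondition: without a user in the administrator role, the
        # server always restarts with RBAC disabled.
        self.enabled = any(ADMIN_ROLE in r for r in self.users.values())
        return self.enabled

    def is_allowed(self, user, component, operation):
        if not self.enabled:                    # no verification while RBAC is off
            return True
        return any((component, operation) in self.roles[r]
                   for r in self.users.get(user, ()))
```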

Administering membership and security policy information

Administrators can import membership and security policy information to be used with the RBAC functionality from any authorized server. Conversely, membership and security policy information can also be exported to a file for use on an additional server or for storage.

Importing membership and security policy information

Perform the following steps to import membership or security policy information:

  1. Right click on the server name and select Import Roles and Security Policy. This displays the Import dialog box, where you can specify the file path.
  2. Select the file to import. If you import information when the User/Roles Management view is active, the changes will not display until you close and re-open the view.
Note:
You may also import information using the -xmsp option of repos_copy. For information on using repos_copy, refer to Using repos_copy.

Exporting membership and security policy information

Perform the following steps to export membership or security policy information:

  1. Right click on the server name and select Export Roles and Security Policy. This displays the Export dialog box, where you can specify the file path.
  2. Select the destination for the file to export.
Note:
You may also export information using the -xmsp option of repos_copy. For information on using repos_copy, refer to Using repos_copy.

Security Administration

As an administrator, you can monitor the use of the roles in RBAC using the security administration functionality. The InterChange Server Express lists active users in a table, which displays username, session ID, and the amount of time the user has spent logged onto the server.

Note:
It is recommended that you refresh the user listing occasionally to retain an accurate user display. Refresh the user listing by selecting the Refresh option on the Context menu.

Viewing active users

Perform the following steps to view active users:

  1. Right click on the server name and select Security Administration. This opens a dialog box which displays all active users in table format.

Logging out active users

Perform the following steps to log active users off the server:

  1. To log the user out of all sessions, select the user to log out from the active user listing.
  2. To log the user out of the selected session, select Logout Session.

Copyright IBM Corp. 2004, 2005