Administering role-based access control (RBAC)

One of the key features of the IBM WebSphere InterChange Server is the ability to authorize permissions for users accessing the system using roles, known as Role-based access control (RBAC). Roles can easily be defined by the Administrator and assigned to a group of users, restricting access to key components to verified users only. Roles can be assigned along functional associations and greatly reduce the administrative burden. Assigning a role to a user or users allows them to access only the components of the system included in the role definition.

Use of RBAC functionality ensures that only an Administrator, or users with permission to administer roles, are allowed to create users and assign roles. If RBAC is not active on the server, any user can create users and roles with no verification.

Note:
When you activate RBAC in InterChange Server, the RBAC run time status displays on the System Manager screen.

For information on configuring Role-based access control, see Steps for configuring RBAC security. For in-depth information on Role-based access control concepts and functionality, refer to the Technical Introduction to IBM WebSphere InterChange Server.

Note:
The Failed Events Manager uses RBAC functionality to establish roles which administer access control to failed events information. For more information on the Failed Events Manager, refer to the Problem Determination Guide.

This section covers the following topics:

Steps for setting up RBAC

Steps for deactivating RBAC

Administering roles

Administering users

Administering user and role assignments

Administering security policy permissions

Administering membership and security policy information

Administering the RBAC password

Security Administration

Steps for setting up RBAC

Before setting up RBAC, at least one user must be assigned the role of Administrator. If no user is assigned an Administrator role, the server will always re-boot with RBAC disabled. Perform the following steps to set up role-based access control:

  1. On the Security-RBAC tab, select the check box for Enable RBAC.
  2. Select the user registry to which to apply role-based access controls, that is, Repository or LDAP.
    Note:
    If you select the LDAP user registry, you must ensure that the server privacy keystore is set up in order to assure correct functioning.
  3. In the Server Start User Name field, enter the user name to start the server.
  4. In the Server Start Password field, enter the password associated with the username.
  5. If you selected Repository, enter details in the following fields:
  6. If you selected LDAP, enter details in the following fields:
  7. To turn on Audit settings, select the check box for Enable Audit and enter details in the following fields:

Steps for deactivating RBAC

Perform the following steps to deactivate RBAC:

  1. On the Security-RBAC tab, clear the check box for Enable RBAC. Disabling RBAC functionality causes all the fields in the display to become grayed.

Administering roles

Role-based access control (RBAC) supports multiple users and enhanced security features based on roles. A role is a collection of users who share common functionality. Grouping functions into roles allows the administrator to work more effectively by reducing the burden on the administrator during the assignment of permissions.

If a role is no longer necessary for the functioning of the server, you may choose to delete that role from the listing. Once a role is deleted, all role references are removed from the applicable users.

Note:
The Failed Events Manager also uses RBAC functionality to establish roles which administer access control to failed events information. For more information on the Failed Events Manager, refer to the Problem Determination Guide.

Steps for creating roles

Perform the following steps to create a role:

  1. On the Context Menu, select New Role. This displays the Role Name dialog box.
  2. Enter the role name. Once you name a role, it cannot be renamed.
  3. Enter a role description, if necessary. Role description is an optional field.

Steps for deleting roles

Perform the following steps to delete a role:

Note:
The role administrator is the default and cannot be deleted. It is case-sensitive.
  1. On the Context Menu, select Delete Role.
  2. Select the role name. Once you delete a role, it cannot be restored.

Administering users

On the User and Roles Management screen, roles are listed downward in a tree directory display. You can assign a user to any number of roles. Users assigned to a role are listed in the tree directory beneath the role to which they are assigned, making for a quick and easy scan of permissions and responsibilities.

Additionally, you can import or export user information for use with the RBAC functionality.

Steps for adding users

Perform the following steps to add users to RBAC:

  1. On the Context Menu, select New User. This displays the New User dialog box.
  2. In the Username field, enter the name of the user.
  3. In the Password field, enter the password for the user.

Steps for deleting users

Perform the following steps to delete users from RBAC:

Note:
Guest is the only default user and cannot be deleted.
  1. On the Context Menu, select Delete User.
  2. Select the user name. This removes the user from all pre-assigned roles.

Steps for importing users and passwords

Perform the following steps to import users and passwords into RBAC:

Note:
When DATABASE is the user registry, support is available for importing users. However, this function is not supported for the LDAP user registry. It is recommended that you create a central user registry database or central LDAP registry, enabling multiple InterChange Server machines to use this central repository as opposed to transferring the user registry across various InterChange Server machines.
  1. On the Context Menu, select Import >> User Registry. This displays the Import dialog box, where you specify the path for the binary file. This path should be valid on the server machine which is running the InterChange Server.
  2. Select the file to import.

Steps for exporting users and passwords

Perform the following steps to export users and passwords from RBAC:

Note:
When DATABASE is the user registry, support is available for exporting users. However, this function is not supported for the LDAP user registry. It is recommended that you create a central user registry database or central LDAP registry, enabling multiple InterChange Server machines to use this central repository as opposed to transferring the user registry across various InterChange Server machines.
  1. On the Context Menu, select Export >> User Registry. This displays the Export dialog box, where you can specify the file path.
  2. Select the destination for the file to export. This path should be valid on the server machine which is running the InterChange Server.

Administering user and role assignments

Assigning roles to the available users greatly reduces the burden upon the administrator to assign individual permissions to vital functionality. Users can be assigned to numerous roles, all regulated by the user's login ID. Users assigned to a role are listed in the tree directory beneath the role to which they are assigned.

Steps for assigning roles to users

Perform the following steps to assign roles to users:

  1. On the Context Menu, select the user to which you want to assign roles.
  2. Select Add Role. This displays the Add Role dialog box, which lists all available roles.
  3. Select single or multiple roles to assign to the user. This lists the assigned users under the roles display.

Steps for removing users from roles

Perform the following steps to remove users from the roles listing:

  1. On the Context Menu, select the user you want to remove from the role permissions.
  2. Select Remove Role. This removes the user from the role listing and removes all role permissions from the user profile.

Administering security policy permissions

As an administrator, you can assign permissions to default roles within RBAC. These security policies are listed in a tree directory, along with the operations that each role is allowed to access.

Table 23 lists the operations that can be secured in a server.

Table 23. Secured Server Operations

Securable component / Access-controlled operations
Server
  1. Start
  2. Shut Down
  3. Security/Administering users/Roles
  4. Monitoring
  5. View Failed Events
  6. Deploy
  7. Export
  8. Delete
  9. Compile
  10. Export config files
  11. Deploy config files

Collaboration Templates
  1. Compile

Collaboration Objects
  1. Start
  2. Stop
  3. Pause
  4. Shutdown
  5. Execute (AccessFramework call)
  6. Resolve transactional status
  7. Submit Failed events
  8. Delete Failed events
  9. Cancel LLBP flow

Connectors
  1. Start
  2. Stop
  3. Pause
  4. ShutDown Agent
  5. Submit Failed Events
  6. Delete Failed Events

Business Objects

Maps
  1. Compile
  2. Start
  3. Stop

Relationships
  1. Start
  2. Stop

BenchMark
  1. Start
  2. Stop

Scheduler

DBConnectionCache
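The following Python model is an added illustration, not product code from InterChange Server: it shows how the role, user and security policy data described on this page fit together (roles hold permissions drawn from the operations in Table 23, users hold role assignments, deleting a role drops it from every user, the default administrator role is protected by an exact case-sensitive match, and RBAC cannot start without an administrator). The component subset, the role name "operator" and the user names are constructed for the example.

```python
# Constructed model of the RBAC data described on this page (not product code).
# Component and operation names come from Table 23; role and user names are made up.
ADMIN_ROLE = "administrator"   # default role: case-sensitive, cannot be deleted
DEFAULT_USER = "guest"         # only default user: cannot be deleted

# Subset of Table 23: securable component -> access-controlled operations.
SECURED_OPERATIONS = {
    "Server": {"Start", "Shut Down", "Security/Administering users/Roles",
               "Monitoring", "View Failed Events", "Deploy", "Export", "Delete"},
    "Connectors": {"Start", "Stop", "Pause", "ShutDown Agent",
                   "Submit Failed Events", "Delete Failed Events"},
    "Maps": {"Compile", "Start", "Stop"},
}


class RbacPolicy:
    def __init__(self):
        # role -> set of (component, operation); the default role administers users/roles
        self.roles = {ADMIN_ROLE: {("Server", "Security/Administering users/Roles")}}
        self.users = {DEFAULT_USER: set()}      # user -> set of role names

    def create_role(self, name, permissions=()):
        if name in self.roles:                  # names are fixed once created
            raise ValueError(f"role {name!r} already exists")
        for component, operation in permissions:
            if operation not in SECURED_OPERATIONS.get(component, ()):
                raise ValueError(f"{operation!r} is not a secured operation of {component!r}")
        self.roles[name] = set(permissions)

    def delete_role(self, name):
        if name == ADMIN_ROLE:                  # exact, case-sensitive match
            raise PermissionError("the default administrator role cannot be deleted")
        del self.roles[name]
        for assigned in self.users.values():    # drop every reference to the role
            assigned.discard(name)

    def add_user(self, name, roles=()):
        unknown = set(roles) - set(self.roles)
        if unknown:
            raise KeyError(f"unknown roles: {sorted(unknown)}")
        self.users[name] = set(roles)

    def may(self, user, component, operation):
        # A user may perform an operation only if one of the user's roles grants it.
        return any((component, operation) in self.roles[r]
                   for r in self.users.get(user, ()))

    def rbac_can_start(self):
        # Without any user in the administrator role, the server restarts with RBAC disabled.
        return any(ADMIN_ROLE in roles for roles in self.users.values())
```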

Administering membership and security policy information

Administrators can import membership and security policy information to be used with the RBAC functionality from any authorized server. Conversely, membership and security policy information can also be exported to a file for use on an additional server or for storage.

Importing membership and security policy information

Perform the following steps to import membership or security policy information:

  1. On the Context Menu, select Import Roles and Security Policy. This displays the Import dialog box, where you can specify the file path.
  2. Select the file to import. If you import information when the User/Roles Management view is active, the changes will not display until you close and re-open the view.

Note:
You may also import information using the -xmsp option of repos_copy. For information on using repos_copy, refer to Using repos_copy.

Exporting membership and security policy information

Perform the following steps to export membership or security policy information:

  1. On the Context Menu, select Export Roles and Security Policy. This displays the Export dialog box, where you can specify the file path.
  2. Select the destination for the file to export.

Note:
You may also export information using the -xmsp option of repos_copy. For information on using repos_copy, refer to Using repos_copy.

Administering the RBAC password

Each user in RBAC has an associated password. When a user logs in to the server, the password is used to verify the user's identity and the roles assigned to the user. Occasionally, it may become necessary to change or reset the user password. Perform the following steps to reset the user password:

  1. On the Context Menu, highlight the user for whom you'd like to reset the password.
  2. Select Reset Password. This displays the Reset Password dialog box, with the username populated.
  3. In the New Password field, enter the new password.
  4. In the Confirm Password field, enter the new password again. The password is now reset.

Security Administration

As an administrator, you can monitor the use of the roles in RBAC using the security administration functionality. The InterChange Server lists active users in a table, which displays username, session ID, and the amount of time the user has spent logged onto the server.

Note:
It is recommended that you refresh the user listing occasionally to retain an accurate user display. Refresh the user listing by selecting the Refresh option on the Context menu.

Viewing active users

Perform the following steps to view active users:

  1. On the Context menu, select Security Administration. This opens a dialog box which displays all active users in table format.

Logging out active users

Perform the following steps to log active users off of the server:

  1. To log the user out of all sessions, select Log Out on the Context menu.
  2. To log the user out of the selected session only, select Log Out Session on the Context menu.

Copyright IBM Corp. 1997, 2004