One of the key features of the IBM WebSphere InterChange Server is the
ability to authorize permissions for users accessing the system through roles,
known as Role-based access control (RBAC). The Administrator defines roles
and assigns them to groups of users, so that access to key components is
restricted to authenticated users who hold the appropriate role. Roles can be
defined along functional lines, which greatly reduces the administrative
burden: assigning a role to one or more users allows them to access only the
components of the system included in the role definition.
Use of RBAC functionality ensures that only an Administrator, or users with
permission to administer roles, are allowed to create users and assign
roles. If RBAC is not active on the server, any client that can connect to the
server can create users and roles with no verification.
- Note:
- When you activate RBAC in InterChange Server, the RBAC run time status
displays on the System Manager screen.
For information on configuring Role-based access control, see Steps for
configuring RBAC security. For in-depth information on Role-based access control
concepts and functionality, refer to the Technical Introduction to IBM
WebSphere InterChange Server.
- Note:
- The Failed Events Manager uses RBAC functionality to establish roles which
administer access control to failed events information. For more
information on the Failed Events Manager, refer to the Problem
Determination Guide.
This section covers the following topics:
Steps for setting up RBAC
Steps for deactivating RBAC
Administering roles
Administering users
Administering user and role assignments
Administering security policy permissions
Administering membership and security policy information
Administering the RBAC password
Security Administration
Steps for setting up RBAC
Before setting up RBAC, at least one user must be assigned the role of
Administrator. If no user holds the Administrator role, the server
always restarts with RBAC disabled. Perform the following steps to
set up role-based access control:
- On the Security-RBAC tab, select the check box for Enable RBAC.
- Select the user registry to which to apply role-based access controls,
that is, Repository or LDAP.
- Note:
- If you select the LDAP user registry, you must ensure that the server privacy
keystore is set up in order to assure correct functioning.
- In the Server Start User Name field, enter the user name to start the
server.
- In the Server Start Password field, enter the password associated with the
username.
- If you selected Repository, enter details in the following fields:
- Host name
- Database
- Port Number
- User Name
- Password
- Max Connections, which is the maximum number of connections that the user
can open
- Max connect retries, which is the maximum number of times you can attempt
to start a connection
- Connect retry interval, which is the amount of time between connection
retries
- If you selected LDAP, enter details in the following fields:
- LDAP Url, which is the URL of the LDAP installation
- Username, which is the account the server uses to connect to the directory
and is not case-sensitive
- Password, which is the password for that account
- Userbase DN, which is the base distinguished name and acts as the root of
all searches and updates
- Username attribute, which is the attribute in the schema that InterChange
Server uses as a username
- Search criteria, which is the search criteria to use when retrieving LDAP
users and is optional
- Max search returns, which is the maximum number of entries returned from a
search
- SSL, which when set to True secures the connection using the SSL
protocol. Leave this set to True unless the directory is reached only over a
trusted network: without it the directory password and the retrieved user
entries cross the network in clear text.
- To turn on Audit settings, select the check box for Enable Audit and enter
details in the following fields:
- Audit log directory, which is the path of the audit log file
- Audit log frequency, for example, Daily, Weekly or Monthly
- Audit file size, which is the maximum size for the audit file in MB
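The following is an added example, not InterChange Server code, showing how the LDAP fields above (LDAP Url, Username attribute, Userbase DN, Search criteria, Max search returns, SSL) compose into a single user lookup. The page does not state how the product builds its directory query, so the example assumes the usual pattern of AND-ing the username match with the optional search criteria; the class and function names, and the directory host, are illustrative. It also shows the one thing a correct composition must do: escape the user-supplied name so that it can only ever match a literal entry.

```python
# Added example (not InterChange Server code): composition of the Security-RBAC
# LDAP fields into a user lookup. Assumes the username match is AND-ed with the
# optional search criteria; names and the directory host are hypothetical.
from dataclasses import dataclass
from urllib.parse import urlparse


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without escaping, a name such as '*' or 'a)(uid=admin' would change the
    structure of the filter instead of matching a literal user name.
    """
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class LdapRegistry:
    """The LDAP fields from the setup steps (field names are illustrative)."""
    url: str                       # LDAP Url
    username_attribute: str        # Username attribute, e.g. uid or cn
    userbase_dn: str               # Userbase DN: root of all searches
    search_criteria: str = ""      # Search criteria (optional LDAP filter)
    max_search_returns: int = 100  # Max search returns
    ssl: bool = False              # SSL

    def user_filter(self, username: str) -> str:
        """Filter that selects one user beneath userbase_dn."""
        match = "(%s=%s)" % (self.username_attribute, escape_filter_value(username))
        if self.search_criteria:
            return "(&%s%s)" % (match, self.search_criteria)
        return match

    def transport_is_protected(self) -> bool:
        """True when the directory password and results travel over TLS."""
        scheme = urlparse(self.url).scheme.lower()
        return self.ssl or scheme == "ldaps"

    def lookup_plan(self, username: str) -> dict:
        """Everything a client needs to run the search: base, filter, limit."""
        return {
            "base": self.userbase_dn,
            "scope": "subtree",
            "filter": self.user_filter(username),
            "size_limit": self.max_search_returns,
            "tls": self.transport_is_protected(),
        }


def registry_warnings(reg: LdapRegistry) -> list:
    """Checks a reviewer would run on the LDAP settings before enabling RBAC."""
    warnings = []
    if not reg.transport_is_protected():
        warnings.append("SSL is False and the URL is not ldaps://: the directory "
                        "password and user entries cross the network in clear text")
    if reg.search_criteria and not (reg.search_criteria.startswith("(")
                                    and reg.search_criteria.endswith(")")):
        warnings.append("Search criteria must be a parenthesised LDAP filter")
    if reg.max_search_returns < 1:
        warnings.append("Max search returns must be at least 1")
    return warnings


if __name__ == "__main__":
    # Constructed sample settings; directory.example.com is a placeholder host.
    reg = LdapRegistry(url="ldap://directory.example.com:389",
                       username_attribute="uid",
                       userbase_dn="ou=people,dc=example,dc=com",
                       search_criteria="(objectClass=inetOrgPerson)")
    print(reg.user_filter("alice"))
    print(reg.user_filter("a)(uid=*"))
    for warning in registry_warnings(reg):
        print("WARNING:", warning)
```

The second printed filter shows why escaping matters: the name `a)(uid=*` becomes `(&(uid=a\29\28uid=\2a)(objectClass=inetOrgPerson))`, a harmless literal match, rather than a filter that closes the first clause early and matches every user.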
Steps for deactivating RBAC
Perform the following steps to deactivate RBAC:
- On the Security-RBAC tab, clear the check box for Enable RBAC.
Disabling RBAC functionality causes all the fields in the display to become
grayed. With RBAC disabled, creating users and roles is no longer restricted
to the Administrator.
Administering roles
Role-based access control (RBAC) supports multiple users and enhanced
security features based on roles. A role is a collection of users who
share common functionality. Grouping functions into roles lets the
administrator assign permissions once per role rather than once per user.
If a role is no longer necessary for the functioning of the server, you may
choose to delete that role from the listing. Once a role is deleted,
all role references are removed from the applicable users.
- Note:
- The Failed Events Manager also uses RBAC functionality to establish roles
which administer access control to failed events information. For more
information on the Failed Events Manager, refer to the Problem
Determination Guide.
Perform the following steps to create a role:
- On the Context Menu, select New Role. This displays the Role Name
dialog box.
- Enter the role name. Once you name a role, it cannot be
renamed.
- Enter a role description, if necessary. Role description is an
optional field.
Perform the following steps to delete a role:
- Note:
- The role administrator is the default role and cannot be deleted.
Role names are case-sensitive.
- On the Context Menu, select Delete Role.
- Select the role name. Once you delete a role, it cannot be
restored, and every user assigned to it loses that role's permissions.
Administering users
On the User and Roles Management screen, roles are listed downward in a
tree directory display. You can assign a user to any number of
roles. Users assigned to a role are listed in the tree directory
beneath the role to which they are assigned, making for a quick and easy scan
of permissions and responsibilities.
Additionally, you can import or export user information for use with the
RBAC functionality.
Perform the following steps to add users to RBAC:
- On the Context Menu, select New User. This displays the New User
dialog box.
- In the Username field, enter the name of the user.
- In the Password field, enter the password for the user.
Perform the following steps to delete users from RBAC:
- Note:
- Guest is the only default user and cannot be deleted.
- On the Context Menu, select Delete User.
- Select the user name. This removes the user from all pre-assigned
roles.
Perform the following steps to import users and passwords into RBAC:
- Note:
- Importing users is supported when the Repository (database) is the user
registry. This function is not supported for the LDAP user
registry. It is recommended that you create a central user registry
database or central LDAP registry, enabling multiple InterChange Server
machines to use this central repository rather than transferring the user
registry between InterChange Server machines.
- On the Context Menu, select Import >> User Registry. This
displays the Import dialog box, where you specify the path for the binary
file. This path must be valid on the machine running the InterChange
Server, which is not necessarily the machine on which you are running System
Manager.
- Select the file to import.
Perform the following steps to export users and passwords from RBAC:
- Note:
- Exporting users is supported when the Repository (database) is the user
registry, and not for the LDAP user registry. The recommendation above, to
use a central registry rather than transfer the user registry between
InterChange Server machines, applies here as well. The exported file contains
user credentials, so protect it as carefully as the user registry itself.
- On the Context Menu, select Export >> User Registry. This
displays the Export dialog box, where you can specify the file path.
- Select the destination for the file to export. This path must be
valid on the server machine which is running the InterChange Server.
Administering user and role assignments
Assigning roles to the available users greatly reduces the burden upon the
administrator to assign individual permissions to vital functionality.
A user can be assigned to any number of roles, all tied to the user's login
ID. Users assigned to a role are listed in the tree directory beneath
the role to which they are assigned.
Perform the following steps to assign roles to users:
- On the Context Menu, select the user to which you want to assign
roles.
- Select Add Role. This displays the Add Role dialog box, which lists
all available roles.
- Select one or more roles to assign to the user. The user is then
listed beneath each assigned role in the tree directory.
Perform the following steps to remove users from the roles listing:
- On the Context Menu, select the user you want to remove from the role
permissions.
- Select Remove Role. This removes the user from the role listing and
removes all role permissions from the user profile.
Administering security policy permissions
As an administrator, you can assign permissions to default roles within
RBAC. These security policies are listed in a tree directory, along
with the operations that each role is allowed to access.
Table 23 lists the operations that can be secured in a server.
Table 23. Secured Server Operations
Securable component | Access-controlled operations
Server | Start; Shut Down; Security/Administering users/Roles; Monitoring; View Failed Events; Deploy; Export; Delete; Compile; Export config files; Deploy config files
Collaboration Templates | Compile
Collaboration Objects | Start; Stop; Pause; Shutdown; Execute (AccessFramework call); Resolve transactional status; Submit Failed events; Delete Failed events; Cancel LLBP flow
Connectors | Start; Stop; Pause; ShutDown Agent; Submit Failed Events; Delete Failed Events
Business Objects | (no operations listed)
Maps | Compile; Start; Stop
Relationships | Start; Stop
BenchMark | Start; Stop
Scheduler | (no operations listed)
DBConnectionCache | (no operations listed)
Administering membership and security policy information
Administrators can import membership and security policy information to be
used with the RBAC functionality from any authorized server.
Conversely, membership and security policy information can also be exported to
a file for use on an additional server or for storage.
Perform the following steps to import membership or security policy
information:
- On the Context Menu, select Import Roles and Security Policy. This
displays the Import dialog box, where you can specify the file path.
- Select the file to import. If you import information when the
User/Roles Management view is active, the changes will not display until you
close and re-open the view.
- Note:
- You may also import information using the -xmsp option using
repos_copy. For information on using repos_copy, refer to Using repos_copy.
Perform the following steps to export membership or security policy
information:
- On the Context Menu, select Export Roles and Security Policy. This
displays the Export dialog box, where you can specify the file path.
- Select the destination for the file to export.
- Note:
- You may also export information using the -xmsp option using
repos_copy. For information on using repos_copy, refer to Using repos_copy.
Administering the RBAC password
Each user in RBAC has an associated password. When a user logs in to
the server, the password authenticates the user, and the server then applies
the roles assigned to that user. Occasionally, it may become necessary to
change or reset a user's password. Perform the following steps to reset the
user password:
- On the Context Menu, highlight the user for whom you'd like to reset
the password.
- Select Reset Password. This displays the Reset Password dialog box,
with the username populated.
- In the New Password field, enter the new password.
- In the Confirm Password field, enter the new password again. The
password is now reset.
Security Administration
As an administrator, you can monitor the use of the roles in RBAC using the
security administration functionality. The InterChange Server lists
active users in a table, which displays username, session ID, and the amount
of time the user has spent logged onto the server.
- Note:
- It is recommended that you refresh the user listing occasionally to retain an
accurate user display. Refresh the user listing by selecting the
Refresh option on the Context menu.
Perform the following steps to view active users:
- On the Context menu, select Security Administration. This opens a
dialog box which displays all active users in table format.
Perform the following steps to log active users off of the server:
- To log the user out of all sessions, select Log Out on the Context
menu.
- To log the user out of the selected session only, select Log Out Session
on the Context menu.
