Setting queue-based permissions
You can use WebSphere® MQ queues to authorize users to complete specific tasks against an integration node and its resources.
Before you begin
- Ensure that WebSphere MQ is installed and that a queue manager is specified on the integration node.
- Read the following topics:
About this task
- SYSTEM.BROKER.AUTH
- SYSTEM.BROKER.AUTH.EG (where EG is the name of the integration server)
- SYSTEM.BROKER.DC.AUTH
The queue SYSTEM.BROKER.AUTH is created when you use the mqsichangeauthmode command to enable queue-based administration security (mq mode) on the integration node. When you create an integration server on an integration node for which you have enabled queue-based administration security, the integration server authorization queue SYSTEM.BROKER.AUTH.EG is created (if it did not already exist), where EG is the name of the integration server. The SYSTEM.BROKER.DC.AUTH queue is created when you use the mqsicreatebroker command to create an integration node with an associated queue manager. For more information about these authorization queues, see Authorization queues for queue-based administration security.
You can grant permissions to individual principals (user IDs), to groups of users, or both, on all platforms:
- If you grant a group or a user ID permissions at the integration node level (on queue SYSTEM.BROKER.AUTH), it does not inherit permissions for integration servers. You must explicitly set permissions for individual integration servers, or for all integration servers.
- On Linux® and UNIX, you can authorize both principals and groups. However, when authorizing a principal, IBM® Integration Bus additionally authorizes the primary group of that principal. If there are many users who belong to that primary group, they become authorized at the same time. Consider using groups instead of primary groups for authorization, because variants of UNIX use primary groups in different ways.
- If a user ID is a member of the WebSphere MQ security group mqm, it automatically has permissions to act on all WebSphere MQ objects.
- On Windows, if a user ID is a member of the security group Administrators, it automatically has permissions to act on all WebSphere MQ objects.
When you change permissions on a queue, the integration node accesses the updated values the next time that a request is processed. You do not have to stop and restart the integration node.
If you update user ID or group membership by using the operating system facilities on the platform on which the integration node queue manager is running, you must ensure that the queue manager is aware of these changes. Select the option Refresh Authorization Service in the WebSphere MQ Explorer to notify the queue manager of the updated status.
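The rules above expressed as commands, in an added example that is not part of the original page: it prints, without running, the `setmqaut` commands that authorize one group on SYSTEM.BROKER.AUTH and separately on each named integration server queue. The mapping of read/write/execute to `+inq`/`+put`/`+set` is not stated on this page and is assumed from IBM's queue-based security documentation; the queue manager, group and integration server names are constructed.

```shell
#!/bin/sh
# Added example (not IBM's code): dry-run generator for queue-based permissions.
# Assumed mapping, not stated on this page: read=+inq, write=+put, execute=+set.

# Translate a permission string such as "rx" into setmqaut authority flags.
# Permissions that are not requested are removed explicitly, so an earlier,
# broader grant does not survive a narrower one.
perm_flags() {
    perms=$1 flags=""
    case $perms in
        ""|*[!rwx]*) echo "invalid permissions: '$perms' (use r, w, x)" >&2; return 1 ;;
    esac
    for pair in r:inq w:put x:set; do
        letter=${pair%%:*} auth=${pair##*:}
        case $perms in
            *"$letter"*) flags="$flags +$auth" ;;
            *)           flags="$flags -$auth" ;;
        esac
    done
    echo "${flags# }"
}

# Emit one command for SYSTEM.BROKER.AUTH and one per integration server,
# because node-level permissions are not inherited by integration servers.
# Usage: grant_cmds QMGR GROUP NODE_PERMS SERVER_PERMS [SERVER...]
grant_cmds() {
    [ $# -ge 4 ] || { echo "usage: grant_cmds QMGR GROUP NODE_PERMS SERVER_PERMS [SERVER...]" >&2; return 2; }
    qmgr=$1 group=$2
    node_flags=$(perm_flags "$3") || return 1
    eg_flags=$(perm_flags "$4") || return 1
    shift 4
    # -g authorizes a group only. Authorizing a principal on Linux/UNIX would
    # also authorize that principal's primary group, as described above.
    echo "setmqaut -m $qmgr -n SYSTEM.BROKER.AUTH -t queue -g $group $node_flags"
    for eg in "$@"; do
        echo "setmqaut -m $qmgr -n SYSTEM.BROKER.AUTH.$eg -t queue -g $group $eg_flags"
    done
}

# Constructed names: queue manager IBQM, group ibdeploy, servers default and payments.
# The group may read the node, and read, write and execute on the two servers.
grant_cmds IBQM ibdeploy r rwx default payments
```

Review the printed commands before piping them to `sh` under an account that is allowed to run `setmqaut` on the integration node's queue manager.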