APAR status
Closed as documentation error.
Error description
The knowledge center articles that discuss role-based security do not make it sufficiently clear that newly created integration servers do not inherit any roles that are defined on the integration node. When an integration server is created and file or LDAP security is active, no roles are defined on the new integration server. The roles defined on the integration node are not inherited by the integration server.
The article "Configuring authorization for an integration node by modifying the node.conf.yaml file" (bn28624) in the ACE v11 knowledge center contains a statement saying "If you set permissions for the integration node, the settings are inherited by each of its managed integration servers that have not had specific permissions set. Any permissions that are set for named integration servers will override those that are set on the integration node." This is not correct and should instead read: "Every integration server managed by this integration node will pick up the appropriate permissions section from the node.conf.yaml unless it has a permissions section in its own server.conf.yaml. An integration server will not inherit permission settings defined for the integration node itself."
The analogous article in the IIB v10 knowledge center entitled "Setting file-based or LDAP-based permissions" (bn28616) does correctly state that permissions set on the integration node are not applied to the integration servers.
The article "Permissions for acting on integration nodes, integration servers, and resources" (bn28620) in the ACE v11 and IIB v10 knowledge centers discusses that, when using queue-based security, a newly created integration server will automatically grant access to members of the mqbrkrs group. These articles do not discuss the case of file or LDAP security, where the newly created integration server will have no permissions defined, and should be rectified to reflect this.
Local fix
Problem summary
USERS AFFECTED: All users of file or LDAP administration security in IBM Integration Bus v10 and IBM App Connect Enterprise v11.
Platforms affected: z/OS, MultiPlatform
PROBLEM DESCRIPTION:
The knowledge center articles that discuss role-based security do not make it sufficiently clear that newly created integration servers do not inherit any roles that are defined on the integration node. When an integration server is created and file or LDAP security is active, no roles are defined on the new integration server. The roles defined on the integration node are not inherited by the integration server.
The article "Configuring authorization for an integration node by modifying the node.conf.yaml file" (bn28624) in the ACE v11 knowledge center contains a statement saying "If you set permissions for the integration node, the settings are inherited by each of its managed integration servers that have not had specific permissions set. Any permissions that are set for named integration servers will override those that are set on the integration node." This is not correct and should instead read: "Every integration server managed by this integration node will pick up the appropriate permissions section from the node.conf.yaml unless it has a permissions section in its own server.conf.yaml. An integration server will not inherit permission settings defined for the integration node itself."
The analogous article in the IIB v10 knowledge center entitled "Setting file-based or LDAP-based permissions" (bn28616) does correctly state that permissions set on the integration node are not applied to the integration servers.
The article "Permissions for acting on integration nodes, integration servers, and resources" (bn28620) in the ACE v11 and IIB v10 knowledge centers discusses that, when using queue-based security, a newly created integration server will automatically grant access to members of the mqbrkrs group. These articles do not discuss the case of file or LDAP security, where the newly created integration server will have no permissions defined, and should be rectified to reflect this.
Problem conclusion
The Knowledge Center articles have been updated to reflect these behaviours.
Temporary fix
Comments
APAR Information
APAR number
IT32918
Reported component name
INTEGRATION BUS
Reported component ID
5724J0540
Reported release
A00
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-05-19
Closed date
2020-10-19
Last modified date
2020-10-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
20 October 2020