IBM Support

IT32918: KC ARTICLES UNCLEAR THAT SECURITY ROLES ARE NOT INHERITED BY NEWINTEGRATION SERVERS WHEN USING FILE OR LDAP SECURITY.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as documentation error.

Error description

  • The knowledge center articles that discuss role-based security
do not make it sufficiently clear that newly created integration
servers do not inherit any roles that are defined on the
integration node. When an integration server is created and file
or LDAP security is active then no roles will be defined on this
new integration server. The roles defined on the integration
node are not inherited by the integration server.

The article "Configuring authorization for an integration node
by modifying the node.conf.yaml file" (bn28624) in the ACE v11
knowledge center contains a statement saying

"If you set permissions for the integration node, the settings
are inherited by each of its managed integration servers that
have not had specific permissions set. Any permissions that are
set for named integration servers will override those that are
set on the integration node."

This is not correct and should instead read:

"Every integration server managed by this integration node will
pick up the appropriate permissions section from the
node.conf.yaml unless it has a permissions section in its own
server.conf.yaml. An integration server will not inherit
permission settings defined for the integration node itself."

The analogous article in the IIB v10 knowledge center entitled
"Setting file-based or LDAP-based permissions" (bn28616) does
correctly state that permissions set on the integration node are
not applied to the integration servers.

The article "Permissions for acting on integration nodes,
integration servers, and resources" (bn28620) in the ACE v11 and
IIB v10 knowledge centers discuss that when using queue-based
security a newly created integration server will automatically
grant access to members of the mqbrkrs group. These articles do
not discuss the case of file or LDAP security where the newly
created integration server will have no permissions defined and
should be rectified to reflect this.

Local fix

  • 



Problem summary


    

  • ****************************************************************
USERS AFFECTED:
All users of file or LDAP administration security in IBM
Integration Bus v10 and IBM App Connect Enterprise v11.


Platforms affected:
z/OS, MultiPlatform

****************************************************************
PROBLEM DESCRIPTION:
The knowledge center articles that discuss role-based security
does not make it sufficiently clear that newly created
integration servers do not inherit any roles that are defined on
the integration node. When an integration server is created and
file or LDAP security is active then no roles will be defined on
this new integration server. The roles defined on the
integration node are not inherited by the integration server.

The article "Configuring authorization for an integration node
by modifying the node.conf.yaml file" (bn28624) in the ACE v11
knowledge center contains a statement saying

"If you set permissions for the integration node, the settings
are inherited by each of its managed integration servers that
have not had specific permissions set. Any permissions that are
set for named integration servers will override those that are
set on the integration node."

This is not correct and should instead read:

"Every integration server managed by this integration node will
pick up the appropriate permissions section from the
node.conf.yaml unless it has a permissions section in its own
server.conf.yaml. An integration server will not inherit
permission settings defined for the integration node itself."

The analogous article in the IIB v10 knowledge center entitled
"Setting file-based or LDAP-based permissions" (bn28616) does
correctly state that permissions set on the integration node are
not applied to the integration servers.

The article "Permissions for acting on integration nodes,
integration servers, and resources" (bn28620) in the ACE v11 and
IIB v10 knowledge centers discuss that when using queue-based
security a newly created integration server will automatically
grant access to members of the mqbrkrs group. These articles do
not discuss the case of file or LDAP security where the newly
created integration server will have no permissions defined and
should be rectified to reflect this.

    



Problem conclusion


    

  • The Knowledge Center articles have been updated to reflect these
behaviours.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IT32918
    • 

  • Reported component name
    INTEGRATION BUS
    • 

  • Reported component ID
    5724J0540
    • 

  • Reported release
    A00
    • 

  • Status
    CLOSED  DOC
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2020-05-19
    • 

  • Closed date
    2020-10-19
    • 

  • Last modified date
    2020-10-19
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSNQK6","label":"IBM Integration Bus"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.0"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            20 October 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback