Role-based authorization

Messaging security uses a simple role model in which a role contains the authorization permission required to perform a given operation. If messaging security is switched on, you must give any users who connect to a bus permission to carry out the operations that they need to perform. You do this by assigning them to the appropriate role or roles.

Note: A user is the entity that performs an operation such as initiating the sending of a message to a destination.

Roles

When you assign a user to a role, this grants the user all of the permissions that the role contains. Users can belong to groups, which are defined in the user registry, and you can also assign a group to a role. In this case, all the users who are members of the group are authorized to carry out the operations for which this role contains permissions. There are three special groups of users:

You can assign a user or group to the following types of roles:

Operations requiring authorization

When messaging security is switched on, all operations on the following objects require authorization:

Buses
When a user connects to a local bus, before the user is allowed to perform any further operations, a check is made that this user has permission to connect to this bus. If a user connected to a local bus wants to send a message to a destination in a foreign bus, the user must also be authorized to access the foreign bus.
Destinations
Users require authorization to send to, receive from, or browse any type of destination. Users who create a temporary destination need to be granted create permission on the destination prefix on which the temporary destination is based. The authorization permissions of a temporary destination are the same as those of the destination prefix on which it is based; the name of that destination prefix appears as a prefix in the temporary destination name.
Topic spaces and topics
To access a topic within a topic space, a user must be authorized to access both the topic space and the specific topic within it. To make topic authorizations easier to manage, a topic by default inherits authorization permissions from its parent in the topic namespace. You can override these inherited permissions for any given topic, or you can turn topic-level authorization off altogether for a topic space, in which case a check is made that the user is authorized to access the topic space, but no further checks are made at the topic level. Turning topic-level checks off therefore gives every user with access to the topic space access to every topic in it, so only do this for topic spaces where all topics are equally sensitive.

Default authorization permissions

The default authorization permissions provide you with a way of quickly granting access to all local destinations. By default, all authenticated users have full access to all destinations, but only the Server user holds the bus connector role, so an administrator must explicitly grant users permission to connect to the bus. Once connected, such a user has full access to every local destination that inherits the default permissions. Because the defaults are this permissive, the bus connector role is the only control on who can reach your destinations unless you also restrict the default roles or stop individual destinations from inheriting them.

The default permissions apply to all destinations in a local bus namespace, with three exceptions:




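The following wsadmin Jython script is an added example, not code from the IBM documentation, that carries out the grants described under "Operations requiring authorization" and "Default authorization permissions" above: bus connector role, a default role, a destination role that stops inheriting the defaults, topic space and topic roles with inheritance broken for one sub-topic, and a foreign bus role. The bus name SecureBus, the foreign bus PartnerBus, the destination OrderQueue, the topic space Events.TopicSpace, the topics, and the registry groups OrderServiceGroup and AuditGroup are all assumed names. The AdminTask commands are the service integration bus security commands that the related tasks listed below administer (addGroupToBusConnectorRole, addGroupToDefaultRole, addGroupToDestinationRole, addGroupToTopicRole, addGroupToForeignBusRole, setInheritDefaultsForDestination, setInheritSenderForTopic and the matching list commands); that modifySIBus takes -busSecurity to switch messaging security on is my assumption and should be checked against your release.

```jython
# Added example (not IBM's code): grant service integration bus roles with wsadmin.
# Run as:  wsadmin.sh -lang jython -f grant_bus_roles.py
# All names below are assumptions for the example.

BUS = 'SecureBus'
FOREIGN_BUS = 'PartnerBus'
ORDER_QUEUE = 'OrderQueue'
TOPIC_SPACE = 'Events.TopicSpace'
APP_GROUP = 'OrderServiceGroup'   # group defined in the user registry
AUDIT_GROUP = 'AuditGroup'        # group defined in the user registry

def grant(cmd, params):
    # Echo each AdminTask security command before running it so the
    # wsadmin log records exactly which grant was made.
    print '%s %s' % (cmd, params)
    getattr(AdminTask, cmd)(params)

# 1. Switch messaging security on. From here on every operation is checked
#    (-busSecurity is assumed to be the parameter for this; verify for your release).
AdminTask.modifySIBus('[-bus %s -busSecurity true]' % BUS)

# 2. Bus connector role. The connect check runs before any destination check,
#    so without this grant the groups cannot reach any destination at all.
grant('addGroupToBusConnectorRole', '[-bus %s -group %s]' % (BUS, APP_GROUP))
grant('addGroupToBusConnectorRole', '[-bus %s -group %s]' % (BUS, AUDIT_GROUP))

# 3. Default role: the quick way to grant access to every local destination
#    that inherits the defaults. Here only auditors get read-only browsing.
grant('addGroupToDefaultRole', '[-bus %s -role Browser -group %s]' % (BUS, AUDIT_GROUP))

# 4. Destination roles. OrderQueue stops inheriting the default roles, so
#    only the explicit Sender/Receiver grant to the application group applies.
grant('setInheritDefaultsForDestination',
      '[-type Queue -bus %s -destination %s -inherit false]' % (BUS, ORDER_QUEUE))
for role in ('Sender', 'Receiver'):
    grant('addGroupToDestinationRole',
          '[-type Queue -bus %s -destination %s -role %s -group %s]'
          % (BUS, ORDER_QUEUE, role, APP_GROUP))

# 5. Topic space and topic roles. Access is checked on the topic space first,
#    then on the topic, and a topic inherits from its parent by default.
grant('addGroupToDestinationRole',
      '[-type TopicSpace -bus %s -destination %s -role Receiver -group %s]'
      % (BUS, TOPIC_SPACE, AUDIT_GROUP))
grant('addGroupToDestinationRole',
      '[-type TopicSpace -bus %s -destination %s -role Sender -group %s]'
      % (BUS, TOPIC_SPACE, APP_GROUP))
# Sender on "orders" is inherited by orders/created, orders/shipped, ...
grant('addGroupToTopicRole',
      '[-bus %s -topicSpace %s -topic orders -role Sender -group %s]'
      % (BUS, TOPIC_SPACE, APP_GROUP))
# ... except orders/payments, where inheritance of the Sender role is broken
# so that publishing there needs its own explicit grant.
grant('setInheritSenderForTopic',
      '[-bus %s -topicSpace %s -topic orders/payments -inherit false]'
      % (BUS, TOPIC_SPACE))

# 6. Foreign bus role: sending to a destination in PartnerBus needs the
#    Sender role on the foreign bus in addition to the local bus connector role.
grant('addGroupToForeignBusRole',
      '[-bus %s -foreignBus %s -role Sender -group %s]' % (BUS, FOREIGN_BUS, APP_GROUP))

# 7. Read the grants back before saving, so the change can be reviewed.
print 'Bus connectors:', AdminTask.listGroupsInBusConnectorRole('[-bus %s]' % BUS)
print 'OrderQueue senders:', AdminTask.listGroupsInDestinationRole(
    '[-type Queue -bus %s -destination %s -role Sender]' % (BUS, ORDER_QUEUE))

AdminConfig.save()
```

Nothing takes effect until AdminConfig.save() runs and the configuration is synchronized to the nodes hosting the messaging engines; run the list commands again afterwards, or use the administrative console, to confirm the roles are as intended before letting applications connect.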
Related concepts
Topic security
Authentication
Role-based authorization
Publish/subscribe messaging and topic spaces
Alias destinations
Learning about service integration security
Related tasks
Administering messaging security
Administering default roles through the command line
Configuring users and groups in the bus connector role through the command line
Administering foreign bus roles through the command line
Administering destination roles through the command line
Controlling which foreign buses can link to your bus
Administering access to foreign destinations


Last updated: Aug 30, 2013 6:03:36 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-base-iseries&topic=cjr0450_
File name: cjr0450_.html