Administering authorization permissions

Messaging security uses role-based authorization. When a user is assigned to a role, the user is granted all of the permissions that the role contains. By administering authorization permissions, you can control user access to a bus and its resources when messaging security is switched on.

Before you begin

You can administer authorization permissions using the wsadmin tool. For more information about scripting, see Getting started with scripting. For bus connector roles only, you can also use the administrative console to administer authorization permissions. For further details, refer to Administering bus connector roles. For guidance on the type of changes you may need to make to authorization permissions, refer to Planning your service integration security.

About this task

When a bus is created, an initial set of default authorization roles is created that allows all authenticated users who have the bus connector role full access to all local destinations on the bus. By default only the Server group has the bus connector role.

Note that by default, when security is enabled, users do not have access to a foreign bus. You need to explicitly add a specific user to the foreign bus access list. For details of the task, see Adding users and groups to foreign bus roles using the wsadmin tool.

You can make changes to authorization permissions when messaging security is enabled or disabled. Any changes that you make when security is disabled will not have any effect until security is enabled, as described in Enabling and disabling messaging security.

LDAP Registry Tip: When you specify group authorization permissions, you must use the group distinguished name (DN). If you specify a common name (CN) for the group name, users in that group do not have the specified authorities. For more details, see Standalone Lightweight Directory Access Protocol registries.
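
The following check is an added example, not part of the IBM documentation: it lints a list of planned group grants against the LDAP tip above and rejects any group name that is not a full distinguished name. The tuple layout, the sample bus, role and group names, and the rule that a single RDN does not count as a full DN are assumptions.

```python
import re

# Attribute type: short name (cn, ou, dc, ...) or dotted numeric OID.
_ATTR = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")

def split_unescaped(text, sep):
    """Split on sep, keeping backslash-escaped characters with their part."""
    parts, buf, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" and i + 1 < len(text) else 1
        if step == 1 and text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i:i + step]
        i += step
    return parts + [buf]

def classify_group_name(name):
    """Return 'dn', 'bare-name', 'single-rdn' or 'malformed'."""
    name = name.strip()
    if "=" not in name:
        return "bare-name"            # e.g. "MsgReceivers": a CN value, not a DN
    rdns = split_unescaped(name, ",")
    for rdn in rdns:
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN
            attr, eq, value = ava.strip().partition("=")
            if not eq or not _ATTR.match(attr.strip()) or not value.strip():
                return "malformed"
    # Assumption: groups sit below a base entry, so one RDN is not a full DN.
    return "dn" if len(rdns) >= 2 else "single-rdn"

def lint_grants(grants):
    """grants: (busName, roleName, groupName) tuples; returns the rejected ones."""
    checked = ((b, r, g, classify_group_name(g)) for b, r, g in grants)
    return [row for row in checked if row[3] != "dn"]

# Constructed sample data; bus, role and group names are placeholders.
PLANNED = [
    ("bus1", "Sender", "cn=MsgSenders,ou=groups,dc=example,dc=com"),
    ("bus1", "Receiver", "MsgReceivers"),
    ("bus1", "Sender", "cn=MsgSenders"),
    ("bus1", "Browser", r"cn=Ops\, EU,ou=groups,dc=example,dc=com"),
    ("bus1", "Sender", "cn=MsgSenders,ou=groups,dc"),
]

if __name__ == "__main__":
    for bus, role, group, kind in lint_grants(PLANNED):
        print(f"{bus}/{role}: {group!r} rejected ({kind})")
```

Running the check before issuing the wsadmin commands catches the case the tip describes, where a grant made with a CN is accepted but gives the group's users no authority.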

To configure permissions, complete the following steps using the wsadmin tool:

  1. Open a wsadmin command session.
    [iSeries] Note: You open a wsadmin command session from within Qshell. For more information, see the topic "Configure Qshell to run WebSphere® Application Server scripts".
  2. Type the required command.

The following syntax is used for the commands. For details of the command properties, see the topics listed below.

variable
    A variable, for which you type a value. The commands use the following variables:
      • destinationType
      • busName
      • foreignBusName
      • destinationName
      • topicSpaceName
      • topicName
      • roleName
      • userName
      • groupName

<true|false>
    A choice of options, from which you type one value (that is, either true or false).

Use the commands in the topics listed below to configure the authorization permissions for a bus to meet your security requirements.





Last updated: Aug 31, 2013 2:56:59 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-dist&topic=tjr0380_
File name: tjr0380_.html