
Role-based authorization

Service integration messaging security uses role-based authorization. By adding and removing users and groups in access roles we can control who has access to a secured bus and its resources.

When bus security is enabled, add users and groups to access roles to grant them authority to connect to the bus and to work with its messaging resources, for example a destination or a topic space. We can administer users and groups in access roles either by using the administrative console or by using the wsadmin commands listed under the related tasks.


Access roles

When we add a user or group to an access role, we grant that user or group all the security permissions contained within the role type. We can add users and groups to the following access roles:

Connector role

Grants the user the permission to connect to the local bus.

Sender role

Grants the user the permission to send a message to a destination.

Receiver role

Grants the user the permission to receive a message from a destination.

Browser role

Grants the user the permission to browse messages on a destination.

Creator role

Grants the user the permission to create a temporary destination that uses a given temporary destination prefix.


Users and groups

Any user or group that you add to an access role must be defined in the user registry. A user that belongs to a group that has been added to an access role is authorized to carry out the operations permitted for that role.

There are three special types of groups:

All Authenticated

Contains all authenticated users. If the All Authenticated group is authorized to undertake an operation, then every authenticated user is authorized to undertake it. When a bus is created, an initial set of authorization permissions is created that allows all users in the All Authenticated group to access all local destinations. We can change these permissions to restrict access to specific users and groups.

Everyone

Contains all users whether or not they are authenticated.

Server

Contains every WebSphere Application Server within a cell.


Messaging operations

When messaging security is enabled, all operations on the following resources require authorization:

Buses

When a user connects to a local bus, the system checks that the user has authorization to connect to the bus. A user who has already connected successfully to a local bus and then sends a message to a destination on a foreign bus also requires authorization to access that foreign bus.

Destinations

Users require authorization to undertake messaging operations (typically send, receive, and browse) on a destination.

Temporary destinations

A user must have the creator role to create a temporary destination. By default, the All Authenticated group has the creator role. When an authorized user (a client application) creates a temporary destination, it specifies a temporary destination prefix. The messaging engine uses that prefix at run time to determine which operations the client application can perform on the temporary destination; for example, a client application that has the sender role for a temporary destination prefix is authorized to send messages to temporary destinations that use that prefix.

Topic spaces and topics

To access a topic within a topic space, a user must be authorized to access both the topic space and the specific topic within it. To make topic authorizations easier to manage, a topic inherits authorization permissions from its parent in the topic namespace by default. We can change the inherited permissions for any given topic, or we can disable inheritance at the topic space level for a given topic space. When inheritance is disabled for a topic space, the system checks only that the user is authorized to access the topic space; no further checks are made at the topic level.


Default authorization permissions

The default authorization permissions enable you to quickly grant access to all local destinations. Although the All Authenticated group has full access to all destinations, only the Server group has the bus connector role, so no ordinary user can connect until you add that user, or a group containing it, to the bus connector role for the bus. Be aware of the consequence: because All Authenticated still holds the default destination roles, any user you add to the bus connector role gains full access to every destination on the bus unless you also narrow the default permissions.
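The checks described under Messaging operations and the default permissions described here, as an added example that is not IBM code: a small Python model of the decision order (bus connector role first, then destination or temporary destination prefix roles with the bus defaults, then topic space plus topic with inheritance, then foreign bus access), evaluated over a constructed registry and policy. The user, group, destination, topic space and bus names are constructed for the example, and the rule that a destination's explicit grants are added to the bus defaults unless inheritance is switched off for that destination is an assumption of the model, not a statement from this page.

```python
"""Added model (not IBM code) of service integration bus role-based authorization:
connector role on the bus, destination roles with bus defaults, temporary
destination prefixes, topic space plus topic checks with inheritance, and
foreign bus access, evaluated over a constructed registry and policy."""
from dataclasses import dataclass, field

ALL_AUTHENTICATED = "AllAuthenticated"  # special group: all authenticated users
EVERYONE = "Everyone"                   # special group: authenticated or not
SERVER = "Server"                       # special group: application servers in the cell
ROLES = ("Sender", "Receiver", "Browser", "Creator")

@dataclass
class Registry:
    """Constructed stand-in for the user registry: user name -> set of groups."""
    users: dict
    servers: set = field(default_factory=set)

    def groups_for(self, principal):
        if principal is None:            # unauthenticated caller: Everyone only
            return {EVERYONE}
        if principal not in self.users and principal not in self.servers:
            raise LookupError("%s is not defined in the user registry" % principal)
        groups = {EVERYONE, ALL_AUTHENTICATED} | self.users.get(principal, set())
        if principal in self.servers:
            groups.add(SERVER)
        return groups

@dataclass
class Grants:
    """Roles held at one place: a destination, a temporary destination prefix or a topic."""
    roles: dict = field(default_factory=dict)  # role -> users/groups holding it
    inherit: bool = True  # assumption: also take the level above (bus defaults / parent topic)

@dataclass
class TopicSpace:
    roles: dict = field(default_factory=dict)   # permissions at the topic space root
    topics: dict = field(default_factory=dict)  # "alerts/critical" -> Grants
    topic_checks: bool = True                   # False: check the topic space only

@dataclass
class BusPolicy:
    name: str
    connector: set = field(default_factory=set)        # bus connector role
    defaults: dict = field(default_factory=dict)       # default destination roles
    destinations: dict = field(default_factory=dict)   # name -> Grants
    temp_prefixes: dict = field(default_factory=dict)  # prefix -> Grants
    topic_spaces: dict = field(default_factory=dict)   # name -> TopicSpace
    foreign_buses: dict = field(default_factory=dict)  # bus name -> users/groups

def default_bus(name):
    """A newly created bus: only Server may connect, AllAuthenticated holds all defaults."""
    return BusPolicy(name, connector={SERVER},
                     defaults={r: {ALL_AUTHENTICATED} for r in ROLES})

def _holds(principal, groups, grantees):
    return principal in grantees or bool(groups & grantees)

def connect(policy, registry, principal):
    """Every operation starts here: without the connector role nothing else is reached."""
    if not _holds(principal, registry.groups_for(principal), policy.connector):
        return False, "no bus connector role on %s" % policy.name
    return True, "connected to %s" % policy.name

def use_destination(policy, registry, principal, role, name, temporary=False):
    """Sender/Receiver/Browser on a destination, or Creator and others on a temp prefix."""
    ok, why = connect(policy, registry, principal)
    if not ok:
        return ok, why
    table = policy.temp_prefixes if temporary else policy.destinations
    dest = table.get(name, Grants())               # no explicit entry: defaults only
    grantees = set(dest.roles.get(role, set()))
    if dest.inherit:
        grantees |= policy.defaults.get(role, set())
    if not _holds(principal, registry.groups_for(principal), grantees):
        return False, "%s role denied on %s" % (role, name)
    return True, "%s on %s" % (role, name)

def use_topic(policy, registry, principal, role, space_name, topic):
    """Topic space first, then the topic, with permissions walked down from the root."""
    ok, why = connect(policy, registry, principal)
    if not ok:
        return ok, why
    groups = registry.groups_for(principal)
    space = policy.topic_spaces[space_name]
    grantees = set(space.roles.get(role, set()))
    if not _holds(principal, groups, grantees):
        return False, "%s role denied on topic space %s" % (role, space_name)
    if not space.topic_checks:
        return True, "%s on topic space %s, topic checks disabled" % (role, space_name)
    parts = topic.split("/")
    for depth in range(1, len(parts) + 1):
        node = space.topics.get("/".join(parts[:depth]))
        if node is None:
            continue                               # undefined topic: inherits as-is
        if not node.inherit:
            grantees = set()                       # inheritance off: own grants only
        grantees |= node.roles.get(role, set())
    if not _holds(principal, groups, grantees):
        return False, "%s role denied on topic %s" % (role, topic)
    return True, "%s on topic %s" % (role, topic)

def send_to_foreign_bus(policy, registry, principal, foreign_bus):
    """Connected locally, the user still needs access to the foreign bus itself."""
    ok, why = connect(policy, registry, principal)
    if not ok:
        return ok, why
    if not _holds(principal, registry.groups_for(principal),
                  policy.foreign_buses.get(foreign_bus, set())):
        return False, "access denied to foreign bus %s" % foreign_bus
    return True, "access to foreign bus %s" % foreign_bus

def hardened_bus(name):
    """Constructed policy: named groups may connect and Sender is no longer a default."""
    bus = default_bus(name)
    bus.connector = {SERVER, "traders", "ops"}
    bus.defaults["Sender"] = set()                 # drop AllAuthenticated from default Sender
    bus.destinations["orders"] = Grants({"Sender": {"traders"}, "Receiver": {"ops"}},
                                        inherit=False)
    bus.temp_prefixes["reply"] = Grants({"Creator": {"traders"}}, inherit=False)
    bus.topic_spaces["Default.Topic.Space"] = TopicSpace(
        roles={"Sender": {ALL_AUTHENTICATED}},
        topics={"alerts/critical": Grants({"Sender": {"ops"}}, inherit=False)})
    bus.foreign_buses["partnerBus"] = {"traders"}
    return bus

REGISTRY = Registry(users={"alice": {"traders"}, "bob": set(), "carol": {"ops"}},
                    servers={"server1"})  # constructed sample registry
```

With the constructed registry, `use_destination(default_bus("bus1"), REGISTRY, "alice", "Sender", "orders")` is refused at the connector check even though All Authenticated holds the default Sender role, while `server1` succeeds; after `hardened_bus` grants the `traders` group the connector role, `alice` can send to `orders` but not receive from it, cannot send to a destination with no explicit grants because the default Sender role is now empty, and cannot publish on `alerts/critical`, whose inheritance from the topic space root is switched off.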

The default permissions apply to all destinations in a local bus namespace, with the following exceptions:


Related concepts

  • Bus destinations
  • Topic security
  • Client authentication on a service integration bus
  • Role-based authorization
  • Publish/subscribe messaging and topic spaces
  • Foreign destinations and alias destinations


Related tasks

  • Add unique names to the bus authorization policy
  • removeGroupFromAllRoles command
  • removeUserFromAllRoles command
  • populateUniqueNames command