Role-based authorization
Service integration messaging security uses role-based authorization. By adding and removing users and groups in access roles we can control who has access to a secured bus and its resources.
When bus security is enabled, we must add users and groups to access roles to grant them authority to connect to the bus, and to work with its messaging resources, for example a destination or a topic space. We can administer users and groups in access roles either using the administrative console, or using wsadmin reference commands.
Access roles
When we add a user to an access role, we grant that user all the security permissions contained within the role type. We can add users to the following access roles:
- Connector role
- Grants the user the permission to connect to the local bus.
- Sender role
- Grants the user the permission to send a message to a destination.
- Receiver role
- Grants the user the permission to receive a message from a destination.
- Browser role
- Grants the user the permission to browse messages on a destination.
- Creator role
- Grants the user the permission to create a temporary destination prefix.
Users and groups
Any user or group that we add to an access role must have a definition in the user registry. A user that belongs to a group that has been added to an access role is authorized to carry out the operations permitted for that role.
There are three special types of groups:
- All Authenticated
- Contains all authenticated users. If the All Authenticated group is authorized to undertake an operation, then all authenticated users are authorized to undertake it. When a bus is created, an initial set of authorization permissions is created that allows all users in the All Authenticated group access to all local destinations. We can change these permissions to restrict access to the bus to specific users and groups.
- Everyone
- Contains all users whether or not they are authenticated.
- Server
- Contains every WebSphere Application Server within a cell.
Messaging operations
When messaging security is enabled, all operations on the following resources require authorization:
- Buses
- When a user connects to a local bus, the system checks that the user has authorization to connect to the bus. For a user who has already connected successfully to a local bus to send a message to a destination on a foreign bus, the user requires authorization to access the foreign bus.
- Destinations
- Users require authorization to undertake messaging operations (typically send, receive, and browse) on a destination.
- Temporary destinations
- A user must have the creator role to create a temporary destination. By default, the All Authenticated group has the creator role. When an authorized user (a client application) creates a temporary destination, a temporary destination prefix is specified. The messaging engine uses the temporary destination prefix at runtime to determine which operations the client application can perform. A client application that has the sender role for a temporary destination prefix is authorized to send messages to the temporary destination.
- Topic spaces and topics
- To access a topic within a topic space, a user must be authorized to access both the topic space, and the specific topics within this topic space. To make topic authorizations easier to manage, a topic inherits authorization permissions from its parent in the topic namespace by default. We can change inherited permissions for any given topic, or we can disable inheritance at the topic space level for a given topic space. In this case, the system checks that the user is authorized to access the topic space, but no further checks are made at the topic level.
Default authorization permissions
The default authorization permissions allow us to quickly grant access to all local destinations. Although the All Authenticated group has full access to all destinations, only the Server group has the bus connector role. To allow a particular user to access the bus, we must add that user to the bus connector role for the bus. When users have the bus connector role, they have full access to the bus.
The default permissions apply to all destinations in a local bus namespace, with the following exceptions:
- A destination for which inheritance is disabled
- Foreign destinations
- Alias destinations that have an alias bus name that is not the local bus name
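The following is an added example, not WebSphere code: a small Python model of the authorization checks described above (bus connector role, destination roles with the default permissions of a new bus, the All Authenticated and Everyone groups, and topic permissions inherited from the topic space root). The bus, user, group and destination names are constructed for the example.

```python
# Added example (not WebSphere code): minimal model of this page's authorization rules; names are constructed.
from dataclasses import dataclass, field

ALL_AUTHENTICATED, EVERYONE, SERVER = "AllAuthenticated", "Everyone", "Server"

@dataclass
class User:
    name: str = None                     # None models an unauthenticated caller
    groups: set = field(default_factory=set)
    def principals(self):
        # Identities a role entry can match: Everyone always, the user name and
        # All Authenticated only for an authenticated caller, plus group names.
        p = {EVERYONE} | self.groups
        if self.name is not None:
            p |= {self.name, ALL_AUTHENTICATED}
        return p

def granted(role_map, role, user):
    return bool(role_map.get(role, set()) & user.principals())

@dataclass
class BusPolicy:
    # Defaults of a new bus: All Authenticated holds the destination roles,
    # only the Server group holds the bus connector role.
    connector: set = field(default_factory=lambda: {SERVER})
    default_roles: dict = field(default_factory=lambda: {
        r: {ALL_AUTHENTICATED} for r in ("Sender", "Receiver", "Browser", "Creator")})
    destinations: dict = field(default_factory=dict)  # dest -> role -> principals
    topic_spaces: dict = field(default_factory=dict)  # space -> inherit/root/topics

    def can_connect(self, user):
        return granted({"Connector": self.connector}, "Connector", user)
    def can(self, user, role, destination):
        # Connect first; then the destination's own roles, else the bus defaults.
        roles = self.destinations.get(destination, self.default_roles)
        return self.can_connect(user) and granted(roles, role, user)
    def can_topic(self, user, role, space, topic):
        # The topic space root must grant the role; with inheritance on, the
        # nearest explicitly configured ancestor topic (or the root) decides.
        ts = self.topic_spaces[space]
        if not self.can_connect(user) or not granted(ts["root"], role, user):
            return False
        if not ts.get("inherit", True):
            return True                  # inheritance disabled: root check only
        parts = topic.split("/")
        for depth in range(len(parts), 0, -1):
            rm = ts["topics"].get("/".join(parts[:depth]))
            if rm is not None:
                return granted(rm, role, user)
        return True                      # no override below the root
```

With a freshly constructed `BusPolicy()`, an authenticated user is refused every destination operation until added to the connector role, which mirrors the default permissions described above.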
Related:
- Bus destinations
- Topic security
- Client authentication on a service integration bus
- Role-based authorization
- Publish/subscribe messaging and topic spaces
- Foreign destinations and alias destinations
- Add unique names to the bus authorization policy
- removeGroupFromAllRoles command
- removeUserFromAllRoles command
- populateUniqueNames command