[Figure: diagram with the labels IBM Integration Toolkit and commands, IBM Integration web console, third-party tools, IBM Integration Explorer, administration and security, authorization queues, integration node, integration node queue manager]
| Object | Name | WebSphere MQ permissions |
|---|---|---|
| Queue manager | Queue manager that is associated with the integration node | Connect, Inquire |
| Queue | SYSTEM.BROKER.DEPLOY.QUEUE | Put |
| Queue | SYSTEM.BROKER.DEPLOY.REPLY | Get, Put |
| Queue | SYSTEM.BROKER.AUTH | Inquire |
Inquire/Read +inq
Put/Write +put
Set/Run +set
1. In IBM Integration Explorer, right-click an authorization queue and click Object Authorities > Manage Authority Records
2. Select a queue under Specific Profiles and then click New to create a new profile
© Copyright IBM Corporation 2013
Creating authorization permissions (2 of 2)
3. Enter the group or user name (based on Entity type)
4. Set permissions
5. Click OK
Granting and revoking authority from a command
• The setmqaut command grants and revokes authorities
• The command is cumulative
– Set authorities explicitly on each setmqaut command to avoid retaining unwanted pre-existing authorities
– To grant and revoke in one command, specify -all to remove all authorities, followed by the required authorities
• Use the dspmqaut command to check that object authorities are set correctly
• Revoke run and write authority for a specific integration server that is called “default”:
setmqaut -m test -t queue -n SYSTEM.BROKER.AUTH.default -g group5 -set -put
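An added example, not from the original slides or from IBM: a POSIX shell check that reads dspmqaut output, compares it with the minimum queue authorities in the permissions table on this page, and prints the setmqaut reset command in the "-all followed by the required authorities" form. The function names, the sample output and the assumed dspmqaut output layout are constructed for illustration.

```shell
# Added example (not IBM code): audit a group's queue authorities against the
# minimum set in this page's table and print the command that resets them.

# Minimum authorities per queue, copied from the page's table.
required_for() {
    case "$1" in
        SYSTEM.BROKER.DEPLOY.QUEUE) echo "put" ;;
        SYSTEM.BROKER.DEPLOY.REPLY) echo "get put" ;;
        SYSTEM.BROKER.AUTH)         echo "inq" ;;
        *) return 1 ;;
    esac
}

# Words on stdin (one per line) -> sorted, de-duplicated, space-separated.
normalise() {
    sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# dspmqaut output on stdin; authorities are assumed to be the single-word
# lines that follow the "Entity ..." header line.
parse_auths() {
    awk 'NF == 1 { print tolower($1) }' | normalise
}

# audit_queue QMGR QUEUE GROUP   (dspmqaut output on stdin)
# Prints OK and returns 0 on an exact match; otherwise prints a setmqaut
# command that clears everything (-all) and re-grants only the required set.
audit_queue() {
    qmgr=$1; queue=$2; group=$3
    want=$(required_for "$queue") || { echo "UNKNOWN $queue"; return 2; }
    have=$(parse_auths)
    if [ "$have" = "$(printf '%s\n' $want | normalise)" ]; then
        echo "OK"; return 0
    fi
    echo "setmqaut -m $qmgr -t queue -n $queue -g $group -all$(printf ' +%s' $want)"
    return 1
}

# Constructed sample of dspmqaut output for a group with excess authorities.
sample_dspmqaut() {
    cat <<'EOF'
Entity group5 has the following authorizations for object SYSTEM.BROKER.DEPLOY.REPLY:
        get
        browse
        put
        inq
EOF
}
sample_dspmqaut | audit_queue test SYSTEM.BROKER.DEPLOY.REPLY group5 || true
```

On a real system the input would come from `dspmqaut -m test -t queue -n SYSTEM.BROKER.DEPLOY.REPLY -g group5` instead of the constructed sample.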
In a command
1. Open the IBM Integration Console.
2. Enter the mqsicreateconfigurableservice command.
Example:
mqsicreateconfigurableservice IB9NODE -c SecurityProfiles -o LDAP -n authentication,authenticationConfig,authorization,authorizationConfig,propagation -v "LDAP,\"ldap://ldap.acme.com:389/ou=sales,o=acme.com\",LDAP,\"ldap://ldap.acme.com:389/cn=All Sales,ou=acmegroups,o=acme.com\",TRUE"
mqsiwebuseradmin brokerSpec -c | -m | -d -u useracct [-a password] [-r role] [-w timeoutSecs] [-v traceFileName]
• List (-l) the web users that are defined within the integration node, and
the roles with which they are associated
• Create (-c) a web user account where the user account parameter
(-u) is the account name
– If role (-r) is not specified, a default role is created with the same name as the
web user account.
• Modify (-m) a web user account
• Delete (-d) a web user