Administer authorization permissions
Service integration messaging security uses role-based authorization. When a user is assigned to a role, the user is granted all of the permissions that the role contains. By administering authorization permissions, we can control user access to a bus and its resources when messaging security is enabled.
For guidance on security authorization for a service integration bus, refer to Service integration security planning.
When a bus is created, a set of default authorization roles is created. Default roles provide authenticated users who have the bus connector role with full access to all local destinations on the bus. By default, only members of the Server group have the bus connector role. If a specific user needs to connect to the bus, we must explicitly add that user to the bus connector role.
We can make changes to authorization permissions when messaging security is enabled or disabled. Any changes that we make when security is disabled do not have any effect until security is enabled, as described in Disable bus security.
LDAP Registry Tip: When we specify the group authorization permissions, the group distinguished name (DN) must be used. If we specify a common name (CN) for the group name, users in that group do not have the specified authorities. For more details, see Standalone LDAP registries.
When security is enabled, by default users cannot connect to a foreign bus. If a specific user needs to connect to a foreign bus, we must explicitly add that user to the foreign bus access list.
Subtopics
- Administer the bus connector role
Adding a group of users to the bus connector role for a local bus grants the members of the group permission to access local bus destinations. Use the administrative console to list, add and remove groups of users in the bus connector role.
- Administer default roles
Service integration bus security uses role-based authorization. By adding a user or a group to the default roles for a secured bus, we can control which users and group members have access to the bus and its resources in the default roles when messaging security is enabled.
- Administer destination roles
Service integration bus security uses role-based authorization. When messaging security is enabled, users and groups must have authority to undertake messaging operations at a bus destination. By administering destination roles, we can control which users and groups can undertake operations at a bus destination, and the types of operations that they can perform.
- Administer foreign bus roles
Service integration bus security uses role-based authorization. When messaging security is enabled, groups of users require authority to send messages from a local bus destination to a foreign bus. By listing, adding and removing users and groups in foreign bus roles, we can control who can send messages to foreign buses.
- Administer temporary destination prefix roles
Service integration bus security uses role-based authorization. A temporary destination prefix can have two role types: creator and sender. The messaging engine uses the temporary destination prefix at runtime to determine which users and groups have authority to create a temporary destination, and to send messages to temporary destinations. By administering temporary destination prefix roles for a bus, we control which users and groups can create and send messages to temporary destinations for a selected bus.
- Administer topic space root roles
Service integration bus security uses role-based authorization. When messaging security is enabled, groups of users require authority to send and receive messages from the topic space root in a publish/subscribe topic hierarchy. By adding and removing users and groups in topic space root roles, we can control access to the topic space root.
- Administer topic roles
Service integration bus security uses role-based authorization. When messaging security is enabled, users and groups require authority to access a topic in a publish/subscribe topic hierarchy. By adding and removing users and groups in topic roles, we can control access to the topic.
- Removing access roles from unknown users and groups
Service integration bus security uses role-based authorization. Users and groups are assigned to access roles for specific bus resources. If a user or a group that has access roles is removed from the user repository, it becomes an unknown user or group. We can identify the unknown users and groups for a selected bus, and remove their access roles.
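The points above (the bus connector role is the gate to the bus, LDAP groups must be named by DN, foreign bus access is denied by default, and destination roles scope access more tightly than the default roles) can be applied from a wsadmin Jython script. The following is an added example, not code from the IBM documentation; it uses the SIBAdminBusSecurity AdminTask commands that wsadmin provides, and the bus, queue, foreign bus and group DN names are constructed placeholders. Outside wsadmin the AdminTask global does not exist, so the script records the planned commands for review instead of executing them.

```python
# Added example (not IBM's code): grant one LDAP group the bus connector role,
# Sender/Receiver on a single queue, and Sender to a foreign bus, via wsadmin.
# SecureBus, PaymentsQueue, PartnerBus and the group DN are constructed names.

class RecordingAdminTask:
    """Stand-in for wsadmin's AdminTask: records each command for a dry run."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        def call(params):
            self.calls.append((name, params))
            return ''
        return call

def grant_messaging_access(admin_task, bus, group_dn, queue, foreign_bus):
    # Without the bus connector role the group cannot connect at all, so it
    # comes first. An LDAP group is named by its DN; a bare CN would leave
    # the members without the authorities that follow.
    admin_task.addGroupToBusConnectorRole('[-bus %s -group "%s"]' % (bus, group_dn))
    # Scope the grant to one queue instead of the default roles, which would
    # open every local destination on the bus to the group.
    for role in ('Sender', 'Receiver'):
        admin_task.addGroupToDestinationRole(
            '[-type queue -bus %s -destination %s -role %s -group "%s"]'
            % (bus, queue, role, group_dn))
    # Foreign bus access is denied by default once security is enabled, so
    # sending to the partner bus needs an explicit Sender role.
    admin_task.addGroupToForeignBusRole(
        '[-bus %s -foreignBus %s -role Sender -group "%s"]' % (bus, foreign_bus, group_dn))
    # Read back the connector role membership for the change record.
    return admin_task.listGroupsInBusConnectorRole('[-bus %s]' % bus)

def planned_commands(bus, group_dn, queue, foreign_bus):
    """Dry run: return the (command, parameters) pairs without a server."""
    recorder = RecordingAdminTask()
    grant_messaging_access(recorder, bus, group_dn, queue, foreign_bus)
    return recorder.calls

# wsadmin sets __name__ to 'main' rather than '__main__' for a script run with -f.
if __name__ in ('__main__', 'main'):
    try:
        task = AdminTask          # global injected by wsadmin (Jython)
    except NameError:
        task = RecordingAdminTask()
    grant_messaging_access(task, 'SecureBus', 'cn=MsgClients,ou=groups,o=example',
                           'PaymentsQueue', 'PartnerBus')
    for name, params in getattr(task, 'calls', []):
        print('AdminTask.%s(%r)' % (name, params))
```

Run inside wsadmin the commands are applied to the live configuration and still need AdminConfig.save() afterwards; run with plain Python the dry-run output lists exactly what would be applied.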
Related:
- Messaging security
- Client authentication on a service integration bus
- Role-based authorization
- Fine-grained administrative security
- Disable bus security
- Enable client SSL authentication
- Secure messages between messaging buses
- Secure access to a foreign bus
- Secure links between messaging engines
- Controlling which foreign buses can link to your bus
- Secure database access
- Secure mediations
- Administer the bus connector role
- populateUniqueNames command
- Secure buses
- Add unique names to the bus authorization policy
- Administer permitted transports for a bus