Configuring Credential Requirements

A user is authorized to perform an operation only if that user is assigned a role that has been granted the required permission for that operation. Users and their roles are configured in the authentication realm. When a realm authenticates a user, it creates a Principal that contains all of the security roles for the user. The list of roles that have been granted a particular permission is called an Access Control List (ACL). Assigning roles to users and granting permissions to roles is the responsibility of the security officer.

To execute an iWay Service Manager (iSM) operation, a user must have the ism.admin role, the <configname>.admin role, or another assigned role that has been granted the permission required for that command. The names of the specific permissions for iSM commands are built into the server.

The set acl command grants a permission to a role and assigns the role to either the general configuration or an application/configuration. If the role applies to a specific application/configuration, then the permissions associated with that role in the application/configuration are used. If the role is not applicable to the specific application/configuration, then the permissions associated with the role in the general server are used. For example, the devmgr role might offer the ability to control a development application, but deny any permissions for production applications other than review.

When using the set acl command to grant a permission to a role in an application, specify the configuration by name as follows:

set acl devserver/devmgr cmdstop -append

Roles can be assigned to server groups by use of regular expressions. For example, if your installation named all development servers with the prefix DEV_, then you might use the set acl command as follows:

set acl DEV_./devmgr cmdstop -append

The regular expression DEV_. indicates all servers beginning with the DEV_ prefix.

When checking permissions, the security system of iSM checks in the following order:

  1. Specific configuration roles.
  2. Regular expression configuration roles.
  3. General server roles.

Note: The general permission ism.admin must be held by the user in order to use the set acl or set policy commands via the command line or the iSM Administration Console.
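The check order above can be modeled as follows. This is an added example, not iSM code: the tuple layout, the function names, the sample entries, the rule that the first tier defining a role overrides later tiers, and matching a pattern from the start of the configuration name are all assumptions made for illustration.

```python
import re

ADMIN_ROLE = "ism.admin"  # general administrator role named on the page

# Constructed sample ACL as (scope, role, permission) tuples.
# scope None = general server, otherwise a configuration name or a pattern.
SAMPLE = [
    ("devserver", "devmgr", "cmdstop"),
    ("devserver", "devmgr", "cmdstart"),
    ("DEV_.", "devmgr", "cmdstop"),
    (None, "devmgr", "cmdpull"),
]

def effective_permissions(entries, config, role):
    """Return (tier, permissions) from the first tier that defines the role."""
    tiers = (
        # 1. Specific configuration roles.
        ("specific", lambda s: s == config),
        # 2. Regular expression configuration roles (assumed prefix-anchored).
        ("regex", lambda s: s is not None and s != config
                            and re.match(s, config)),
        # 3. General server roles.
        ("general", lambda s: s is None),
    )
    for name, in_tier in tiers:
        perms = {p for s, r, p in entries if r == role and in_tier(s)}
        if perms:
            return name, perms
    return None, set()

def is_authorized(entries, config, roles, permission):
    """True if any role of the principal holds the permission for config."""
    # ism.admin and <configname>.admin may execute any operation.
    if ADMIN_ROLE in roles or f"{config}.admin" in roles:
        return True
    return any(permission in effective_permissions(entries, config, r)[1]
               for r in roles)

if __name__ == "__main__":
    for cfg in ("devserver", "DEV_orders", "prodserver"):
        tier, perms = effective_permissions(SAMPLE, cfg, "devmgr")
        print(f"{cfg}: tier={tier} permissions={sorted(perms)}")
```

In this model, which configurations a pattern covers depends on the start-anchored matching assumption, so confirm how your server matches patterns before relying on a prefix.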

For example, to issue the start command, a user must have the required permission. The ACL for the start command is named cmdstart. For more information, see iSM Commands and Corresponding ACL Names. In this scenario, a security officer has decided that a user with the starter role can issue the start command. The ACL for the stop command is named cmdstop, and the security officer has decided that the starter role can also issue the stop command. To accomplish this, the security officer (with administrative authority) must issue the following commands once, when the server is installed:

set acl cmdstart starter
set acl cmdstop starter

At some point, the security officer may decide to give users with the startonly role the ability to start a channel, but not to stop a channel. The security officer issues the following command:

set acl cmdstart startonly

Next, the security officer creates an authentication realm. For more information on the authentication realm, see Realm Based Authentication.

For this example, a properties realm is defined (users.properties), which is commonly used for simple situations. The security officer creates two users, each with a name and password. Tom (password=tomspassword) can start and stop channels, but Fred (password=fredspassword) can only start channels.

The security officer adds the following settings to the properties realm (users.properties):

tom=tomspassword
tom.role0=starter
fred=fredspassword
fred.role0=startonly

Additionally, the security officer decides that Tom can also run process flows from the command line. The security officer issues the following command:

set acl cmdflow flower

The security officer also adds the following line to the properties file:

tom.role1=flower

iSM Commands and Corresponding ACL Names

The roles of the command handler are listed in the following table.

iSM Command     ACL Name
-----------     --------------
Enqueue         cmdflow
Flow            cmdflow
Pull            cmdpull
Refresh         cmdrefresh
Remote          cmdremote
Run             cmdrun
Set acl         cmdsetacl
Set policy      cmdsetpolicy
Set property    cmdsetproperty
Set register    cmdsetregister
Shell (or !)    cmdsys
Start           cmdstart
Stop            cmdstop