Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see MainView Middleware Administrator 9.1.

Setting security strategies

Security is a word that has different meanings and implications in MainView Middleware Administrator (MVMA). Security is not a set of static functions but rather a dynamic set of interactions and behaviors.

If we look at administrative actions that relate to security, we can identify:

  • Site Planning: This includes awareness of the role of the enterprise security team. In most enterprises, established security procedures will affect which security model to apply.
  • Users/Groups Management: This is about configuring and managing users and groups within the application and enterprise spaces. It relates to authentication and authorization, which are described below.
    Users/groups administration is functionally separate from the Product Administration task of associating users and groups with specific projects. This remains your responsibility regardless of the MVMA security model implementation.
  • Project Administration: Project administration also has aspects that relate to security. This includes assigning permissions to users and groups, and associating connections with those projects. Project administration affects enterprise security in that user ability to act on various connections may affect both performance and security.

Authentication

Authentication is the process of checking user credentials on logon and either allowing or denying access. Authentication is implemented in different ways in the five MVMA security models. In each model, the authentication mechanism is named by the first part of the two-part model name; the two parts are separated by an underscore.

Authorization

Authorization includes two aspects, each directly related to product administration:

  • User/Groups administration: the means of creating/configuring and administering users and groups. As in the case of authentication, authorization functions can be treated internally or externally.
  • Permissions assignments: Permissions are the individual rights that let users act upon IBM WebSphere MQ or TIBCO EMS connections. Responsibility for their assignment always remains within the Administrator’s realm.

Users are the enterprise’s user population in general. Groups are sets of users that are associated because of common characteristics or use patterns. Specifically, an Administrator creates user groups to associate with specific projects.

Groups are logically associated with certain managed connections. Creating groups consolidates and simplifies user association with a project. Specifically, it enables the Administrator to batch-assign permissions to users.

User Permissions

A permission is a user right that enables access to a particular function performed on an IBM WebSphere MQ queue manager or TIBCO EMS server. In MVMA, permissions are assigned to principals (users and groups) on a per-project basis.

The association of connections with a project implicitly gives users access to them. The assignment of permissions enables that access.

Note

The user accesses object properties in the Properties Editor. His or her ability to edit a specific property depends on assigned permissions levels.

Permissions within MVMA include:

  • Inquire: Lets users see all accessible project objects and view their properties; Inquire does not let a user create new objects, delete existing objects, change properties, or browse messages.
  • Read: Allows the user to browse messages within the message manager.
  • Write: Lets the user modify and create messages in the message manager.
  • Delete: Allows the user to delete messages in the message manager.
  • Operator: Enables full administrative permission on existing middleware objects, but without the ability to create new objects or delete existing objects.
  • Administration: Lets the user create new objects and administer existing ones.

Note

Neither Operator nor Administration privileges include message access. You must have Read, Write, or Delete privileges in order to access messages.

Permissions and Security

Assigning permissions to users controls access to IBM WebSphere MQ and TIBCO EMS connections within MVMA projects.

Permissions allow users to modify aspects of a queue manager or server. Thus, users might make changes to those objects that affect system security.

If security problems arise because of the assignment of permissions, you can remove specific permissions from a user, delete the user from a specific project, disable a user, or delete a user altogether.

LDAP and Active Directory

LDAP (Lightweight Directory Access Protocol) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

LDAP defines a specific set of operations that are used to service user authentication requests. When an external source is used for either authentication or authorization, Microsoft’s Active Directory is the most common choice. MVMA supports both Active Directory and the SunONE LDAP server.

Note

Within LDAP, group membership can be recursive. If a user is added to a group that nests within a second group, that user becomes a member of both groups.

The security models that use LDAP are:

  • LDAP_ADMIN
  • LDAP_LDAP
  • PREAUTH_LDAP
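The permission semantics described under User Permissions (Inquire through Administration, with Operator and Administration granting no message access) together with the nested LDAP group membership from the Note above, modelled as an added example. This is not MVMA's own code or API: the permission names are the page's, while the action names, group names and project grants are constructed here.

```python
"""Added model of the MVMA permission semantics described above; not MVMA's
own code or API. Permission names are the page's, all other data is constructed."""

# Which permission grants each kind of action. Operator and Administration
# grant no message access (see the Note) and Inquire is view-only; the page
# does not say whether higher permissions imply Inquire, so none is implied.
ACTION_PERMISSIONS = {
    "view_properties": {"Inquire"},
    "browse_messages": {"Read"},
    "create_message": {"Write"},
    "delete_message": {"Delete"},
    "modify_object": {"Operator", "Administration"},
    "create_object": {"Administration"},
}

# Constructed directory: group -> direct members (users or nested groups).
GROUP_MEMBERS = {
    "mq-operators": {"alice"},
    "middleware-admins": {"mq-operators", "bob"},  # nests mq-operators
    "message-readers": {"carol"},
}

# Constructed per-project grants: principal (user or group) -> permissions.
PROJECT_GRANTS = {
    "mq-operators": {"Operator"},
    "middleware-admins": {"Administration"},
    "message-readers": {"Inquire", "Read"},
}

def effective_groups(principal, group_members=GROUP_MEMBERS):
    """Nested membership as the LDAP note describes: a user in a group that
    nests inside a second group belongs to both. Cycle-safe."""
    found, pending = set(), [principal]
    while pending:
        member = pending.pop()
        for group, members in group_members.items():
            if member in members and group not in found:
                found.add(group)
                pending.append(group)
    return found

def effective_permissions(principal, grants=PROJECT_GRANTS, groups=GROUP_MEMBERS):
    """Union of grants to the user and to every group it resolves into."""
    principals = {principal} | effective_groups(principal, groups)
    return set().union(*(grants.get(p, set()) for p in principals))

def is_allowed(principal, action, grants=PROJECT_GRANTS, groups=GROUP_MEMBERS):
    """True when some held permission grants the requested action."""
    return bool(ACTION_PERMISSIONS[action] & effective_permissions(principal, grants, groups))
```

Alice inherits Administration through the nested group yet still cannot browse messages, which is the remediation-relevant edge case the Note calls out.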
