Configuring access to the MQ Console and CLI on the IBM MQ Appliance
Jamie Squibb
I have received a few queries asking how to configure access to the MQ Console and the command line interface (CLI) in version 9 of the IBM MQ Appliance. In response to these queries this article provides a worked example that demonstrates how to configure a number of local users with different levels of authority. The same principles apply if appliance users are defined in an XML file or in an LDAP repository. Hopefully this article provides a useful reference for administrators who need to implement similar policies.
For the purpose of this article let’s assume we need to create the following user accounts:
Full administrative access to system settings and MQ
To configure a user account for Alice that has full administrative access to both system settings and MQ there are two available options.
Option 1: Create a privileged local user account for Alice
To create a privileged user account using the UI:
Option 2: Add Alice to a user group that grants full administrative access
To define a user group that grants full administrative access using the UI:
To create a user account that is a member of the group, follow the steps for creating a privileged user but select the access level "Group defined" and then select the name of the user group.
Full administrative access to system settings but no access to MQ
To configure a user account for Bob that has full administrative access to system settings, but no access to MQ, a user group must be created as in option 2 for Alice. The access profile needs to have the following access policies:
The resulting access profile should look as below (note the boxes are not wide enough to show the entire access policy for the last two entries):
Full administrative access to the MQ Console but no access to system settings
To configure a user account for Carlos that has administrative access to the MQ Console we similarly need to create a user group with the appropriate authority level. Carlos does not require access to view or modify system settings on the appliance so this time we don’t start with a generic profile that grants full access. Instead, we grant only the minimum authority to allow Carlos to use the MQ Console. The access profile needs to have the following access policies:
Finally create a group-defined user account for Carlos and assign him to the group.
Full administrative access to the MQ Console and the MQ CLI
In our scenario Dave has similar access requirements to Carlos, but Dave also needs access to the MQ CLI so he can perform additional actions. To grant Dave this access we need to create a user group as for Carlos, but with the following additional access policies:
Read-only administrative access to the MQ Console
Let's assume Erin is an auditor who requires access to view the MQ configuration but does not require access to perform modifications. Once again we need to configure her user account to be associated with a user group that has the appropriate authority. The user group for Erin needs to be configured as for Carlos, who requires full administrative access, except that only the Read privilege should be granted to the MQ Web Administration resource type.
It is worth noting that when creating a new user group the access profile is pre-populated with the default access policy */*/*?Access=r. This policy grants read-only authority to every resource type, which includes MQ Web Administration. If Erin also requires access to view system settings as well as the MQ configuration then this default profile is likely to be a good starting point. Additional policies can be appended to the profile to add or revoke specific authority, such as granting the authority for users to change their password.
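To make the effect of appending policies to the default profile concrete, here is a small model of how a profile of address/domain/resource-type?Access=privs policies resolves to privileges. This is an added illustration, not code from the article or the appliance; it assumes '+'-separated privilege letters and that the most specific matching policy (the one with the fewest wildcards) wins, and the resource-type names in the sample profiles are illustrative only.

```python
# Added example: simplified model of RBM access-profile resolution.
# Assumptions (not taken from the article): privileges are '+'-separated
# letters, a policy '*' also spans '/', and the most specific matching
# policy wins. Resource-type names below are illustrative, not official.
from fnmatch import fnmatchcase

def parse_policy(policy):
    """Split 'addr/domain/type?Access=r+w' into (path glob, privilege set)."""
    path, _, query = policy.partition("?")
    privs = ""
    for param in query.split("&"):
        key, _, value = param.partition("=")
        if key == "Access":
            privs = value
    return path, {p for p in privs.split("+") if p}

def specificity(path):
    """Assumed tie-break: more literal (non-wildcard) text = more specific."""
    return len(path.replace("*", ""))

def permissions(profile, resource):
    """Privileges granted on a concrete resource by the best-matching policy."""
    best = None
    for policy in profile:
        path, privs = parse_policy(policy)
        if fnmatchcase(resource, path):
            if best is None or specificity(path) > specificity(best[0]):
                best = (path, privs)
    return best[1] if best else set()

def can(profile, resource, priv):
    """True if the profile grants privilege letter `priv` on `resource`."""
    return priv in permissions(profile, resource)

# Constructed sample profiles. The first is the pre-populated default from
# the article; the second appends a more specific policy that overrides it
# for the (illustrative) MQ web administration resource type only.
DEFAULT_READ_ONLY = ["*/*/*?Access=r"]
ADMIN_MQ_CONSOLE = DEFAULT_READ_ONLY + ["*/*/mq/webadmin?Access=r+w+a+d+x"]

if __name__ == "__main__":
    res = "10.0.0.1/default/mq/webadmin"   # constructed address/domain/type
    print("auditor:", sorted(permissions(DEFAULT_READ_ONLY, res)))
    print("admin:  ", sorted(permissions(ADMIN_MQ_CONSOLE, res)))
    print("admin on other type:", sorted(permissions(ADMIN_MQ_CONSOLE,
                                                    "10.0.0.1/default/mq/cli")))
```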
Limited access to one queue manager using the MQ Console
The last example I’ll cover in this article is for Frank, who requires limited access to one queue manager on the appliance. He does not require access to the remainder of the MQ configuration. Configuring access for Frank is a little more involved than for the other examples I’ve covered, but hopefully it will be easy to understand.
Step 1: Appliance user setup
Firstly, we need to configure an appliance user account for Frank. As for the other examples, a user group must be created that grants access to log in to the appliance UI, but this time it grants user access to the MQ Console instead of administrative access. Create a user group with an access profile that contains the following access policies:
Create a group-defined user account for Frank, for example called frank, and assign it to the group.
Step 2: Messaging user setup
User access to the MQ Console requires a messaging user of the same name to be defined so that MQ authorities can be granted to it using the MQ object authority manager (OAM). To create the messaging user, log in to the appliance using SSH, enter the MQ CLI using the mqcli command, then use the usercreate command, such as:
usercreate -u frank
Note that a password is not required for the messaging user because the appliance user password is used to access the MQ Console. For more information about defining messaging users see the Administering messaging users topic in Knowledge Center at http
Once a messaging user has been defined for Frank then MQ authority commands must be run to grant him the access he requires. This access can be defined to the OAM using MQSC (or equivalent) and it can be granted directly to Frank’s user ID or to a messaging group his ID belongs to.
Let’s assume that Frank only requires authority to display information about the queue manager QM1 and the queues defined on it. The following MQSC commands, when run on QM1, allow Frank to access the queue manager using the MQ Console:
The following MQSC commands grant Frank the authority he requires to display information about the queue manager and its queues:
Putting it together
If you need to create other users with limited access to the MQ Console you need to repeat both steps, but you can reuse the same user group defined for Frank in step 1. If you need a number of users with the same authority consider using a messaging group in step 2 instead of defining authorities for each principal (user) individually.
Below is an example screenshot of the MQ Console to demonstrate the restricted access that Frank has been granted. It shows that his user does not have access to view topic objects on queue manager QM1 because he was only granted access to view the queue manager and queue objects. It similarly shows he does not have access to view queues on queue manager QM2.
This article has shown how to configure users on the MQ Appliance with different levels of access to the MQ Console and the MQ CLI. Thank you for reading and I hope you found it useful.
Introducing the MQ Appliance Version 9.0.1
MQ Appliance v9.0.1 Console overview
IBM Knowledge Center: IBM MQ Appliance 9.0.x
IBM Knowledge Center: IBM MQ Console security
IBM Knowledge Center: Administration using the IBM MQ Console
Introducing Role-Based Management (RBM) for the IBM MQ Appliance
Bitesize Blogging: MQ 9.0.1 - IBM MQ Console Role Based Access Control
What’s new for the IBM MQ Console in 9.0.1