Users and applications

IBM® MQ as a Service access control is managed by the Identity and Access Management (IAM) service in IBM Cloud®, or by the IBM SaaS Console in AWS. Permissions are mapped to access rights in the IBM MQ queue managers within your IBM MQ service instance. This topic describes how that mapping is achieved.

IBM MQ as a Service makes a distinction between Administrators and Applications, which in IAM terminology are equivalent to Users and Service IDs. Both can access an IBM MQ queue manager, but they belong to different groups and have different access rights.

Administrators are given an IAM access policy that automatically adds them to the standard mqm group for all queue managers in their service instance, and therefore they have full administrator access rights.

Applications are given an IAM access policy that automatically adds them to the mqwriters group. This group gives applications permission to read from and write to queues in the queue manager, but does not give them administration privileges.

On deployment of a queue manager within IBM MQ as a Service, two channels are created for you:

  • CLOUD_ADMIN_SVRCONN is a channel for administration, and is therefore accessible by Administrators.
  • CLOUD_APP_SVRCONN is a channel for queue access, and is therefore available to Applications.

IBM MQ Usernames

To access an IBM MQ as a Service queue manager, a username and a password are required. The username is restricted to 12 characters and must contain only lowercase characters (a-z) and numbers (0-9).

When you create users and applications in IBM MQ as a Service, you must give each entity a name (for an administrator, this must be a valid email address), from which a shorter name, called an MQ username, is generated. This shorter name is based on the email address, is guaranteed to be unique within the service instance, and conforms to the required IBM MQ username format.
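The following added example (not IBM's code; IBM does not publish its derivation algorithm) checks a name against the 12-character, lowercase a-z and 0-9 username format stated above, derives a candidate MQ username from an email address with a hypothetical truncate-and-suffix scheme that keeps it unique within a set of names already taken in the service instance, and records the group and channel mapping described in the sections above:

```python
import re
from typing import Iterable

# Constraints stated in the text: at most 12 characters, only a-z and 0-9.
MAX_LEN = 12
MQ_USERNAME_RE = re.compile(r"^[a-z0-9]{1,12}$")

# Identity kind -> (IAM entity, queue manager group, channel), as the text describes.
ACCESS_MAPPING = {
    "administrator": ("User", "mqm", "CLOUD_ADMIN_SVRCONN"),
    "application": ("Service ID", "mqwriters", "CLOUD_APP_SVRCONN"),
}


def is_valid_mq_username(name: str) -> bool:
    """True if `name` satisfies the IBM MQ username format described above."""
    return MQ_USERNAME_RE.fullmatch(name) is not None


def derive_mq_username(display_name: str, existing: Iterable[str]) -> str:
    """Derive a short, unique MQ username from an email address or app name.

    Assumption (hypothetical scheme, not IBM's algorithm): keep the part before
    '@', lower-case it, drop characters outside a-z0-9, truncate to MAX_LEN,
    and append a numeric suffix until the result is not already in `existing`.
    """
    local_part = display_name.split("@", 1)[0].lower()
    base = re.sub(r"[^a-z0-9]", "", local_part)
    if not base:
        raise ValueError("no usable characters in %r" % display_name)
    taken = set(existing)
    candidate = base[:MAX_LEN]
    suffix = 1
    while candidate in taken:
        tail = str(suffix)
        # Truncate the base so that base + suffix still fits in MAX_LEN.
        candidate = base[:MAX_LEN - len(tail)] + tail
        suffix += 1
    assert is_valid_mq_username(candidate)
    return candidate


def expected_access(kind: str):
    """Return (IAM entity, group, channel) for 'administrator' or 'application'."""
    return ACCESS_MAPPING[kind]


if __name__ == "__main__":
    # Constructed sample input: one email that collides with an existing name.
    print(derive_mq_username("Alice.Smith@example.com", ["alicesmith"]))
```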

Passwords

At the IBM MQ as a Service level, access control is implemented using API keys. These are used by the system as the passwords associated with users and applications at the IBM MQ level.

In the panel showing the list of queue managers in your service instance, there are two tabs, User credentials and Application credentials, that allow you to create user credentials and application credentials.

[Figure: the User credentials and Application credentials tabs]
Important: Administrators must generate and use their own Administrator API key. This must be used as their password to connect to a queue manager.

The Application credentials panel enables you to create an individual API key associated with a specific application. This is the password to be used with that application when connecting to all queue managers in your service instance, and so each application has a different password.