Operations performed in the IBM® MQ Console, or REST API, by a user in the MQWebUser role take place under the security context of the user.
About this task
See Roles on the IBM MQ Console and REST API for more information on the roles in the IBM MQ Console and REST API.
Use the following procedure to grant a user, in the MQWebUser role, access to the queue manager resources required to use the IBM MQ Console or REST API.
Procedure
- Grant the mqweb server started task user ID alternate user access to each user ID in the MQWebUser role.
Do this on every queue manager that users will administer through the IBM MQ Console or REST API.
You can use the following sample RACF® commands to grant the mqweb server started task user ID alternate user access to a user in the MQWebUser role:
RDEFINE MQADMIN hlq.ALTERNATE.USER.userId UACC(NONE)
PERMIT hlq.ALTERNATE.USER.userId CLASS(MQADMIN) ACCESS(UPDATE) ID(mqwebUserId)
SETROPTS RACLIST(MQADMIN) REFRESH
where:
hlq - Is the profile prefix, which can be either the queue manager name or the queue sharing group name
userId - Is the user in the MQWebUser role
mqwebUserId - Is the mqweb server started task user ID
Note: If you are using mixed-case security, use the MXADMIN class rather than the MQADMIN class.
- Grant each user in the MQWebUser role access to system queues that are necessary to use the IBM MQ Console and REST API.
To do this, for both the SYSTEM.ADMIN.COMMAND.QUEUE and SYSTEM.REST.REPLY.QUEUE, give each user UPDATE access to the MQQUEUE or MXQUEUE classes, depending on whether mixed-case security is in use.
You need to do this on every queue manager that the user will administer through the REST API, including remote queue managers administered through the administrative REST API gateway.
- To allow a user in the MQWebUser role to administer remote queue managers, grant the user UPDATE access to the profile, in the MQQUEUE or MXQUEUE class, that protects the transmission queue used to send commands to the remote queue manager. Note that you need to give the user this UPDATE access on the gateway queue manager.
On the remote queue manager, grant the same user access to put to the transmission queue used to send command response messages back to the gateway queue manager.
- Grant the users in the MQWebUser role access to any other resources required to perform the operations supported by the IBM MQ Console and REST API.
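The first three steps of the procedure, as an added example that is not part of the original page or IBM's own tooling: a small generator that emits the RACF commands for one queue manager prefix, switching to the MXADMIN and MXQUEUE classes for mixed-case security. The function names, the user IDs MQWEBSTC and ALICE, and the queue manager names QMGW and QMR1 are placeholders; the example assumes a discrete profile named hlq.queueName already protects each queue, and that the transmission queue is named after the target queue manager.

```python
# Added example: emit the RACF commands for steps 1-3 of the procedure above.
# All prefixes, user IDs and transmission queue names are placeholders.

SYSTEM_QUEUES = ("SYSTEM.ADMIN.COMMAND.QUEUE", "SYSTEM.REST.REPLY.QUEUE")


def racf_classes(mixed_case):
    """Return (admin class, queue class); the MX* pair is for mixed-case security."""
    return ("MXADMIN", "MXQUEUE") if mixed_case else ("MQADMIN", "MQQUEUE")


def permit(profile, cls, user):
    """Build a PERMIT command that gives `user` UPDATE access to `profile`."""
    return f"PERMIT {profile} CLASS({cls}) ACCESS(UPDATE) ID({user})"


def grant_commands(hlq, mqweb_user_id, users, mixed_case=False, xmitqs=()):
    """Commands for one queue manager (or queue sharing group) prefix `hlq`.

    xmitqs: transmission queues on this queue manager that the users put to
    (step 3): towards the remote queue manager when `hlq` is the gateway,
    back towards the gateway when `hlq` is the remote queue manager.
    """
    admin_cls, queue_cls = racf_classes(mixed_case)
    cmds = []
    # Step 1: the mqweb started task user ID gets alternate user access,
    # one profile per MQWebUser user, with no universal access.
    for user in users:
        profile = f"{hlq}.ALTERNATE.USER.{user}"
        cmds.append(f"RDEFINE {admin_cls} {profile} UACC(NONE)")
        cmds.append(permit(profile, admin_cls, mqweb_user_id))
    # Steps 2 and 3: each user gets UPDATE on the two system queues and on
    # any transmission queue. Assumes the discrete queue profiles exist.
    for queue in (*SYSTEM_QUEUES, *xmitqs):
        cmds.extend(permit(f"{hlq}.{queue}", queue_cls, user) for user in users)
    # Refresh the RACLISTed classes, as the page's sample does for MQADMIN.
    cmds.append(f"SETROPTS RACLIST({admin_cls}) REFRESH")
    cmds.append(f"SETROPTS RACLIST({queue_cls}) REFRESH")
    return cmds


if __name__ == "__main__":
    # Constructed sample: gateway queue manager QMGW, remote queue manager QMR1.
    for line in grant_commands("QMGW", "MQWEBSTC", ["ALICE"], xmitqs=["QMR1"]):
        print(line)
    for line in grant_commands("QMR1", "MQWEBSTC", ["ALICE"], xmitqs=["QMGW"]):
        print(line)
```

Review the generated commands before issuing them, and run each set against the security database used by the queue manager it names.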