Access to IBM MQ resources required to use the IBM MQ Console or REST API

Operations performed in the IBM® MQ Console, or REST API, by a user in the MQWebUser role take place under the security context of the user.

About this task

See Roles on the IBM MQ Console and REST API for more information on the roles in the IBM MQ Console and REST API.

Use the following procedure to grant a user, in the MQWebUser role, access to the queue manager resources required to use the IBM MQ Console or REST API.

Procedure

  1. Grant the mqweb server started task user ID alternate user access to each user ID in the MQWebUser role.
    Do this on every queue manager that users will administer through the IBM MQ Console or REST API.
    You can use the following sample RACF® commands to grant the mqweb server started task user ID alternate user access to a user in the MQWebUser role:
    
    RDEFINE MQADMIN hlq.ALTERNATE.USER.userId UACC(NONE)
    PERMIT hlq.ALTERNATE.USER.userId CLASS(MQADMIN) ACCESS(UPDATE) ID(mqwebUserId)
    SETROPTS RACLIST(MQADMIN) REFRESH
    
    where:
    hlq
        Is the profile prefix, which can be either the queue manager name or the queue sharing group name.
    userId
        Is the user in the MQWebUser role.
    mqwebUserId
        Is the mqweb server started task user ID.
    Note: If you are using mixed-case security, use the MXADMIN class rather than the MQADMIN class.
  2. Grant each user in the MQWebUser role access to system queues that are necessary to use the IBM MQ Console and REST API.
    To do this, give each user UPDATE access to the profiles that protect both SYSTEM.ADMIN.COMMAND.QUEUE and SYSTEM.REST.REPLY.QUEUE in the MQQUEUE class, or in the MXQUEUE class if mixed-case security is in use.

    You need to do this on every queue manager that the user will administer through the REST API, including remote queue managers administered through the administrative REST API gateway.

  3. To allow a user in the MQWebUser role to administer remote queue managers, grant the user UPDATE access to the profile in the MQQUEUE or MXQUEUE class that protects the transmission queue used to send commands to the remote queue manager. Grant this UPDATE access on the gateway queue manager.

    On the remote queue manager, grant the same user access to put to the transmission queue used to send command response messages back to the gateway queue manager.
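
Steps 1 to 3 for one profile prefix, generated as RACF command text so the same grants can be repeated on every queue manager. This is an added example, not IBM code: the function name, its parameters, the character check and the sample IDs (QM1, QM2, MQWEBSTC, ALICE, BOB) are assumptions, and the queue profiles are assumed to follow the same hlq-prefixed naming as the MQADMIN profile in step 1.

```python
import re

# Conservative character check (an assumption of this example, not a RACF rule):
# stops an input from smuggling extra operands into a generated command.
_SAFE = re.compile(r"[A-Za-z0-9.#$@_%/]+")
SYSTEM_QUEUES = ("SYSTEM.ADMIN.COMMAND.QUEUE", "SYSTEM.REST.REPLY.QUEUE")


def racf_commands(hlq, mqweb_user_id, web_users, mixed_case=False, xmit_queues=()):
    """Build the RACF commands for steps 1 to 3 under one profile prefix (hlq).

    Hypothetical helper. Assumes none of the profiles exist yet; drop the
    RDEFINE lines for profiles that are already defined.
    """
    for value in (hlq, mqweb_user_id, *web_users, *xmit_queues):
        if not _SAFE.fullmatch(value):
            raise ValueError(f"unsafe value for a RACF command: {value!r}")
    # Mixed-case security uses the MX* classes instead of the MQ* classes.
    admin_cls, queue_cls = ("MXADMIN", "MXQUEUE") if mixed_case else ("MQADMIN", "MQQUEUE")
    cmds = []
    # Step 1: the mqweb started task user ID gets alternate user access to each user.
    for user in web_users:
        profile = f"{hlq}.ALTERNATE.USER.{user}"
        cmds.append(f"RDEFINE {admin_cls} {profile} UACC(NONE)")
        cmds.append(f"PERMIT {profile} CLASS({admin_cls}) ACCESS(UPDATE) ID({mqweb_user_id})")
    # Steps 2 and 3: each user gets UPDATE on the system queues and on any
    # transmission queue used to reach another queue manager.
    for queue in (*SYSTEM_QUEUES, *xmit_queues):
        profile = f"{hlq}.{queue}"
        cmds.append(f"RDEFINE {queue_cls} {profile} UACC(NONE)")
        for user in web_users:
            cmds.append(f"PERMIT {profile} CLASS({queue_cls}) ACCESS(UPDATE) ID({user})")
    # Refresh the in-storage profiles once per class, after all changes.
    cmds.append(f"SETROPTS RACLIST({admin_cls}) REFRESH")
    cmds.append(f"SETROPTS RACLIST({queue_cls}) REFRESH")
    return cmds


if __name__ == "__main__":
    # Constructed sample IDs: gateway queue manager QM1, transmission queue QM2.
    print("\n".join(racf_commands("QM1", "MQWEBSTC", ["ALICE", "BOB"], xmit_queues=["QM2"])))
```

Run it once per queue manager or queue sharing group prefix and review the output before submitting it, so that each user ends up with only the UPDATE grants listed in the steps.
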

  4. Grant the users in the MQWebUser role access to any other resources required to perform the operations supported by the IBM MQ Console and REST API.
    The access needed to: