User authorization, credential mapping, and access profiles

The credential mapping part of role based management authorizes appliance users to use different features on the IBM® MQ Appliance.

When you define credential mapping under role based management, you specify which resources appliance users have access to. Credential mapping provides a high degree of granularity in which resources can be excluded or included. For example, you can specify that a user can be mapped onto a set of credentials that allow modification of network settings, but prohibit changing user settings.

Access that appliance users have to resources is controlled by an access profile. The access profile defines the set of privileges for one or more resources on the appliance. Privileges for a resource can be one or more of the following permissions:
  • Read
  • Write
  • Add
  • Delete
  • Execute
A bundle of access rights (also termed access policies) constitutes an access profile. An access profile can originate from either of the following credential mapping sources:
Local user group
Locally configured user group.
XML file
A file that defines access profiles.
After an appliance user is authenticated and the access profile is evaluated, the appliance enforces the established access profile. The IBM MQ Appliance web UI displays only resources that the user has access to, and the command line recognizes only commands for resources that the user has access to. For commands that users do not have access to, the command line displays the following message.
Unknown command or macro (command)

Access to IBM MQ resources

The following resources control administrative access by appliance users to IBM MQ on the appliance:
mq/cli
Granting execute permission on this resource allows the user to use the IBM MQ commands on the command line. The user can issue the mqcli command and administer the MQ aspects of the system. Users can access the command line by using SSH or by using the serial command line connection to the appliance. All permissions other than execute on the mq/cli resource are ignored.
mq/webadmin
Granting read/write permission to this resource allows the user to administer IBM MQ by using the IBM MQ Console and the MQ REST API. Granting read permission only allows the user only to view IBM MQ objects by using the IBM MQ Console and the MQ REST API, but not to change anything. All other permissions on this resource are ignored.
mq/webuser
This resource allows you to delegate the MQ authority checks for this appliance user to a matching messaging user. A messaging user with the same name must be defined on the appliance by using the messaging user and group commands (see Messaging user and group commands). The authorities for this messaging user are used for all operations in the IBM MQ Console and for the MQ REST API. Grant execute permission on the mq/webuser resource to represent 'execution with delegated authority'. Other permissions against this resource are ignored.
mq/mftwebadmin
Granting read/write permission to this resource allows the user to perform all Managed File Transfer (MFT) operations using the MQ REST API. Granting read permission allows the user only to perform read only operations (GET requests), such as list transfer and list agents. All other permissions on this resource are ignored.

See Roles on the IBM MQ Console and REST API in the IBM MQ documentation for more details about IBM MQ resources.