Granting limited access to a queue manager

In this scenario user Frank is granted access to use the IBM® MQ Console to view details about a single queue manager.

About this task

There are two stages to configuring a user to have access to a single queue manager, and no other parts of the IBM MQ or appliance configurations.

First, you create a user group that gives its members access to the IBM MQ Console, and add Frank to that group. You use the IBM MQ Appliance web UI to complete this stage.

Then you create a messaging user of the same name (Frank) so that MQ authorities can be granted to Frank by using the MQ object authority manager (OAM). You use the IBM MQ command line, MQCLI, to complete this stage.

Procedure

  • To create a user group with access to the IBM MQ Console, and add Frank to it, complete the following steps:
    1. Start the IBM MQ Appliance web UI, and click the administration icon.
    2. Select Access > User Group.
    3. Click Add.
    4. Enter a name for the user group, in this case enter MQConsoleLimited.
    5. Specify the following access policies in the access profile:
      • Define an access policy that enables group members to log into the IBM MQ Console. Click Add and enter the following policy:
        */*/login/web-mgmt?Access=r
      • Define another access policy that grants group members the required permission to access IBM MQ in the IBM MQ Console. Click Add and enter the following policy:
        */*/mq/webuser?Access=x
      • Define another access policy that grants users in the group authority to change their own password. Click Add and enter the following policy:
        */*/access/change-password?Access=x
      You can also use the policy builder to define the access policies. If you use the builder, specify the following resources:
      • Web-Mgmt (read privilege)
      • MQ Web User (execute privilege)
      • Change User Password (execute privilege)
    6. Create a user account for Frank. Select Access > User Account and specify Frank as the user name.
    7. Select an Access level of Group defined, and in User group select the MQConsoleLimited group that you just created.
    8. Click Apply to create the user account.
  • To define a messaging user, complete the following steps:
    1. Log into the appliance command line, and enter the MQ CLI:
      mqa# mqcli
      mqa (mqcli)#
    2. Create the messaging user Frank:
      mqa (mqcli)# usercreate -u Frank
      You do not need to specify a password because the appliance user password is used to log in to the IBM MQ Console. See Administering messaging users for more information about messaging users.
    3. You must now run MQ authority commands to give Frank the required access. You can define the access by using MQSC and grant it directly to Frank (you could also define a messaging group, add Frank to it, and grant access to that group). Assuming Frank only needs to display information about the queue manager QM1 and the queues defined on it, run the following MQSC commands to grant Frank the authorities that the IBM MQ Console needs to display QM1 and its queues:
      mqa (mqcli)# runmqsc QM1
      5724-H72 (C) Copyright IBM Corp. 1994, 2025.
      Starting MQSC for queue manager QM1.
      SET AUTHREC PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('Frank') AUTHADD(PUT)
      SET AUTHREC PROFILE(SYSTEM.REST.REPLY.QUEUE) OBJTYPE(QUEUE) PRINCIPAL('Frank') AUTHADD(PUT,GET,INQ,BROWSE)
      SET AUTHREC OBJTYPE(QMGR) PRINCIPAL('Frank') AUTHADD(DSP)
      SET AUTHREC PROFILE(**) OBJTYPE(QUEUE) PRINCIPAL('Frank') AUTHADD(DSP)
      
      You could use the IBM MQ Console instead of runmqsc to define the MQ authorities for Frank, if required.
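As an added check that is not part of the IBM procedure: after the SET AUTHREC commands, DISPLAY AUTHREC PRINCIPAL('Frank') OBJTYPE(ALL) in runmqsc lists what Frank actually holds. The Python below (example code, not IBM's; the sample listing is constructed and its layout only approximates real runmqsc output) parses such a listing and reports any authority beyond the four grants above, so you can confirm least privilege before handing over the account.

```python
import re

# Constructed sample of runmqsc DISPLAY AUTHREC output (format approximated, not
# captured from an appliance); the last record carries a planted over-grant (PUT).
SAMPLE_AUTHREC_OUTPUT = """\
AMQ8864I: Display authority record details.
   PROFILE(SYSTEM.ADMIN.COMMAND.QUEUE)     ENTITY(Frank)
   ENTTYPE(PRINCIPAL)                      OBJTYPE(QUEUE)
   AUTHLIST(PUT)
AMQ8864I: Display authority record details.
   PROFILE(SYSTEM.REST.REPLY.QUEUE)        ENTITY(Frank)
   ENTTYPE(PRINCIPAL)                      OBJTYPE(QUEUE)
   AUTHLIST(BROWSE,GET,INQ,PUT)
AMQ8864I: Display authority record details.
   PROFILE(QM1)                            ENTITY(Frank)
   ENTTYPE(PRINCIPAL)                      OBJTYPE(QMGR)
   AUTHLIST(DSP)
AMQ8864I: Display authority record details.
   PROFILE(**)                             ENTITY(Frank)
   ENTTYPE(PRINCIPAL)                      OBJTYPE(QUEUE)
   AUTHLIST(DSP,PUT)
"""
# The four grants the procedure intends for Frank; anything beyond them is an over-grant.
EXPECTED = {
    ("QUEUE", "SYSTEM.ADMIN.COMMAND.QUEUE"): {"PUT"},
    ("QUEUE", "SYSTEM.REST.REPLY.QUEUE"): {"PUT", "GET", "INQ", "BROWSE"},
    ("QMGR", "QM1"): {"DSP"},
    ("QUEUE", "**"): {"DSP"},
}
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # KEYWORD(value) pairs on a record line

def parse_authrecs(text):
    """Return [(objtype, profile, entity, {auths})] for each AMQ8864I record."""
    records = []
    for block in text.split("AMQ8864I:")[1:]:
        attrs = dict(ATTR.findall(block))
        auths = {a.strip() for a in attrs.get("AUTHLIST", "").split(",") if a.strip()}
        records.append((attrs["OBJTYPE"], attrs["PROFILE"], attrs["ENTITY"], auths))
    return records

def find_over_grants(text, principal, expected):
    """Map (objtype, profile) -> authorities held by principal beyond the allowlist."""
    extras = {}
    for objtype, profile, entity, auths in parse_authrecs(text):
        if entity != principal:
            continue
        extra = auths - expected.get((objtype, profile), set())
        if extra:
            extras[(objtype, profile)] = extra
    return extras
```

Run against the constructed listing it flags the planted PUT on the ** queue profile; an empty result means Frank holds nothing beyond the intended display-only set.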