Configuring user access to the IBM MQ Console, REST API, and the CLI

You can configure the appliance so that different users have different levels of access to the IBM® MQ Console, the REST API, and the CLI.

Users can administer IBM MQ on the appliance in different ways, and each user can be individually granted or denied access to these tools. Access is controlled by the appliance access policies, which provide functionality equivalent to that described for IBM MQ on other platforms in "Roles on the IBM MQ Console and REST API" in the main IBM MQ documentation. The following table maps the IBM MQ role names onto the available appliance access policies:

Table 1. Roles and access policies

IBM MQ roles     Appliance access policy
-------------    --------------------------
MQWebAdmin       mq/webadmin?Access=r+w
MQWebAdminRO     mq/webadmin?Access=r
MQWebUser        mq/webuser?Access=x
MFTWebAdmin      mq/mftwebadmin?Access=r+w
MFTWebAdminRO    mq/mftwebadmin?Access=r

To illustrate how you can configure the appliance in this way, this topic implements the following scenario:
  • Alice requires full administrative access to both appliance system settings and IBM MQ.
  • Bob requires administrative access to appliance system settings but he does not require access to IBM MQ.
  • Carlos requires full administrative access to the IBM MQ Console but no access to appliance system settings.
  • Dave requires full administrative access to the IBM MQ Console, REST API, and IBM MQ CLI.
  • Erin requires read-only administrative access to the IBM MQ Console so she can monitor IBM MQ and its configuration.
  • Frank requires limited access to one queue manager using the IBM MQ Console.
  • The ID MQAPP is added as a messaging user and given the MQWebUser role to enable access to the messaging REST API. This user has no administrative access to IBM MQ (or to the appliance).