Credential mapping with an XML file

You can configure the IBM® MQ Appliance to map user names onto access policies that are defined in an XML file.

You create an XML file that contains policy details. The same file can contain user authentication details.

The policy defines the set of permissions that a user has for the various appliance resources. This feature is known as user authorization. A user name is mapped onto these policies according to the user authentication method:
  • If users are authenticated by using LDAP, then the user's distinguished name is the input credential for policies that are defined in the XML file. If the appliance is configured to look up groups the user belongs to in an LDAP server, then the returned attribute that is specified in the LDAP search parameters is used as the input credential for each group instead.
  • If users are authenticated by using an XML file, then the same user credential is used as input for policies that are defined in the XML file.
  • If you use local user definitions, then the user name is the input credential for policies that are defined in the XML file.
An example XML file is given in Example RBM XML file. This file defines the following credentials:
  <!-- AUTHORIZATION -->

  <!-- (1) direct mapping of user to policy -->

  <!-- user to policy mapping -->
  <MapCredentials>
      <InputCredential>devadmin</InputCredential>
      <OutputCredential>
        */*/*?Access=rwadx
      </OutputCredential>
  </MapCredentials>

  <!-- (2) mapping of user to group to policy -->

  <!-- user to group mapping -->
  <MapCredentials>
      <InputCredential>user</InputCredential>
      <OutputCredential>useradmin</OutputCredential>
  </MapCredentials>

  <!-- LDAP user to group mapping -->
  <MapCredentials>
      <InputCredential>uid=tuser,ou=people,dc=cambridge,dc=ibm,dc=com</InputCredential>
      <OutputCredential>useradmin</OutputCredential>
  </MapCredentials>

  <!-- group to policy mapping -->
  <MapCredentials>
      <InputCredential>useradmin</InputCredential>
      <OutputCredential>
        */*/access/username?Access=rwad
        */*/access/usergroup?Access=rwad
        */*/status/object-status?Access=r
        */*/login/web-mgmt?Access=x
      </OutputCredential>
  </MapCredentials>
Note: The InputCredential value is a PCRE regular expression, not a literal string. In the example, the InputCredential 'user' matches any credential that contains 'user' as a substring (for example, 'users', 'user300', or 'banned user'). To require an exact match, use the anchored pattern '^user$'.

In the example, devadmin is mapped directly onto a policy that grants full access to appliance resources. user maps onto the group useradmin, and the group useradmin is in turn mapped onto a number of policies that give more restricted access to appliance resources. The example also shows an LDAP user that is mapped onto the group useradmin.
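The following script is an added illustration, not part of the IBM documentation or the appliance's code. It parses a constructed fragment modelled on the example above, follows the user to group to policy chain, and shows why the unanchored 'user' pattern from the note also matches 'banned user' until the InputCredential values are anchored. The resolution model (Python's re.search standing in for PCRE substring matching, and an output token counting as a policy when it carries '?Access=') is an assumption for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the page's example, wrapped in a root element
# so that it parses stand-alone (the real RBM file contains more than this).
RBM_FRAGMENT = """<RBMPolicy>
  <MapCredentials>
    <InputCredential>devadmin</InputCredential>
    <OutputCredential>*/*/*?Access=rwadx</OutputCredential>
  </MapCredentials>
  <MapCredentials>
    <InputCredential>user</InputCredential>
    <OutputCredential>useradmin</OutputCredential>
  </MapCredentials>
  <MapCredentials>
    <InputCredential>useradmin</InputCredential>
    <OutputCredential>
      */*/access/username?Access=rwad
      */*/status/object-status?Access=r
    </OutputCredential>
  </MapCredentials>
</RBMPolicy>"""

def load_mappings(xml_text):
    """Return (compiled InputCredential regex, OutputCredential tokens) pairs in file order."""
    root = ET.fromstring(xml_text)
    return [(re.compile(m.findtext("InputCredential").strip()),
             m.findtext("OutputCredential").split())
            for m in root.iter("MapCredentials")]

def resolve(credential, maps, seen=None):
    """Collect the policies a credential ends up with, following user -> group -> policy
    chains. Assumed model: unanchored search (PCRE substring semantics per the note)."""
    seen = set() if seen is None else seen
    if credential in seen:            # guard against mapping loops
        return set()
    seen.add(credential)
    policies = set()
    for regex, outputs in maps:
        if regex.search(credential):
            for out in outputs:
                if "?Access=" in out:  # assumed: policy tokens carry '?Access='
                    policies.add(out)
                else:                  # otherwise a group name: resolve it in turn
                    policies |= resolve(out, maps, seen)
    return policies

def anchor_inputs(xml_text):
    """Rewrite every InputCredential as an anchored literal ('^...$'), the exact-match form."""
    root = ET.fromstring(xml_text)
    for ic in root.iter("InputCredential"):
        ic.text = "^" + re.escape(ic.text.strip()) + "$"
    return ET.tostring(root, encoding="unicode")
```

Running resolve("banned user", load_mappings(RBM_FRAGMENT)) returns the useradmin policies, and "devadminuser" picks up the full-access policy as well; after anchor_inputs, "banned user" resolves to nothing while "user" still reaches the useradmin policies.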

Access policies are described in Access policies.

If required, you can configure an LDAP search to retrieve user groups from LDAP directories for users that are authenticated by an XML file or by local user definitions. The returned user groups can then be mapped onto access policies that are defined in the XML file. In these cases you must configure the LDAP search so that the XML file or local user name is used as the input credential to the LDAP query. You might then need, for example, to append a common suffix to the user name to build an LDAP user distinguished name when querying the user's group membership.