Role based management

Appliance users and their permissions are controlled by role based management.

You configure role based management to determine how users logging into the appliance are authenticated. You also set up access profiles to determine what appliance resources users can work with after they are authenticated.

You can configure role based management by using the IBM® MQ Appliance web UI, the command line interface, or the REST API.

If you use external LDAP servers for user authentication, be aware that these servers can be a weak point in your security setup. You must take the necessary steps to ensure that the LDAP servers are themselves secure.

User authentication

You can configure role based management to authenticate users in one of the following ways:

LDAP
    The appliance authenticates users remotely by using an LDAP server. You can also define local users to fall back to if the LDAP server is not available.

Local user
    When authentication is local, the appliance performs the authentication itself by using a user name and password.

XML file
    User names and passwords can be specified in an XML file. You can store the XML file on the appliance or on a remote server. You can use the same XML file to define access policies.

TLS user certificate
    Users can authenticate to the web UI or REST API on the appliance by means of a TLS user certificate. A user name and password are not required.

OIDC
    Users can authenticate to the web UI on the appliance by using OpenID Connect (OIDC). A user name and password are not required.

You specify how users are authenticated to the appliance CLI by configuring the SSH authentication method. You can set up authentication by user certificate or by password. You can define appliance CLI users as local users, or by using LDAP (you cannot use an XML file). When you use LDAP, you can define the user directly or configure a lookup, but in either case only the user ID is retrieved at login. The actual authentication is carried out by the SSH service.

User authorization

You can configure role based management to authorize users to use appliance resources by selecting one of the following credential mapping methods:

Local user group
    Specify access profiles in the local user groups on the appliance. You can map user groups or individual users looked up on an LDAP server onto local user groups, which allows a user to belong to multiple role-based groups.

XML file
    Specify access policies in an XML file. You can store the XML file on the appliance or on a remote server. You can use the RBM builder on the appliance to define access profiles. You can map user groups or individual users looked up on an LDAP server onto policies that are defined in the XML file.

User authorization enforces access privileges for one or more resources on the appliance. These privileges can be broad or very specific. The privileges are combined to form an access profile. See User authorization, credential mapping, and access profiles for detailed information.

The following table shows the permitted combinations of authentication and authorization methods on the appliance.

Table 1. Permitted combinations of authentication and authorization methods

Authentication method                 Local user group authorization   XML file authorization
LDAP authentication                   Yes                              Yes
Local user authentication             Yes                              Yes
XML file authentication               Yes                              Yes
TLS user certificate authentication                                    Yes
OIDC authentication                                                    Yes