When you authorize users and groups to use the IBM® MQ Console or REST API, you must assign the users and groups one of the available roles: MQWebAdmin, MQWebAdminRO, MQWebUser, MFTWebAdmin, and MFTWebAdminRO. Each role provides different levels of privilege to access the IBM MQ Console and REST API, and determines the security context that is used when an allowed operation is attempted.
Note: With the exception of the MQWebUser role, the user ID is not case sensitive. See MQWebUser for the specific requirements for this role.
- MQWebAdmin
  - A user or group that is assigned this role can perform all administrative operations, and operates under the security context of the operating system user ID that is used to start the mqweb server.
  - A user or group with this role does not have access to the following REST services:
    - The REST API for MFT. To use these services, the user or group must also be assigned the MFTWebAdmin or MFTWebAdminRO role.
    - The messaging REST API. To use the messaging REST API, the user must be assigned the MQWebUser role.
- MQWebAdminRO
  - This role gives read only access to the IBM MQ Console or REST API. A user or group that is assigned this role can perform the following operations:
    - Display and inquire operations on IBM MQ objects such as queues and channels.
    - Browse messages on queues.
  - A user or group that is assigned this role operates under the security context of the operating system user ID that is used to start the mqweb server.
  - A user or group with this role does not have access to the following REST services:
    - The REST API for MFT. To use these services, the user or group must also be assigned the MFTWebAdmin or MFTWebAdminRO role.
    - The messaging REST API. To use the messaging REST API, the user must be assigned the MQWebUser role.
- MQWebUser
  - A user or group that is assigned this role can perform any operation that the user ID is granted to perform on the queue manager. For example:
    - Start and stop operations on IBM MQ objects such as channels.
    - Define and set operations on IBM MQ objects such as queues and channels.
    - Display and inquire operations on IBM MQ objects such as queues and channels.
    - Put and get messages using the messaging REST API.
  - A user or group that is assigned this role operates under the security context of the principal, and can perform only the operations that the user ID is granted to perform on the queue manager.
  - Therefore, the user or group that is defined in the mqweb user registry must be given authority within IBM MQ before that user can perform any operations. By using this role, you can finely control which users have which type of access to specific IBM MQ resources when they use the IBM MQ Console and REST API.
  - Note:
    - The maximum length of a user ID that is assigned this role is 12 characters.
    - The case of the user ID must be the same in the mqweb user registry and on the IBM MQ system. If the case of the user ID is different, the user might be authenticated by the IBM MQ Console and REST API but not authorized to use IBM MQ resources.
  - A user or group with this role does not have access to any of the REST API for MFT services. To use these services, the user or group must also be assigned the MFTWebAdmin or MFTWebAdminRO role.
- MFTWebAdmin
  - A user or group assigned this role can perform all MFT REST operations, and operates under the security context of the operating system user ID that is used to start the mqweb server.
  - A user or group with this role does not have access to any of the IBM MQ REST API services. To use these services, the user or group must also be assigned the MQWebAdmin, MQWebAdminRO, or MQWebUser role.
- MFTWebAdminRO
  - This role gives read only access to the REST API for MFT. A user or group that is assigned this role can perform read only operations (GET requests) like list transfer and list agents.
  - A user or group that is assigned this role operates under the security context of the operating system user ID that is used to start the mqweb server.
  - A user or group with this role does not have access to any of the IBM MQ REST API services. To use these services, the user or group must also be assigned the MQWebAdmin, MQWebAdminRO, or MQWebUser role.
For more information about configuring users and groups to use these roles, see Configuring users and roles.
Overlapping roles
A user or group can be assigned more than one role. When a user performs an operation in this
situation, the highest privilege role that is applicable to the operation is used. For example, if a
user with the roles MQWebAdminRO and MQWebUser performs an
inquire queue operation, the MQWebAdminRO role is used and the operation is
attempted under the context of the system user ID that started the web server. If that same user
performs a define operation, the MQWebUser role is used, and the operation is
attempted under the context of the principal.
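The overlap rule can be checked mechanically when reviewing role assignments. The following Python sketch is an added example, not IBM code: it models the roles as described on this page and flags registry entries where an MQWebUser's operations are served under the mqweb server's user ID rather than the principal. The operation category names, the `RANK` ordering (inferred from the example above), and the function names are assumptions.

```python
# Added illustration of the role rules on this page; not part of IBM MQ.
SERVER = "mqweb server OS user ID"
PRINCIPAL = "principal"

# role -> (operation categories it applies to, security context used)
# Category names are hypothetical labels for the operations the page lists.
ROLES = {
    "MQWebAdmin": ({"inquire", "browse", "define", "start_stop"}, SERVER),
    "MQWebAdminRO": ({"inquire", "browse"}, SERVER),
    "MQWebUser": ({"inquire", "browse", "define", "start_stop", "messaging"},
                  PRINCIPAL),
    "MFTWebAdmin": ({"mft_read", "mft_write"}, SERVER),
    "MFTWebAdminRO": ({"mft_read"}, SERVER),
}
# Assumed ordering, highest privilege first (MQ and MFT sets are disjoint).
RANK = ["MQWebAdmin", "MFTWebAdmin", "MQWebAdminRO", "MFTWebAdminRO",
        "MQWebUser"]


def effective_role(assigned, operation):
    """Return (role, context) used for the operation, or None if none applies."""
    for role in RANK:
        if role in assigned and operation in ROLES[role][0]:
            return role, ROLES[role][1]
    return None


def audit(user_id, assigned):
    """Return findings for one mqweb user registry entry."""
    findings = []
    if "MQWebUser" in assigned:
        if len(user_id) > 12:
            findings.append("MQWebUser user ID longer than 12 characters")
        # Operations where a higher role wins, so queue manager authority
        # granted to the principal is not what decides access.
        shadowed = sorted(op for op in ROLES["MQWebUser"][0]
                          if effective_role(assigned, op)[0] != "MQWebUser")
        if shadowed:
            findings.append("served under mqweb server context, not principal: "
                            + ", ".join(shadowed))
    return findings


if __name__ == "__main__":
    # Constructed sample registry entries.
    registry = {"appuser": {"MQWebAdminRO", "MQWebUser"},
                "averylongusername": {"MQWebUser"},
                "ops": {"MQWebAdmin"}}
    for uid, roles in registry.items():
        print(uid, audit(uid, roles), effective_role(roles, "messaging"))
```

A finding of the second kind is not an error in itself, but it means the per-user authority set on the queue manager does not limit what that user can display or browse.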