Roles on the IBM MQ Console and REST API
When you authorize users and groups to use the IBM MQ Console or REST API, you must assign the users and groups one of three roles: MQWebAdmin, MQWebAdminRO, and MQWebUser. Each role provides different levels of privilege to access the IBM MQ Console and REST API, and determines the security context that is used when an allowed operation is attempted.
- MQWebAdmin
  - A user or group that is assigned this role can perform all operations, and operates under the security context of the operating system user ID that is used to start the mqweb server.
- MQWebAdminRO
  - This role gives read only access to the IBM MQ Console or REST API. A user or group that is assigned this role can perform the following operations:
    - Display and inquire operations on IBM MQ objects such as queues and channels.
    - Browse messages on queues.
- MQWebUser
  - A user or group that is assigned this role can perform any operation that the user ID is granted to perform on the queue manager. For example:
    - Start and stop operations on IBM MQ objects such as channels.
    - Define and set operations on IBM MQ objects such as queues and channels.
    - Display and inquire operations on IBM MQ objects such as queues and channels.
For more information about configuring users and groups to use these roles, see Configure users and roles.
Overlapping roles
A user or group can be assigned more than one role. When a user performs an operation in this situation, the highest privilege role that is applicable to the operation is used. For example, if a user with the roles MQWebAdminRO and MQWebUser performs an inquire queue operation, the MQWebAdminRO role is used and the operation is attempted under the context of the system user ID that started the web server. If that same user performs a define operation, the MQWebUser role is used, and the operation is attempted under the context of the principal.
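The resolution rule above, modelled as an added example (not IBM MQ code): the operation names, function names, and the sample users and groups are assumptions. It resolves the role and security context for an operation, and flags users whose read operations run under the mqweb server's user ID rather than their own principal because of an overlapping assignment.

```python
# Added example: a model of the role-resolution rule, not IBM MQ code.
SERVER_CTX = "mqweb server start user ID"
PRINCIPAL_CTX = "principal"
READ_OPS = {"display", "inquire", "browse"}  # assumed operation names

# Highest privilege first: (role, permitted operations or None for any, context).
# Placing MQWebAdmin above MQWebAdminRO is an assumption; both use the same context.
ROLE_ORDER = [
    ("MQWebAdmin", None, SERVER_CTX),
    ("MQWebAdminRO", READ_OPS, SERVER_CTX),
    ("MQWebUser", None, PRINCIPAL_CTX),  # still subject to queue manager authority
]

def effective_roles(user, user_roles, group_roles, memberships):
    """Union of roles assigned directly and through group membership."""
    roles = set(user_roles.get(user, ()))
    for group in memberships.get(user, ()):
        roles |= set(group_roles.get(group, ()))
    return roles

def resolve(roles, operation):
    """Return (role, context) used for an operation, or None if no role applies."""
    for role, allowed, context in ROLE_ORDER:
        if role in roles and (allowed is None or operation in allowed):
            return role, context
    return None

def audit(user_roles, group_roles, memberships, operations):
    """List (user, operation, role) where an MQWebUser holder runs in the server context."""
    findings = []
    for user in sorted(set(user_roles) | set(memberships)):
        roles = effective_roles(user, user_roles, group_roles, memberships)
        for op in operations:
            result = resolve(roles, op)
            if result and result[1] == SERVER_CTX and "MQWebUser" in roles:
                findings.append((user, op, result[0]))
    return findings

# Constructed sample assignments (hypothetical users and groups).
USER_ROLES = {"alice": ["MQWebUser"], "bob": ["MQWebUser"]}
GROUP_ROLES = {"mqreaders": ["MQWebAdminRO"]}
MEMBERSHIPS = {"alice": ["mqreaders"]}

if __name__ == "__main__":
    for finding in audit(USER_ROLES, GROUP_ROLES, MEMBERSHIPS, ["inquire", "browse", "define"]):
        print(finding)
```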
MFT REST API security
For information about MFT users, roles, and security, see Configure MFT REST API security.