Roles on the IBM MQ Console and REST API

When you authorize users and groups to use the IBM MQ Console or REST API, you must assign each user or group one of three roles: MQWebAdmin, MQWebAdminRO, or MQWebUser. Each role provides a different level of privilege for accessing the IBM MQ Console and REST API, and determines the security context that is used when an allowed operation is attempted.

    MQWebAdmin
    A user or group that is assigned this role can perform all operations, and operates under the security context of the operating system user ID that is used to start the mqweb server.

    MQWebAdminRO
    This role gives read-only access to the IBM MQ Console or REST API. A user or group that is assigned this role can perform the following operations:

    • Display and inquire operations on IBM MQ objects such as queues and channels.
    • Browse messages on queues.
    A user or group that is assigned this role operates under the security context of the operating system user ID that is used to start the mqweb server.

    MQWebUser
    A user or group that is assigned this role can perform any operation that the user ID is granted to perform on the queue manager. For example:

    • Start and stop operations on IBM MQ objects such as channels.
    • Define and set operations on IBM MQ objects such as queues and channels.
    • Display and inquire operations on IBM MQ objects such as queues and channels.
    A user or group that is assigned this role operates under the security context of the principal, and can perform only the operations that the user ID is granted to perform on the queue manager.
    Therefore, the user or group that is defined in the mqweb user registry must be given authority within IBM MQ before that user can perform any operations. By using this role, you can finely control which users have which type of access to specific IBM MQ resources when they use the IBM MQ Console and REST API.
    Note:

    • The maximum length of a user ID that is assigned this role is 12 characters.
    • The case of the user ID must be the same in the mqweb user registry and on the IBM MQ system. If the case of the user ID is different, the user might be authenticated by the IBM MQ Console and REST API but not authorized to use IBM MQ resources.

For more information about configuring users and groups to use these roles, see Configure users and roles.

Overlapping roles

A user or group can be assigned more than one role. When a user performs an operation in this situation, the highest privilege role that is applicable to the operation is used. For example, if a user with the roles MQWebAdminRO and MQWebUser performs an inquire queue operation, the MQWebAdminRO role is used and the operation is attempted under the context of the system user ID that started the web server. If that same user performs a define operation, the MQWebUser role is used, and the operation is attempted under the context of the principal.
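As an added example (not IBM's shipped sample file), the following mqwebuser.xml fragment maps the three roles for both the Console and REST API applications, and includes a user, auditor, that holds both MQWebAdminRO and MQWebUser as in the overlapping-roles case above. The realm name, user and group names, and placeholder passwords are assumptions for illustration; the basic registry is constructed.

```xml
<!-- Added example mqwebuser.xml (not IBM's own sample). Assumed: realm defaultRealm,
     users mqadmin/auditor/alice, group MQWebAdminGroup, placeholder passwords. -->
<server>
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>basicAuthenticationMQ-1.0</feature>
  </featureManager>
  <!-- Console role bindings; the REST API application below repeats them so both
       interfaces enforce the same roles. -->
  <enterpriseApplication id="com.ibm.mq.console">
    <application-bnd>
      <!-- Full control; operations run as the OS user ID that started mqweb -->
      <security-role name="MQWebAdmin">
        <group name="MQWebAdminGroup" realm="defaultRealm"/>
      </security-role>
      <!-- Read-only (display, inquire, browse); also runs as the mqweb OS user -->
      <security-role name="MQWebAdminRO">
        <user name="auditor" realm="defaultRealm"/>
      </security-role>
      <!-- Runs as the principal, so each ID also needs MQ authority (e.g. setmqaut).
           auditor holds both roles: inquire uses MQWebAdminRO, define uses MQWebUser. -->
      <security-role name="MQWebUser">
        <user name="auditor" realm="defaultRealm"/>
        <user name="alice" realm="defaultRealm"/>
      </security-role>
    </application-bnd>
  </enterpriseApplication>
  <enterpriseApplication id="com.ibm.mq.rest">
    <application-bnd>
      <security-role name="MQWebAdmin">
        <group name="MQWebAdminGroup" realm="defaultRealm"/>
      </security-role>
      <security-role name="MQWebAdminRO">
        <user name="auditor" realm="defaultRealm"/>
      </security-role>
      <security-role name="MQWebUser">
        <user name="auditor" realm="defaultRealm"/>
        <user name="alice" realm="defaultRealm"/>
      </security-role>
    </application-bnd>
  </enterpriseApplication>
  <basicRegistry id="basic" realm="defaultRealm">
    <user name="mqadmin" password="CHANGE_ME"/>
    <user name="auditor" password="CHANGE_ME"/>
    <user name="alice" password="CHANGE_ME"/>
    <group name="MQWebAdminGroup">
      <member name="mqadmin"/>
    </group>
  </basicRegistry>
</server>
```

With this mapping, alice can authenticate but performs nothing until the queue manager grants her user ID authority, and because MQWebUser operations run as the principal, her registry ID must match the IBM MQ user ID exactly (including case) and be no longer than 12 characters.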

MFT REST API security

For information about MFT users, roles, and security, see Configure MFT REST API security.