Roles on the IBM MQ Console and REST API

When you authorize users and groups to use the IBM MQ Console or REST API, we must assign the users and groups one of the available roles: MQWebAdmin, MQWebAdminRO, MQWebUser, MFTWebAdmin, and MFTWebAdminRO. Each role provides different levels of privilege to access the IBM MQ Console and REST API, and determines the security context that is used when an allowed operation is attempted.

MQWebAdmin

A user or group that is assigned this role can perform all administrative operations, and operates under the security context of the operating system user ID that is used to start the mqweb server.

A user or group with this role does not have access to the following REST services:

• The REST API for MFT. To use these services, the user or group must also be assigned the MFTWebAdmin or MFTWebAdminRO role.
• The messaging REST API. To use the messaging REST API, the user must be assigned the MQWebUser role.

MQWebAdminRO

This role gives read only access to the IBM MQ Console or REST API. A user or group that is assigned this role can perform the following operations:

• Display and inquire operations on IBM MQ objects such as queues and channels.
• Browse messages on queues.

A user or group that is assigned this role operates under the security context of the operating system user ID that is used to start the mqweb server.

A user or group with this role does not have access to the following REST services:

• The REST API for MFT. To use these services, the user or group must also be assigned the MFTWebAdmin or MFTWebAdminRO role.
• The messaging REST API. To use the messaging REST API, the user must be assigned the MQWebUser role.

MQWebUser

A user or group that is assigned this role can perform any operation that the user ID is granted to perform on the queue manager. For example:

• Start and stop operations on IBM MQ objects such as channels.
• Define and set operations on IBM MQ objects such as queues and channels.
• Display and inquire operations on IBM MQ objects such as queues and channels.
• Put and get messages using the messaging REST API.

A user or group that is assigned this role operates under the security context of the principal, and can perform only the operations that the user ID is granted to perform on the queue manager.

Therefore, the user or group that is defined in the mqweb user registry must be given authority within IBM MQ before that user can perform any operations. By using this role, we can finely control which users have which type of access to specific IBM MQ resources when they use the IBM MQ Console and REST API.

Note:

• The maximum length of a user ID that is assigned this role is 12 characters.
• The case of the user ID must be the same in the mqweb user registry and on the IBM MQ system. If the case of the user ID is different, the user might be authenticated by the IBM MQ Console and REST API but not authorized to use IBM MQ resources.

A user or group with this role does not have access to any of the REST API for MFT services. To use these services, the user or group must also be assigned the MFTWebAdmin or MFTWebAdminRO role.

MFTWebAdmin

A user or group assigned this role can perform all MFT REST operations, and operates under the security context of the operating system user ID that is used to start the mqweb server.

A user or group with this role does not have access to any of the IBM MQ REST API services. To use these services, the user or group must also be assigned the MQWebAdmin, MQWebAdminRO, or MQWebUser role.

MFTWebAdminRO

This role gives read only access to the REST API for MFT . A user or group that is assigned this role can perform read only operations (GET requests) like list transfer and list agents.

A user or group that is assigned this role operates under the security context of the operating system user ID that is used to start the mqweb server.

A user or group with this role does not have access to any of the IBM MQ REST API services. To use these services, the user or group must also be assigned the MQWebAdmin, MQWebAdminRO, or MQWebUser role.

For more information about configuring users and groups to use these roles, see Configure users and roles.

Overlapping roles

A user or group can be assigned more than one role. When a user performs an operation in this situation, the highest privilege role that is applicable to the operation is used. For example, if a user with the roles MQWebAdminRO and MQWebUser performs an inquire queue operation, the MQWebAdminRO role is used and the operation is attempted under the context of the system user ID that started the web server. If that same user performs a define operation, the MQWebUser role is used, and the operation is attempted under the context of the principal.