IBM Cloud Docs
Managing Users and Permissions

Managing Users and Permissions

IBM Cloud® Messages for RabbitMQ uses RabbitMQ's built-in access control.

When you provision a new deployment in IBM Cloud, you are automatically given an admin user to access and manage RabbitMQ. You can also add users in the Service Credentials panel, which allows for access to RabbitMQ to be integrated with your IBM Cloud account and IAM, with the Cloud Databases CLI plug-in, or the Cloud Databases API.

Since Messages for RabbitMQ comes with the RabbitMQ Management plug-in enabled, user access is also controlled by user tags. These tags control what information is available to users through the management UI, rabbitmqadmin, and the RabbitMQ HTTP API.

The admin user

Every RabbitMQ deployment comes with an admin user. This admin user had full administrative privileges on your RabbitMQ deployment. The primary difference between the admin user and any other users you add to your deployment is the ability to provision new vhosts and manage all other users' permissions and access. admin is the only user that is initially granted access to all the settings and configuration that is found in the Admin tab in the management UI.

Before you log in with the admin user, set the password.

Setting the Admin Password in the UI

Set your Admin Password through the UI by selecting your instance from the Resource List in the IBM Cloud Dashboard. Then, select Settings. Next, select Change Database Admin Password.

Setting the Admin Password in the CLI

Use the cdb user-password command from the IBM Cloud CLI Cloud Databases plug-in to set the admin password.

For example, to set the admin password for a deployment named example-deployment, use the following command:

ibmcloud cdb user-password example-deployment admin <newpassword>

Setting the Admin Password in the API

The Foundation Endpoint that is shown on the Overview panel Deployment Details section of your service provides the base URL to access this deployment through the API. Use it with the Set specified user's password endpoint to set the admin password.

curl -X PATCH `https://api.{region}.databases.cloud.ibm.com/v5/ibm/deployments/{id}/users/admin` \
-H `Authorization: Bearer <>` \
-H `Content-Type: application/json` \ 
-d `{"password":"newrootpasswordsupersecure21"}` \

Service Credential Users

Users that you create through the Service Credentials panel are given full permissions to configure, write, and read on the default Virtual Host.

They are also automatically tagged with the "monitoring" tag, allowing users to access the management plug-in and see all connections, channels, and node-related information. These users given a limited view of the Admin tab and the functions that are found there.

If you need users that are created from Service Credentials to have more privileges, you can log in with the admin user and grant them.

Users created through the CLI

Users that you create through the Cloud Databases CLI plug-in are given the same permissions as Service Credential users. They have full permissions on the default Virtual Host and are tagged with the "monitoring" tag. If you need them to have more privileges, you can grant them while logged in with the admin user.

Users that are created directly from the CLI do not appear in Service Credentials, but you can add them if you choose.

Users created through the API

Users that you create through the Cloud Databases API are given the same permissions as Service Credential users. They have full permissions on the default Virtual Host and are tagged with the "monitoring" tag. If you need them to have more privileges, you can grant them while logged in with the admin user.

Users that are created directly from the API do not appear in Service Credentials, but you can add them if you choose.

RabbitMQ Users

Bypass creating users in Service Credentials and create users directly in RabbitMQ. The RabbitMQ Management plug-in UI has a tab for user creation and management available to the admin user on your deployment.

Users who are created directly in RabbitMQ do not appear in Service Credentials, but you can add them. These users will not be integrated with IAM controls, even if added to Service Credentials.

The ibm user

If you log in to the management UI with your admin user, you might have noticed a user that is named ibm. The ibm user is the internal administrative account that manages replication, metrics, and other functions that ensure the stability of your deployment. It has the same permission levels and tags as the provided admin user. Changes to the ibm account are not advised and can disrupt the availability of your deployment.