IBM Cloud Docs
Users and Applications

IBM® MQ as a Service access control is managed by the IBM Cloud® Identity and Access Management (IAM) service. Permissions in IBM Cloud are mapped to access rights in the IBM MQ queue managers within your IBM MQ service instance. The following describes how that mapping is achieved.

IBM® MQ as a Service makes a distinction between Administrators and Applications, which in IAM terminology correspond to Users (an IBMid or SoftLayer ID that is used as a person's identity in an account) and Service IDs (an identity that authenticates a service or an application to a cloud environment and other services; a service ID can be assigned access policies and used to give an application that is deployed to a cloud environment access to cloud services). Both kinds of entity can access an IBM MQ queue manager, but they are placed in different groups and have different access rights.

Administrators are given an IAM access policy (a method for granting users, service IDs, and access groups access to account resources; an access policy includes a subject, target, and role) that automatically adds them to the standard mqm group for all queue managers in their service instance, so they have full administrator access rights.

Applications are given an IAM access policy that automatically adds them to the mqwriters group. This group gives applications permission to read from and write to queues in the queue manager, but does not give them administration privileges.

On deployment of a queue manager within IBM® MQ as a Service, two channels are created for you:

  • CLOUD_ADMIN_SVRCONN is a channel for administration, and is therefore accessible by Administrators.
  • CLOUD_APP_SVRCONN is a channel for queue access, and is therefore available to Applications.

MQ Usernames

To access a queue manager using IBM MQ, a username and a password are required. The username is limited to 12 characters and may contain only lowercase letters (a-z) and digits (0-9).

When creating users and applications in IBM® MQ as a Service, you are required to give these entities a name (for an administrator, this must be a valid email address), from which a shorter name called an MQ username is generated. This shorter name is based on the email address, but is guaranteed to be unique within the service instance and to conform to the required format of an IBM MQ username.
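As an added illustration of the username rules above (example code written for this page, not the derivation that IBM MQ as a Service itself uses, which is not documented here): a validator for the stated format, and one possible way to derive a unique, conforming short name from an email address given the set of names already in use. The sample addresses are constructed for the example.

```python
import re
from typing import Set

# Constraints stated on the page: at most 12 characters, only a-z and 0-9.
MQ_USERNAME_MAX_LEN = 12
MQ_USERNAME_RE = re.compile(r"[a-z0-9]{1,12}")


def is_valid_mq_username(name: str) -> bool:
    """Return True if name is a syntactically valid IBM MQ username."""
    return MQ_USERNAME_RE.fullmatch(name) is not None


def derive_mq_username(email: str, taken: Set[str]) -> str:
    """Derive a conforming MQ username from an email address that is unique
    within `taken`, and record it there.

    Illustrative derivation only (assumption: not the service's algorithm):
    keep the local part of the address, lowercase it, drop every character
    outside [a-z0-9], truncate to 12 characters, and on collision append a
    numeric suffix while shortening the base so the total stays at 12.
    """
    local = email.split("@", 1)[0].lower()
    base = re.sub(r"[^a-z0-9]", "", local) or "user"
    candidate = base[:MQ_USERNAME_MAX_LEN]
    n = 1
    while candidate in taken:
        suffix = str(n)
        candidate = base[:MQ_USERNAME_MAX_LEN - len(suffix)] + suffix
        n += 1
    assert is_valid_mq_username(candidate)
    taken.add(candidate)
    return candidate


if __name__ == "__main__":
    # Constructed sample addresses, including two that collide after shortening.
    in_use: Set[str] = set()
    for addr in ("Jane.Doe@example.com",
                 "jane_doe@other.example",
                 "alexandra.montgomery@example.com",
                 "alexandra-montgomery@example.org"):
        print(f"{addr:40} -> {derive_mq_username(addr, in_use)}")
```

Two different people whose addresses shorten to the same base get distinct names, and every generated name passes the same check the queue manager's format rule implies.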

Passwords

At the MQ SaaS level, access control is implemented using API keys (a unique code that is used to authenticate and authorize API requests; the code is passed to an API to identify the calling application or user and to track and control how the API is used). Our system uses these API keys as the passwords associated with users and applications at the IBM MQ level.

In the panel showing the list of queue managers in your service instance, you will find two tabs that allow you to create user credentials and application credentials.

[Image: the user credentials and application credentials tabs in an IBM® MQ as a Service service instance]

Administrators must generate their own Administrator API key and use it as their password when connecting to a queue manager.

The Application credentials panel allows you to create an individual API key associated with a specific application. This is the password to be used by that application when connecting to any queue manager in your service instance, so each application has its own distinct password rather than a shared one.
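Putting the pieces together for an application (added example for this page, not code from IBM or the MQ as a Service product): the MQ username generated for the application is the user, the application's API key is the password, and the connection goes over CLOUD_APP_SVRCONN. The page names no client library; this example assumes the pymqi client, which carries user and password to the queue manager in an MQCSP structure. The environment variable names and the "host(port)" connection string are assumptions for the example, and the key is read from the environment rather than embedded in source.

```python
import os
import re
from typing import Dict

MQ_USERNAME_RE = re.compile(r"[a-z0-9]{1,12}")  # format rule stated on the page
APP_CHANNEL = "CLOUD_APP_SVRCONN"                # channel created for Applications


def app_connection_params(host: str, port: int, queue_manager: str,
                          mq_username: str, api_key: str,
                          channel: str = APP_CHANNEL) -> Dict[str, str]:
    """Assemble client-connection parameters for an Application credential.

    Rejects usernames that violate the MQ format rule and empty API keys up
    front, so a misconfiguration fails locally instead of as a vague
    authentication error from the queue manager. The API key is the MQ
    password. conn_info uses the MQ "host(port)" form (assumed here).
    """
    if MQ_USERNAME_RE.fullmatch(mq_username) is None:
        raise ValueError(f"{mq_username!r} is not a valid IBM MQ username")
    if not api_key:
        raise ValueError("application API key (MQ password) must not be empty")
    return {
        "queue_manager": queue_manager,
        "channel": channel,
        "conn_info": f"{host}({port})",
        "user": mq_username,
        "password": api_key,
    }


def connect_application(params: Dict[str, str]):
    """Connect with pymqi (assumed client library) using user + API key."""
    import pymqi  # imported here so the parameter helper runs without pymqi installed
    return pymqi.connect(params["queue_manager"], params["channel"],
                         params["conn_info"], params["user"], params["password"])


if __name__ == "__main__":
    # Credentials and endpoint come from the environment (variable names are
    # assumptions for this example); the API key never appears in source.
    params = app_connection_params(
        host=os.environ["MQ_HOST"],
        port=int(os.environ["MQ_PORT"]),
        queue_manager=os.environ["MQ_QMGR"],
        mq_username=os.environ["MQ_APP_USER"],
        api_key=os.environ["MQ_APP_API_KEY"],
    )
    import pymqi
    qmgr = connect_application(params)
    try:
        # mqwriters membership permits queue access, so a put should succeed;
        # an administration call on this channel would not.
        queue = pymqi.Queue(qmgr, os.environ["MQ_QUEUE"])
        queue.put(b"hello from an Application credential")
        queue.close()
    finally:
        qmgr.disconnect()
```

Because each application has its own API key, the same code runs unchanged for every application in the instance; only the environment differs, and no application ever holds another application's or an Administrator's credential.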