The other day I was trying to recreate an issue with the MQ Appliance and the MQ REST API. I followed the information on this page stating that users must be a member of a group with access to one or both of the mq/webadmin or mq/webuser resources. Having done that, I tried calling the REST API and got rejected with an HTTP 403 status code indicating that I didn’t have suitable access.

With a bit of digging I realised that users of the MQ REST API must first be granted the ability to use the general MQ Appliance REST management interface. That is, their group must have the following resource access:

*/*/login/rest-mgmt?Access=r

Once that was done everything worked fine. We will be getting our documentation updated to make this more obvious, but to summarise, here are the resources you need access to on the MQ Appliance to make use of the MQ REST API. Details on the three MQWeb* roles are described here.

To make the user a member of the MQWebAdmin role, they need to have the following resource access:

*/*/login/rest-mgmt?Access=r
*/*/mq/webadmin?Access=w

To make the user a member of the MQWebAdminRO role, they need to have the following resource access:

*/*/login/rest-mgmt?Access=r
*/*/mq/webadmin?Access=r

To make the user a member of the MQWebUser role, they need to have the following resource access:

*/*/login/rest-mgmt?Access=r
*/*/mq/webuser?Access=x

You can also make a user a member of both the MQWebAdminRO and MQWebUser roles by giving them the following resource access:

*/*/login/rest-mgmt?Access=r
*/*/mq/webadmin?Access=r
*/*/mq/webuser?Access=x
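
To check a group's access policies against the table above before a user hits the 403, here is a small audit script. It is an added example, not IBM's code or part of the original post; the function names are hypothetical, and it assumes policies use the `*/*/<resource>?Access=<letters>` form shown here, with multiple permission letters joined by `+`.

```python
import re

# Resource access needed per role, as listed in the post above.
REST_LOGIN = ("login/rest-mgmt", "r")
ROLE_ACCESS = {
    "MQWebAdmin": ("mq/webadmin", "w"),
    "MQWebAdminRO": ("mq/webadmin", "r"),
    "MQWebUser": ("mq/webuser", "x"),
}
# Only the "*/*/<resource>?Access=<letters>" form used in the post is parsed.
# Assumption: several permission letters may be joined with "+".
POLICY_RE = re.compile(r"^\*/\*/([^?\s]+)\?Access=([a-z](?:\+[a-z])*)$")


def parse_policy(line):
    """Split one access policy string into (resource, {permission letters})."""
    match = POLICY_RE.match(line.strip())
    if not match:
        raise ValueError(f"unsupported access policy: {line!r}")
    return match.group(1), set(match.group(2).split("+"))


def audit_group(policies):
    """Return the MQWeb* roles a group's policies yield, plus any findings."""
    granted = {}
    for line in policies:
        resource, perms = parse_policy(line)
        granted.setdefault(resource, set()).update(perms)

    def has(requirement):
        resource, letter = requirement
        return letter in granted.get(resource, set())

    wanted = [role for role, req in ROLE_ACCESS.items() if has(req)]
    findings = []
    if wanted and not has(REST_LOGIN):
        # The situation described at the top of the post.
        findings.append("mq/web* access without */*/login/rest-mgmt?Access=r: "
                        "MQ REST API calls are rejected with HTTP 403")
        return {"roles": [], "wanted": wanted, "findings": findings}
    if not wanted:
        findings.append("no mq/webadmin or mq/webuser access: no MQWeb* role")
    return {"roles": wanted, "wanted": wanted, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: the group from the start of the post, before the fix.
    print(audit_group(["*/*/mq/webadmin?Access=w"]))
```
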

Hopefully this will prevent you scratching your head, because I certainly spent some time scratching mine!
