I didn't make any changes inside management.xml file, so there's no "users" 
roles added:

<management-context xmlns="http://activemq.apache.org/schema">
<!--   <connector connector-port="1099"/>-->
   <authorisation>
      <allowlist>
         <entry domain="hawtio"/>
      </allowlist>
      <default-access>
         <!--
         The "default-access" settings apply to every MBean not explicitly configured
         in the "allowlist" or "role-access" sections
         -->

         <!-- allow read-only access by default -->
         <access method="list*" roles="amq,manager,testgroup"/>
         <access method="get*" roles="amq,manager,testgroup"/>
         <access method="is*" roles="amq,manager,testgroup"/>

         <!-- don't allow write or other operations by default -->
         <access method="set*" roles="amq,manager"/>
         <access method="*" roles="amq,manager"/>
      </default-access>
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="amq,manager,testgroup"/>
            <access method="get*" roles="amq,manager"/>
            <access method="is*" roles="amq,manager"/>
            <access method="set*" roles="amq,manager"/>
            <!-- Note count and browse are needed to access the browse tab in the console -->
            <access method="browse*" roles="amq,manager"/>
            <access method="count*" roles="amq,manager"/>
            <access method="*" roles="amq,manager"/>
         </match>

      </role-access>
   </authorisation>
</management-context>


The only restriction I found in my very limited testing was that the user was 
unable to send a message through the console. Deleting queues, addresses and 
messages are all allowed and work.
________________________________
From: Domenico Francesco Bruscino <[email protected]>
Sent: Friday, February 13, 2026 14:15
To: [email protected] <[email protected]>
Subject: Re: Issues with user management?

The management API RBAC is complementary to the addresses RBAC, see 
https://artemis.apache.org/components/artemis/documentation/latest/management.html#role-based-authorisation-for-jmx

Can you share your management.xml file?

Regards,
Domenico

On Fri, 13 Feb 2026 at 10:49, Gašper Čefarin 
<[email protected]<mailto:[email protected]>> wrote:
Hi,

Using Apache Artemis 2.50.0 and Artemis Console 1.5.0 - I'm trying to set up some 
"non-admin" users for console.
I added a role named "users", added it to HAWTIO_ROLES inside artemis.profile, 
and set up permissions in broker.xml:

      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq,manager,producer"/>
            <permission type="deleteNonDurableQueue" roles="amq,manager"/>
            <permission type="createDurableQueue" roles="amq,manager,producer"/>
            <permission type="deleteDurableQueue" roles="amq,manager"/>
            <permission type="createAddress" roles="amq,manager,producer"/>
            <permission type="deleteAddress" roles="amq,manager"/>
            <permission type="consume" roles="amq,manager,consumer"/>
            <permission type="browse" roles="amq,manager,consumer,users"/>
            <permission type="send" roles="amq,manager,producer"/>
            <permission type="manage" roles="amq"/>
         </security-setting>

Artemis-roles.properties:
users = user

This is the current config - before this, I added the "users" role to "consume" 
and "send" permissions as well.
In all cases, the "user" can login but they can also delete queues and 
addresses. Queue-based operations look exactly the same as they do for a user 
with amq or manager role.

Can anyone else reproduce?


Gašper Čefarin


T: +386 5 662 2700

E: [email protected]<mailto:[email protected]>

W: www.actual-it.si<https://www.actual-it.si/>


ACTUAL PRO d.o.o., Ferrarska ulica 14, 6000 Koper - Slovenija
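
Added example (not part of the thread and not Artemis code): a small Python audit that loads a management.xml like the one posted above and reports which roles its rules grant for a given MBean domain and method, so you can check whether a role such as "users" is granted anything by this file. The matching model is a simplifying assumption: allowlisted domains skip the role check, a `match` on the domain replaces `default-access`, the longest matching method pattern wins, and `key` attributes are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the management.xml posted in the thread.
SAMPLE = """<management-context xmlns="http://activemq.apache.org/schema">
 <authorisation>
  <allowlist><entry domain="hawtio"/></allowlist>
  <default-access>
   <access method="list*" roles="amq,manager,testgroup"/>
   <access method="*" roles="amq,manager"/>
  </default-access>
  <role-access>
   <match domain="org.apache.activemq.artemis">
    <access method="list*" roles="amq,manager,testgroup"/>
    <access method="*" roles="amq,manager"/>
   </match>
  </role-access>
 </authorisation>
</management-context>"""

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _rules(parent):
    return [(a.get("method"), {r.strip() for r in a.get("roles", "").split(",") if r.strip()})
            for a in parent if _local(a) == "access"]

def load(xml_text):
    allow, default, by_domain = set(), [], {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el) == "entry":
            allow.add(el.get("domain"))
        elif _local(el) == "default-access":
            default = _rules(el)
        elif _local(el) == "match":
            by_domain.setdefault(el.get("domain"), []).extend(_rules(el))
    return allow, default, by_domain

def roles_for(policy, domain, method):
    """Roles allowed to invoke `method`; None means the domain is allowlisted."""
    allow, default, by_domain = policy
    if domain in allow:
        return None  # assumed: allowlisted MBeans bypass the role check
    best, best_len = set(), -1
    for pattern, roles in by_domain.get(domain, default):
        prefix = pattern.rstrip("*")
        exact = method == pattern
        if exact or (pattern.endswith("*") and method.startswith(prefix)):
            score = len(pattern) + 1 if exact else len(prefix)
            if score > best_len:
                best, best_len = roles, score
    return best
```

Calling `roles_for(load(SAMPLE), "org.apache.activemq.artemis", "destroyQueue")` returns the roles this file grants for that operation; a role missing from the result is not being granted the operation by management.xml under the model above.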
