Sending you the logs personally in a separate email, if you don't mind.

I did 4 actions as the "user" user:

Send message (denied)
Delete message (successful)
Delete queue (successful)
Delete address (successful)

Unlike when deleting a queue, there's no info about an address being deleted in 
the logs, I tested it 3 times.
I'm not sure if "anonymous" user has something to do with all this, and I think 
it's also worth mentioning that this broker has been updated twice, so it's not 
a fresh 2.50 install (I think I started with 2.37, and updated to 2.41 before 
going to 2.50).



Gašper Čefarin


T: +386 5 662 2700

E: [email protected]

W: https://www.actual-it.si/

ACTUAL PRO d.o.o., Ferrarska ulica 14, 6000 Koper - Slovenija




________________________________
From: Domenico Francesco Bruscino <[email protected]>
Sent: Monday, February 16, 2026 18:17
To: [email protected] <[email protected]>
Subject: Re: Issues with user management?

I'm not able to reproduce this issue. Can you enable the audit.log
in log4j2.properties and share it after deleting a test address?

On Sat, 14 Feb 2026 at 09:30, Gašper Čefarin <[email protected]>
wrote:

> I didn't make any changes inside management.xml file, so there's no
> "users" roles added:
>
> <management-context xmlns="http://activemq.apache.org/schema">
> <!--   <connector connector-port="1099"/>-->
>    <authorisation>
>       <allowlist>
>          <entry domain="hawtio"/>
>       </allowlist>
>       <default-access>
>          <!--
>          The "default-access" settings apply to every MBean not explicitly configured
>          in the "allowlist" or "role-access" sections
>          -->
>
>          <!-- allow read-only access by default -->
>          <access method="list*" roles="amq,manager,testgroup"/>
>          <access method="get*" roles="amq,manager,testgroup"/>
>          <access method="is*" roles="amq,manager,testgroup"/>
>
>          <!-- don't allow write or other operations by default -->
>          <access method="set*" roles="amq,manager"/>
>          <access method="*" roles="amq,manager"/>
>       </default-access>
>       <role-access>
>          <match domain="org.apache.activemq.artemis">
>             <access method="list*" roles="amq,manager,testgroup"/>
>             <access method="get*" roles="amq,manager"/>
>             <access method="is*" roles="amq,manager"/>
>             <access method="set*" roles="amq,manager"/>
>             <!-- Note count and browse are needed to access the browse tab in the console -->
>             <access method="browse*" roles="amq,manager"/>
>             <access method="count*" roles="amq,manager"/>
>             <access method="*" roles="amq,manager"/>
>          </match>
>
>       </role-access>
>    </authorisation>
> </management-context>
>
>
> The only restriction I found in my very limited testing was that the user
> was unable to send a message through the console. Deleting queues,
> addresses and messages are all allowed and work.
> ------------------------------
> *From:* Domenico Francesco Bruscino <[email protected]>
> *Sent:* Friday, February 13, 2026 14:15
> *To:* [email protected] <[email protected]>
> *Subject:* Re: Issues with user management?
>
> The management API RBAC is complementary to the addresses RBAC, see
> https://artemis.apache.org/components/artemis/documentation/latest/management.html#role-based-authorisation-for-jmx
>
> Can you share your management.xml file?
>
> Regards,
> Domenico
>
> On Fri, 13 Feb 2026 at 10:49, Gašper Čefarin <[email protected]>
> wrote:
>
> Hi,
>
> Using Apache Artemis 2.50.0 and Artemis Console 1.5.0 - I'm trying to
> set up some "non-admin" users for the console.
> I added a role named "users", added it to HAWTIO_ROLES inside
> artemis.profile, and set up permissions in broker.xml:
>
>       <security-settings>
>          <security-setting match="#">
>             <permission type="createNonDurableQueue" roles="amq,manager,producer"/>
>             <permission type="deleteNonDurableQueue" roles="amq,manager"/>
>             <permission type="createDurableQueue" roles="amq,manager,producer"/>
>             <permission type="deleteDurableQueue" roles="amq,manager"/>
>             <permission type="createAddress" roles="amq,manager,producer"/>
>             <permission type="deleteAddress" roles="amq,manager"/>
>             <permission type="consume" roles="amq,manager,consumer"/>
>             <permission type="browse" roles="amq,manager,consumer,users"/>
>             <permission type="send" roles="amq,manager,producer"/>
>             <permission type="manage" roles="amq"/>
>          </security-setting>
>       </security-settings>
>
> Artemis-roles.properties:
> users = user
>
> This is the current config - before this, I added the "users" role to
> "consume" and "send" permissions as well.
> In all cases, the "user" can login but they can also delete queues and
> addresses. Queue-based operations look exactly the same as they do for a
> user with amq or manager role.
>
> Can anyone else reproduce?
>
>
> Gašper Čefarin
>
>
> T: +386 5 662 2700
>
> E: [email protected]
>
> W: http://www.actual-it.si
>
> ACTUAL PRO d.o.o., Ferrarska ulica 14, 6000 Koper - Slovenija
>
>
>
>
>
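The thread hinges on two separate RBAC layers: the JMX/management RBAC in management.xml and the address RBAC in broker.xml. A useful first step when a role behaves unexpectedly is to compute, from the configuration alone, what each layer should grant that role, and then compare that with what the console actually lets the user do. The script below is an added example written for this thread, not code from the Artemis project or from either poster. It parses the two snippets quoted above (embedded here as constructed sample input, with the stray mail-client semicolon removed and the broker.xml block closed) and reports, for a given role, which management methods and which address permissions the configuration grants. The precedence it assumes for management.xml method patterns (exact name, then the longest matching `prefix*`, then `*`) and the fallback to `default-access` only when no `<match>` covers the MBean domain are assumptions of this example, not verified Artemis semantics; the JMX method names it checks are taken from the ActiveMQServerControl and QueueControl MBeans.

```python
"""Audit a role's rights across Artemis management.xml (JMX RBAC) and
broker.xml (address RBAC). Constructed example, not project code."""
import xml.etree.ElementTree as ET

# Constructed sample: the management.xml from the thread, comments trimmed.
MANAGEMENT_XML = """<management-context xmlns="http://activemq.apache.org/schema">
   <authorisation>
      <allowlist><entry domain="hawtio"/></allowlist>
      <default-access>
         <access method="list*" roles="amq,manager,testgroup"/>
         <access method="get*" roles="amq,manager,testgroup"/>
         <access method="is*" roles="amq,manager,testgroup"/>
         <access method="set*" roles="amq,manager"/>
         <access method="*" roles="amq,manager"/>
      </default-access>
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="amq,manager,testgroup"/>
            <access method="get*" roles="amq,manager"/>
            <access method="is*" roles="amq,manager"/>
            <access method="set*" roles="amq,manager"/>
            <access method="browse*" roles="amq,manager"/>
            <access method="count*" roles="amq,manager"/>
            <access method="*" roles="amq,manager"/>
         </match>
      </role-access>
   </authorisation>
</management-context>"""

# Constructed sample: the broker.xml security-settings from the thread.
BROKER_XML = """<security-settings>
   <security-setting match="#">
      <permission type="createNonDurableQueue" roles="amq,manager,producer"/>
      <permission type="deleteNonDurableQueue" roles="amq,manager"/>
      <permission type="createDurableQueue" roles="amq,manager,producer"/>
      <permission type="deleteDurableQueue" roles="amq,manager"/>
      <permission type="createAddress" roles="amq,manager,producer"/>
      <permission type="deleteAddress" roles="amq,manager"/>
      <permission type="consume" roles="amq,manager,consumer"/>
      <permission type="browse" roles="amq,manager,consumer,users"/>
      <permission type="send" roles="amq,manager,producer"/>
      <permission type="manage" roles="amq"/>
   </security-setting>
</security-settings>"""


def _local(tag):
    """Drop the XML namespace so both namespaced and plain files parse alike."""
    return tag.split("}", 1)[-1]


def _roles(el):
    return {r.strip() for r in el.get("roles", "").split(",") if r.strip()}


def _access_entries(parent):
    """List of (method pattern, roles) pairs under a default-access or match."""
    return [(a.get("method"), _roles(a)) for a in parent if _local(a.tag) == "access"]


def parse_management(xml_text):
    """Return (default entries, {domain: entries}) from management.xml."""
    default, per_domain = [], {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "default-access":
            default = _access_entries(el)
        elif _local(el.tag) == "match":
            per_domain[el.get("domain")] = _access_entries(el)
    return default, per_domain


def roles_for_method(entries, method):
    """Assumed precedence: exact name, then longest 'prefix*' match, then '*'."""
    best, best_len = set(), -1
    for pattern, roles in entries:
        if pattern == method:
            return roles
        if pattern.endswith("*") and method.startswith(pattern[:-1]) and len(pattern) > best_len:
            best, best_len = roles, len(pattern)
    return best


def jmx_allowed(mgmt, domain, method, role):
    """Assumption: default-access applies only when no <match> covers the domain."""
    default, per_domain = mgmt
    return role in roles_for_method(per_domain.get(domain, default), method)


def parse_broker(xml_text):
    """Return {match: {permission type: roles}} from the security-settings block."""
    settings = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "security-setting":
            settings[el.get("match")] = {p.get("type"): _roles(p)
                                         for p in el if _local(p.tag) == "permission"}
    return settings


def address_permissions(settings, role, match="#"):
    return {ptype for ptype, roles in settings.get(match, {}).items() if role in roles}


def audit_role(role, mgmt_xml=MANAGEMENT_XML, broker_xml=BROKER_XML):
    """What the two config layers grant `role`, to compare with observed behaviour."""
    mgmt, broker = parse_management(mgmt_xml), parse_broker(broker_xml)
    methods = ["listQueues", "getAddressNames", "deleteAddress", "destroyQueue", "removeMessages"]
    return {"jmx": {m: jmx_allowed(mgmt, "org.apache.activemq.artemis", m, role) for m in methods},
            "address": address_permissions(broker, role)}


if __name__ == "__main__":
    for r in ("users", "testgroup", "manager"):
        print(r, audit_role(r))
```

Run against the thread's configuration, the script shows that the "users" role is granted nothing at all at the JMX layer (the `list*` entries name `testgroup`, not `users`) and only `browse` at the address layer, so a console session that can still delete queues and addresses is doing so through some path this configuration does not explain; the audit log Domenico asked for is the right place to see which principal and which layer authorised the operation.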
