The Solace broker has three kinds of users - one kind for working in the SolOS shell (that is the Linux shell, not the CLI), one kind for connecting to the management bus (aka usernames) and one kind for connecting to the message bus (aka client-usernames).
There are two types of management users: CLI users and File Transfer users.
The kind of user that makes SEMP requests is the management “username”, CLI subtype. This kind of user is created with the “create username” CLI command.
The data bus users are created with the “create client-username” command. (This is only mentioned here to alert you to the similar name and command - username vs client-username - to avoid confusion. The rest of this post will not talk about client-usernames or Linux shell users.)
Usernames have individual authorization/authentication settings.
You can make a new username on the management bus just for handling the SEMP queries, and you can give that username separate permissions on the system data and the per-message-vpn data.
Access to the system data is divided into categories. The levels of access to the system data are:
- admin (full permission)
- read-write
- read-only
- none
Access to the message-vpn data is also divided into categories. The levels of access are:
- read-write
- read-only
- none
Also, the username can have individual per-message-vpn permissions on each of the message-vpns, and some default permissions for any message-vpns that are not among the exceptions.
A username with read-only permission on the system data and with default read-only permission on the message-vpns can give any commands that can be done with read-only permission. If that username gives commands that require read-write or admin permission, those commands fail with a response like:
`<permission-error>Command prohibited due to Authorization Access Level</permission-error>`
Some documentation links on usernames:
- Management User Authentication / Authorization
- Show Username Info
- enable configure username
- enable configure username message-vpn
Finally, one last point - there are two versions of SEMP - “legacy” SEMP and SEMP/v2. SEMP/v2 is not fully implemented, and specifically the implementation to date has concentrated on the per-message-vpn data - so, currently, if you want to get any system data you must use legacy SEMP.
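As an added example (not from the post or from Solace), here is a small Python helper that sends one legacy SEMP request as a dedicated read-only management username and classifies the reply, so a monitoring script can tell a successful query apart from the `<permission-error>` described above. The reply envelope (`rpc-reply`, `execute-result`) and the `/SEMP` URL are assumptions based on the legacy SEMP XML format; the sample replies are constructed.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample replies. Only the <permission-error> text comes from the post;
# the rpc-reply / execute-result envelope and the semp-version value are assumed.
OK_REPLY = ('<rpc-reply semp-version="soltr/placeholder"><rpc><show><version>'
            '<description>example</description></version></show></rpc>'
            '<execute-result code="ok"/></rpc-reply>')
DENIED_REPLY = ('<rpc-reply semp-version="soltr/placeholder">'
                '<permission-error>Command prohibited due to Authorization Access Level'
                '</permission-error><execute-result code="fail"/></rpc-reply>')


def classify_reply(xml_text: str):
    """Return (status, detail) for a legacy SEMP reply.

    status is 'ok', 'permission-error' (the username lacks the access level the
    command needs, worth logging for a read-only monitoring user) or 'error'.
    """
    root = ET.fromstring(xml_text)
    perm = root.find(".//permission-error")
    if perm is not None:
        return "permission-error", (perm.text or "").strip()
    result = root.find(".//execute-result")
    if result is not None and result.get("code") == "ok":
        return "ok", ""
    reason = result.get("reason", "") if result is not None else "no execute-result"
    return "error", reason


def semp_request(url: str, username: str, password: str, rpc_xml: str, timeout: int = 10):
    """POST one legacy SEMP request with HTTP Basic auth and classify the reply.

    url is the broker's legacy SEMP endpoint, assumed to look like
    http://broker-host:8080/SEMP; username should be the read-only
    management username created for SEMP queries.
    """
    req = urllib.request.Request(url, data=rpc_xml.encode(), method="POST")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/xml")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_reply(resp.read().decode())


if __name__ == "__main__":
    print(classify_reply(OK_REPLY))       # ('ok', '')
    print(classify_reply(DENIED_REPLY))   # ('permission-error', 'Command prohibited ...')
```

A monitoring job that only ever expects `ok` can alert on `permission-error`, which means either the script drifted into a read-write command or the username's access levels were changed.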