User IDs

When you create user IDs for client applications, the user IDs must not be longer than the maximum permitted length. We must not use the reserved user IDs UNKNOWN and NOBODY. If the server that the client connects to is an IBM MQ for Windows server, we must escape the use of the at sign, @. The permitted length of user IDs is dependent on the platform that is used for the server:

• On z/OS and UNIX and Linux, the maximum length of a user ID is 12 characters.
• On IBM i, the maximum length of a user ID is 10 characters.
• On Windows, if both the IBM MQ MQI client, and the IBM MQ server are on Windows, and the server has access to the domain on which the client user ID is defined, the maximum length of a user ID is 20 characters. However, if the IBM MQ server is not a Windows server, the user ID is truncated to 12 characters. You can use the MQCSP structure to avoid the truncation of the user ID.
• If we use the MQCSP structure to pass credentials, the maximum length of a user ID is 1024 characters. For more information about the MQCSP structure, see Identifying and authenticating users using the MQCSP structure.

Although user IDs are used to authenticate, groups are used for authorization, except for Windows.

If you create service accounts, without paying attention to groups, and authorize all the user IDs differently, every user can access the information of every other user.

Restricted user IDs

The user IDs UNKNOWN and NOBODY have special meanings to IBM MQ. Creating user IDs in the operating system called UNKNOWN or NOBODY could have unintended results.

User IDs when connecting to an IBM MQ for Windows server

An IBM MQ for Windows server does not support the connection of a Windows client if the client is running under a user ID that contains the @ character, for example, abc@d. The return code to the MQCONN call at the client is MQRC_NOT_AUTHORIZED.

However, we can specify the user ID using two @ characters, for example, abc@@d. Using the id@domain format is the preferred practice, to ensure that the user ID is resolved in the correct domain consistently; thus abc@@d@domain.