Plan authorization
Plan the users who will have administrative authority and plan how to authorize users of applications to appropriately use IBM MQ objects, including those connecting from an IBM MQ MQI client.
Individuals or applications must be granted access in order to use IBM MQ. The access they require depends on the roles they undertake and the tasks they need to perform. Authorization in IBM MQ can be subdivided into two main categories:
- Authorization to perform administrative operations
- Authorization for applications to use IBM MQ
Both classes of operation are controlled by the same component and an individual can be granted authority to perform both categories of operation.
The following topics give further information about specific areas of authorization that we must consider:
- Authority to administer IBM MQ
  IBM MQ administrators need authority to perform various functions. This authority is obtained in different ways on different platforms.
- Authorization for applications to use IBM MQ
  When applications access objects, the user IDs associated with the applications need appropriate authority.
- Security for remote messaging
  This section deals with remote messaging aspects of security.
- Use a custom authorization service
  IBM MQ supplies an installable authorization service. We can choose to install an alternative service.
- Access control for clients
  Access control is based on user IDs. There can be many user IDs to administer, and user IDs can be in different formats. We can set the server-connection channel property MCAUSER to a special user ID value for use by clients.