When authority checks are performed
Authority checks are performed when an application attempts to access a queue manager, queue, process, or namelist.
On IBM i, authority checks might also be performed when a user issues a CL command in Group 2 that accesses any of these IBM MQ objects. The checks are performed in the following circumstances:
- When an application connects to a queue manager using an MQCONN or MQCONNX call
- The queue manager asks the operating system for the user ID associated with the application. The queue manager then checks that the user ID is authorized to connect to it and retains the user ID for future checks.
Users do not have to sign on to IBM MQ. IBM MQ assumes that users are signed on to the underlying operating system and are been authenticated by it.
- When an application opens an IBM MQ object using an MQOPEN or MQPUT1 call
- All authority checks are performed when an object is opened, not when it is accessed later. For example, authority checks are performed when an application opens a queue. They are not performed when the application puts messages on the queue or gets messages from the queue.
When an application opens an object, it specifies the types of operation it needs to perform on the object. For example, an application might open a queue to browse the messages on it, get messages from it, but not to put messages on it. For each type of operation, the queue manager checks that the user ID associated with the application has the authority to perform that operation.
When an application opens a queue, the authority checks are performed against the object named in the ObjectName field of the object descriptor. The ObjectName field is used on the MQOPEN or MQPUT1 calls. If the object is an alias queue or a remote queue definition, the authority checks are performed against the object itself. They are not performed on the queue to which the alias queue or the remote queue definition resolves. This means that the user does not need permission to access it. Limit the authority to create queues to privileged users. If we do not, users might bypass the normal access control simply by creating an alias.
An application can reference a remote queue explicitly. It sets the ObjectName and ObjectQMgrName fields in the object descriptor to the names of the remote queue and the remote queue manager. The authority checks are performed against the transmission queue with the same name as the remote queue manager. On z/OS, a check is made on the RACF queue profile that matches the remote queue manager name. On Multiplatforms, a check is made against the RQMNAME profile that matches the remote queue manager name, if clustering is being used. An application can reference a cluster queue explicitly by setting the ObjectName field in the object descriptor to the name of the cluster queue. The authority checks are performed against the cluster transmission queue, SYSTEM.CLUSTER.TRANSMIT.QUEUE.
The authority to a dynamic queue is based on the model queue from which it is derived, but is not necessarily the same; see note 1.
The user ID that the queue manager uses for the authority checks is obtained from the operating system. The user ID is obtained when the application connects to the queue manager. A suitably authorized application can issue an MQOPEN call specifying an alternative user ID; access control checks are then made on the alternative user ID. Using an alternate user ID does not change the user ID associated with the application, only the one used for access control checks.
- When an application subscribes to a topic using an MQSUB call
- When an application subscribes to a topic, it specifies the type of operation that it needs to perform. It is either creating a subscription, altering an existing subscription, or resuming an existing subscription without changing it. For each type of operation, the queue manager checks that the user ID that is associated with the application has the authority to perform the operation.
When an application subscribes to a topic, the authority checks are performed against topic objects that are found in the topic tree. The topic objects are at, or above, the point in the topic tree at which the application subscribed. The authority checks might involve checks on more than one topic object. The user ID that the queue manager uses for the authority checks is obtained from the operating system. The user ID is obtained when the application connects to the queue manager.
The queue manager performs authority checks on subscriber queues but not on managed queues.
- When an application deletes a permanent dynamic queue using an MQCLOSE call
- The object handle specified on the MQCLOSE call is not necessarily the same one returned by the MQOPEN call that created the permanent dynamic queue. If it is different, the queue manager checks the user ID associated with the application that issued the MQCLOSE call. It checks that the user ID is authorized to delete the queue.
When an application that closes a subscription to remove it did not create it, the appropriate authority is required to remove it.
- When a PCF command that operates on an IBM MQ object is processed by the command server
- This rule includes the case where a PCF command operates on an authentication information object.
The user ID that is used for the authority checks is the one found in the UserIdentifier field in the message descriptor of the PCF command. This user ID must have the required authorities on the queue manager where the command is processed. The equivalent MQSC command encapsulated within an Escape PCF command is treated in the same way. For more information about the UserIdentifier field, and how it is set, see Message context.
- On IBM i, when a user issues a CL command in Group 2 that operates on an IBM MQ object
- This rule includes the case where a CL command in Group 2 operates on an authentication information object.
Checks are performed to determine whether the user has the authority to operate on an IBM MQ object associated with the command. The checks are performed unless the user is a member of the QMQMADM group or has *ALLOBJ authority. The authority required depends on the type of operation that the command performs on the object. For example, the command CHGMQMQ, Change MQM Queue, requires the authority to change the attributes of the queue specified by the command. In contrast, the command DSPMQMQ, Display MQM Queue, requires the authority to display the attributes of the queue specified by the command.
Many commands operate on more than one object. For example, to issue the command DLTMQMQ, Delete MQM Queue, the following authorities are required:
- The authority to connect to the queue manager specified by the command
- The authority to delete the queue specified by the command
Some commands operate on no object at all. In this case, the user requires only IBM i authority to issue one of these commands. STRMQMLSR, Start MQM Listener, is an example of such a command.
Parent topic: Authorization for applications to use IBM MQ