+

Search Tips | Advanced Search

Authorizing users to use IBM MQ remotely

For to create and start queue managers when connected to IBM MQ remotely, we must have the Create global objects user access.


About this task

Note: Administrators have the Create global objects user access by default, so if we are an administrator we can create and start queue managers when connected remotely without altering your user rights.

If we are connecting to a Windows machine using either Terminal Services or a Remote Desktop Connection and you have problems creating, starting or deleting a queue manager this might be because we do not have the user access Create global objects.

The Create global objects user access limits the users authorized to create objects in the global namespace. In order for an application to create a global object, it must either be running in the global namespace, or the user under which the application is running must have the Create global objects user access applied to it.

When you connect remotely to a Windows machine using either Terminal Services or Remote Desktop Connection, applications run in their own local namespace. If you attempt to create or delete a queue manager using IBM MQ Explorer or the crtmqm or dltmqm command, or to start a queue manager using the strmqm command, it results in an authorization failure. This creates an IBM MQ FDC with Probe ID XY132002.

Starting a queue manager using the IBM MQ Explorer, or using the amqmdain qmgr start command works correctly because these commands do not directly start the queue manager. Instead the commands send the request to start the queue manager to a separate process running in the global namespace.

If the various methods of administering IBM MQ do not work when we use terminal services, try setting the Create global objects user right.


Procedure

  1. Open the Administrative Tools panel:

      Windows Server 2008 and Windows Server 2012
      Access this panel using Control Panel > System and Maintenance > Administrative Tools.

      Windows 8.1
      Access this panel using Administrative Tools > Computer Management

  2. Double-click Local Security Policy.
  3. Expand Local Policies.
  4. Click User Rights Assignment.
  5. Add the new user or group to the Create global objects policy.

Parent topic: Special considerations for security on Windows

Last updated: 2020-10-04