Authorizing access to objects
This section contains information about using the object authority manager and channel exit programs to control access to objects.
On UNIX, Linux, and Windows systems, you control access to objects by using the object authority manager (OAM). This collection of topics contains information about using the command interface to the OAM.
This section also contains a checklist we can use to determine what tasks to perform to apply security to the system on all platforms, and considerations for granting users the authority to administer IBM MQ and to work with IBM MQ objects.
If the supplied security mechanisms do not meet your needs, you can develop your own channel exit programs.
- Control access to objects by using the OAM on UNIX, Linux, and Windows
The object authority manager (OAM) provides a command interface for granting and revoking authority to IBM MQ objects.
- Granting required access to resources
Use this topic to determine what tasks to perform to apply security to the IBM MQ system on UNIX, Linux, Windows, IBM i, and z/OS.
- Authority to administer IBM MQ on UNIX, Linux, and Windows
IBM MQ administrators can use all IBM MQ commands and grant authorities for other users. When administrators issue commands to remote queue managers, they must have the required authority on the remote queue manager. Further considerations apply to Windows systems.
- Authority to work with IBM MQ objects on UNIX, Linux, and Windows
All objects are protected by IBM MQ, and principals must be given appropriate authority to access them. Different principals need different access rights to different objects.
- Implement access control in security exits
We can implement access control in a security exit by use of the MCAUserIdentifier or the object authority manager.
- Implement access control in message exits
We might need to use a message exit to substitute one user ID with another.
- Implement access control in the API exit and API-crossing exit
An API or API-crossing exit can provide access controls to supplement those provided by IBM MQ. In particular, the exit can provide access control at the message level. The exit can ensure that an application puts on a queue, or gets from a queue, only those messages that satisfy certain criteria.
Parent topic: Securing IBM MQ