Control access to objects by using the OAM on UNIX, Linux, and Windows
The object authority manager (OAM) provides a command interface for granting and revoking authority to IBM MQ objects.
We must be suitably authorized to use these commands, as described in Authority to administer IBM MQ on UNIX, Linux, and Windows. User IDs that are authorized to administer IBM MQ have super user authority to the queue manager, which means that we do not have to grant them further permission to issue any MQI requests or commands.
- OAM user-based permissions on UNIX and Linux
From Version 8.0, on UNIX and Linux systems, the object authority manager (OAM) can use user-based authorization as well as group-based authorization. - Giving access to an IBM MQ object on UNIX, Linux, and Windows
Use the setmqaut control command, the SET AUTHREC MQSC command, or the MQCMD_SET_AUTH_REC PCF command to give users, and groups of users, access to IBM MQ objects. Note that on IBM MQ Appliance we can use only the SET AUTHREC command. - Use OAM generic profiles on UNIX, Linux, and Windows
Use OAM generic profiles to set, in a single operation, a user's privileges for many objects; rather than having to issue separate setmqaut commands, or SET AUTHREC commands, against each individual object when it is created. Note that on IBM MQ Appliance we can use only the SET AUTHREC command. - Display access settings on UNIX, Linux, and Windows
Use the dspmqaut control command, the DISPLAY AUTHREC MQSC command, or the MQCMD_INQUIRE_ENTITY_AUTH PCF command to view the authorizations that a specific principal or group has for a particular object. Note that on IBM MQ Appliance we can use only the DISPLAY AUTHREC command. - Change and revoking access to an IBM MQ object on UNIX, Linux, and Windows
To change the level of access that a user or group has to an object, use the setmqaut control command, the DELETE AUTHREC MQSC command, or the MQCMD_DELETE_AUTH_REC PCF command.
Note that on IBM MQ Appliance we can use only the DELETE AUTHREC command.
- Preventing security access checks on UNIX, Linux, and Windows systems
To turn off all security checking we can disable the object authority manager (OAM). This might be suitable for a test environment. Having disabled or removed the OAM, we cannot add an OAM to an existing queue manager.
Parent topic: Authorizing access to objects